google_cloud_env_secrets 0.1.1 → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +14 -5
- data/lib/google_cloud_env_secrets/config.rb +16 -0
- data/lib/google_cloud_env_secrets/railtie.rb +23 -8
- data/lib/google_cloud_env_secrets/secrets.rb +26 -6
- data/lib/google_cloud_env_secrets/version.rb +1 -1
- data/lib/tasks/google_cloud_env_secrets_tasks.rake +6 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0f6fb0a3005e03c0be10f2e423f049ec2c103f44696f43eb47f62bdfc5d4a109
|
|
4
|
+
data.tar.gz: c2111c2c4a8819321a1875c46651a16d847b1f6fb9e20d6ea821ae136571a38c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4a1a64482d17981bc421768820d5b07b40a5c6dd0a64c93b80f01bed0ae61b425a7938a2faf1b961b4401e25840d286dbd84ec191cb158d30a1902043a2b5722
|
|
7
|
+
data.tar.gz: 44d02eb848d40f9314d4d7fa4a16c2f57e1aa020b130d6843810b74245b11d5d96c6b2cc8c13651fd51b701c49068994ffc008a21b81dab6242c07733265853d
|
data/README.md
CHANGED
|
@@ -23,12 +23,20 @@ $ gem install google_cloud_env_secrets
|
|
|
23
23
|
|
|
24
24
|
Configure this gem with environment vars:
|
|
25
25
|
|
|
26
|
-
| Variable
|
|
27
|
-
|
|
28
|
-
| `GOOGLE_APPLICATION_CREDENTIALS`
|
|
29
|
-
| `GOOGLE_PROJECT`
|
|
30
|
-
| `GOOGLE_SECRETS_PREFIX`
|
|
26
|
+
| Variable | Description |
|
|
27
|
+
|---------------------------------------|--------------------------------------------------------------------|
|
|
28
|
+
| `GOOGLE_APPLICATION_CREDENTIALS` | Google Application Credentials, path or data (not base64 encoded). |
|
|
29
|
+
| `GOOGLE_PROJECT` | Google project |
|
|
30
|
+
| `GOOGLE_SECRETS_PREFIX` | Only load secrets that start with given prefix. |
|
|
31
|
+
| `GOOGLE_SECRETS_OVERLOAD` | Replace existing ENV vars with secret's value. Default `true`. |
|
|
31
32
|
|
|
33
|
+
The `GOOGLE_APPLICATION_CREDENTIALS` and `GOOGLE_PROJECT` variables are both optional. If not given,
|
|
34
|
+
we will detect them automatically, if run on Google Cloud.
|
|
35
|
+
|
|
36
|
+
Google Secrets are available after the [before_configuration hook](https://guides.rubyonrails.org/configuring.html#initialization-events).
|
|
37
|
+
You can call `GoogleCloudEnvSecrets.load` if you need the ENV secrets sooner than that.
|
|
38
|
+
|
|
39
|
+
See [docs](https://www.rubydoc.info/github/mattes/rails_google_cloud_env_secrets/main), too.
|
|
32
40
|
|
|
33
41
|
## Required IAM Roles
|
|
34
42
|
|
|
@@ -36,3 +44,4 @@ Configure this gem with environment vars:
|
|
|
36
44
|
Secret Manager Secret Accessor
|
|
37
45
|
Secret Manager Viewer
|
|
38
46
|
```
|
|
47
|
+
|
|
@@ -1,12 +1,16 @@
|
|
|
1
|
+
require "json"
|
|
2
|
+
|
|
1
3
|
module GoogleCloudEnvSecrets
|
|
2
4
|
class Configuration
|
|
3
5
|
attr_accessor :project
|
|
4
6
|
attr_accessor :credentials
|
|
5
7
|
attr_accessor :cache_secrets
|
|
6
8
|
attr_accessor :prefix
|
|
9
|
+
attr_accessor :overload
|
|
7
10
|
|
|
8
11
|
def initialize
|
|
9
12
|
@cache_secrets = true
|
|
13
|
+
@overload = true
|
|
10
14
|
end
|
|
11
15
|
end
|
|
12
16
|
|
|
@@ -18,4 +22,16 @@ module GoogleCloudEnvSecrets
|
|
|
18
22
|
self.configuration ||= Configuration.new
|
|
19
23
|
yield(configuration)
|
|
20
24
|
end
|
|
25
|
+
|
|
26
|
+
def self.parse_project_from_credentials(credentials)
|
|
27
|
+
if File.exist?(credentials)
|
|
28
|
+
j = JSON.parse(File.read(credentials))
|
|
29
|
+
return j["project_id"]
|
|
30
|
+
else
|
|
31
|
+
j = JSON.parse(credentials)
|
|
32
|
+
return j["project_id"]
|
|
33
|
+
end
|
|
34
|
+
rescue
|
|
35
|
+
nil
|
|
36
|
+
end
|
|
21
37
|
end
|
|
@@ -1,14 +1,29 @@
|
|
|
1
1
|
module GoogleCloudEnvSecrets
|
|
2
2
|
class Railtie < ::Rails::Railtie
|
|
3
|
-
initializer "google_cloud_env_secrets.initialize", after: :bootstrap_hook do |app|
|
|
4
|
-
GoogleCloudEnvSecrets.configure do |config|
|
|
5
|
-
config.credentials = ENV["GOOGLE_APPLICATION_CREDENTIALS"] || nil
|
|
6
|
-
config.project = ENV["GOOGLE_PROJECT"] || Google::Cloud.env.project_id
|
|
7
|
-
config.prefix = ENV["GOOGLE_SECRETS_PREFIX"] || nil
|
|
8
|
-
end
|
|
9
3
|
|
|
10
|
-
|
|
11
|
-
|
|
4
|
+
# load Google Secrets during Rails `before_configuration` hook
|
|
5
|
+
config.before_configuration do
|
|
6
|
+
GoogleCloudEnvSecrets.load
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
rake_tasks do
|
|
10
|
+
load "tasks/google_cloud_env_secrets_tasks.rake"
|
|
12
11
|
end
|
|
13
12
|
end
|
|
13
|
+
|
|
14
|
+
# load Google Secrets into ENV
|
|
15
|
+
def self.load
|
|
16
|
+
GoogleCloudEnvSecrets.configure do |config|
|
|
17
|
+
config.credentials = ENV["GOOGLE_APPLICATION_CREDENTIALS"] || nil
|
|
18
|
+
config.project = ENV["GOOGLE_PROJECT"] || GoogleCloudEnvSecrets.parse_project_from_credentials(config.credentials) || Google::Cloud.env.project_id
|
|
19
|
+
config.prefix = ENV["GOOGLE_SECRETS_PREFIX"] || nil
|
|
20
|
+
|
|
21
|
+
if ENV.has_key?("GOOGLE_SECRETS_OVERLOAD")
|
|
22
|
+
config.overload = ENV["GOOGLE_SECRETS_OVERLOAD"]&.to_s&.downcase == "true"
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
secrets = GoogleCloudEnvSecrets.all
|
|
27
|
+
GoogleCloudEnvSecrets.inject_env!(secrets, GoogleCloudEnvSecrets.configuration.overload)
|
|
28
|
+
end
|
|
14
29
|
end
|
|
@@ -2,10 +2,21 @@ module GoogleCloudEnvSecrets
|
|
|
2
2
|
def self.all
|
|
3
3
|
@secrets = nil unless self.configuration.cache_secrets
|
|
4
4
|
@secrets ||= begin
|
|
5
|
+
# Skip if not running on Google Cloud and credentials are not set explicitly
|
|
6
|
+
if self.configuration.credentials.nil? && Google::Cloud.env.project_id.nil?
|
|
7
|
+
return {}
|
|
8
|
+
end
|
|
9
|
+
|
|
5
10
|
# Configure and initialize
|
|
6
11
|
# https://googleapis.dev/ruby/google-cloud-secret_manager/latest/Google/Cloud/SecretManager.html
|
|
7
12
|
Google::Cloud::SecretManager.configure do |config|
|
|
8
|
-
|
|
13
|
+
if self.configuration.credentials
|
|
14
|
+
if File.exist?(self.configuration.credentials)
|
|
15
|
+
config.credentials = self.configuration.credentials # load by file
|
|
16
|
+
else
|
|
17
|
+
config.credentials = JSON.parse(self.configuration.credentials) # load data
|
|
18
|
+
end
|
|
19
|
+
end
|
|
9
20
|
end
|
|
10
21
|
|
|
11
22
|
client = Google::Cloud::SecretManager.secret_manager_service
|
|
@@ -38,17 +49,26 @@ module GoogleCloudEnvSecrets
|
|
|
38
49
|
|
|
39
50
|
secrets
|
|
40
51
|
end
|
|
41
|
-
|
|
52
|
+
|
|
53
|
+
@secrets || {}
|
|
42
54
|
end
|
|
43
55
|
|
|
44
56
|
def self.find(name)
|
|
45
|
-
self.all
|
|
46
|
-
|
|
57
|
+
self.all[name.to_s]
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
def self.exist?(name)
|
|
61
|
+
self.all.has_key?(name.to_s)
|
|
47
62
|
end
|
|
48
63
|
|
|
49
|
-
def self.inject_env!(secrets = {})
|
|
64
|
+
def self.inject_env!(secrets = {}, overload = true, env = ENV)
|
|
50
65
|
secrets.each do |name, value|
|
|
51
|
-
|
|
66
|
+
name = name.to_s
|
|
67
|
+
if overload
|
|
68
|
+
env[name] = value
|
|
69
|
+
else
|
|
70
|
+
env[name] ||= value
|
|
71
|
+
end
|
|
52
72
|
end
|
|
53
73
|
end
|
|
54
74
|
end
|
|
@@ -1,5 +1,9 @@
|
|
|
1
1
|
desc "Fetch Google Cloud Secret"
|
|
2
2
|
task :google_cloud_secret do
|
|
3
|
-
name =
|
|
4
|
-
|
|
3
|
+
name = ENV["NAME"].strip
|
|
4
|
+
|
|
5
|
+
fail "#{name} not found" unless GoogleCloudEnvSecrets.exist?(name)
|
|
6
|
+
|
|
7
|
+
$stdout.sync = true
|
|
8
|
+
print GoogleCloudEnvSecrets.find(name)
|
|
5
9
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: google_cloud_env_secrets
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Matthias Kadenbach
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-10-
|
|
11
|
+
date: 2020-10-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|