Providers for Summon are easy to write. Given the identifier of a secret, they either return its value or an error.
This is the contract:
They take one and only one argument, the identifier of a secret (a string). The argument can also be the flag -v or --version, in which case the provider must print its version on stdout.
If retrieval is successful, they return the value on stdout with exit code 0.
If an error occurs, they return an error message on stderr with a non-0 exit code.
The default path for providers is /usr/local/lib/summon/. If one provider is in that path, summon will use it. If multiple providers are in the path, you can specify which one to use with the --provider flag, or the environment variable SUMMON_PROVIDER. If your providers are placed outside the default path, give summon the full path to them.
Variable IDs are used as identifiers for fetching Secrets. These are made up of a secret name (required) and secret key path (optional).
The Vault CLI command to retrieve a secret is:
vault kv get -field=mysecretkeypath secret/name
This provider implements two formats for the Variable ID:
secret/name#mysecretkeypath, as used by the AWS Secrets Manager provider
secret/name/mysecretkeypath, as used by the KeePass kdbx database file provider
So the two commands below return the same value:
summon --provider vault4summon --yaml 'hello: !var secret/name#mysecretkeypath' printenv hello
summon --provider vault4summon --yaml 'hello: !var secret/name/mysecretkeypath' printenv hello
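The provider contract and the two Variable ID formats described above, put together as an added example (this is not vault4summon's own code). The function names, the placeholder version string, the rule that the last `/` segment is the key when no `#` is present, and the rejection of secret names starting with `-` are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Example Summon provider for Vault (added example, not vault4summon's code)."""
import subprocess
import sys

VERSION = "0.0.0-example"  # placeholder version string


def split_variable_id(variable_id):
    """Return (secret_path, field) for 'path#field' or 'path/field'."""
    if "#" in variable_id:
        path, _, field = variable_id.partition("#")
    else:
        # Assumption: without '#', the last '/' segment is the key path.
        path, _, field = variable_id.rpartition("/")
    if not path or not field:
        raise ValueError("variable ID must be <secret>#<key> or <secret>/<key>")
    if path.startswith("-"):
        # Vault would parse a leading '-' as one of its own flags.
        raise ValueError("secret name must not start with '-'")
    return path, field


def provider(argv, run=subprocess.run):
    """Apply the contract; return (exit_code, stdout_text, stderr_text)."""
    if len(argv) != 1:
        return 2, "", "usage: provider <variable-id> | -v | --version\n"
    if argv[0] in ("-v", "--version"):
        return 0, VERSION + "\n", ""
    try:
        path, field = split_variable_id(argv[0])
    except ValueError as exc:
        return 1, "", f"{exc}\n"
    # Argument list, no shell: the identifier is never read as shell syntax.
    cmd = ["vault", "kv", "get", f"-field={field}", path]
    try:
        proc = run(cmd, capture_output=True, text=True)
    except OSError as exc:
        return 1, "", f"cannot run vault: {exc}\n"
    if proc.returncode != 0:
        # Only Vault's error text goes to stderr; stdout stays empty on failure.
        return 1, "", proc.stderr or "vault returned an error\n"
    return 0, proc.stdout, ""


if __name__ == "__main__":
    code, out, err = provider(sys.argv[1:])
    sys.stdout.write(out)
    sys.stderr.write(err)
    sys.exit(code)
```

The `run` parameter exists so the contract can be checked without a Vault server by passing a stand-in for `subprocess.run`.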