Skip to content

Instantly share code, notes, and snippets.

@cfg
Created May 6, 2019 14:44
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save cfg/7228d7db73d88b43619805279fa9ccb1 to your computer and use it in GitHub Desktop.
Save cfg/7228d7db73d88b43619805279fa9ccb1 to your computer and use it in GitHub Desktop.
Storing sensitive environment variables the keychain, selectively setting them on a per-application basis.
source ~/bash.includes/keychain-environment-variables.sh
function aws-vault() {
/usr/local/bin/aws-vault-wrapper "$@"
}
# example wrapper
## function cloudns-api() {
## (
## export CLOUDNS_API_ID=$(keychain-environment-variable CLOUDNS_API_ID)
## export CLOUDNS_PASSWORD=$(keychain-environment-variable CLOUDNS_PASSWORD)
##
## /usr/local/bin/cloudns_api.sh "$@"
##
## unset CLOUDNS_API_ID CLOUDNS_PASSWORD
## )
## }
#!/usr/bin/env bash
source ~/bash.includes/keychain-environment-variables.sh
(
export CLOUDFLARE_EMAIL=$(keychain-environment-variable CLOUDFLARE_EMAIL)
export CLOUDFLARE_TOKEN=$(keychain-environment-variable CLOUDFLARE_TOKEN)
export GITHUB_TOKEN=$(keychain-environment-variable GITHUB_TOKEN)
/usr/local/bin/aws-vault "$@"
unset CLOUDFLARE_EMAIL CLOUDFLARE_TOKEN GITHUB_TOKEN
)
# Source: https://gist.github.com/bmhatfield/f613c10e360b4f27033761bbee4404fd
### Functions for setting and getting environment variables from the OSX keychain
### Adapted from https://www.netmeister.org/blog/keychain-passwords.html
# Use: keychain-environment-variable SECRET_ENV_VAR
function keychain-environment-variable () {
if [ -z "$1" ] ; then
echo "Missing environment variable name. Usage $FUNCNAME[0] <varname>"
return 1
fi
security find-generic-password -w -a ${USER} -D "environment variable" -s "${1}"
}
# Use: set-keychain-environment-variable SECRET_ENV_VAR
# provide: super_secret_key_abc123
function set-keychain-environment-variable () {
if [ -z "$1" ] ; then
echo "Missing environment variable name. Usage $FUNCNAME[0] <varname> [<silent>]"
return 1
fi
[ -n "$2" ] && SILENT="-s" || SILENT=""
# Note: if using bash, use `-p` to indicate a prompt string, rather than the leading `?`
read $SILENT -p "Enter Value for ${1}: " secret
( [ -n "$1" ] && [ -n "$secret" ] ) || return 1
security add-generic-password -U -a ${USER} -D "environment variable" -s "${1}" -w "${secret}"
unset secret
}
############################################################
## Pattern 1 - a binary that you're tweaking, and you don't want to constantly `source ~/.bashrc`
# 1. Wrap the binary in a function in ~/.bashrc
############################################################
## function aws-vault() {
## /usr/local/bin/aws-vault-wrapper "$@"
## }
# 2. Create /usr/local/bin/foo-wrapper
############################################################
## #!/usr/bin/env bash
## # Load the keychain environment variable helper functions
## source ~/bash.includes/keychain-environment-variables.sh
##
## # Start a subshell - this prevents the new environment variables from being
## # exposed if the wrapped program exits prematurely
## (
## export CLOUDFLARE_EMAIL=$(keychain-environment-variable CLOUDFLARE_EMAIL)
## export CLOUDFLARE_TOKEN=$(keychain-environment-variable CLOUDFLARE_TOKEN)
## export GITHUB_TOKEN=$(keychain-environment-variable GITHUB_TOKEN)
##
## /usr/local/bin/aws-vault "$@"
##
## # Unset environment variables - not really necessary because they go away when the subshell terminates
## unset CLOUDFLARE_EMAIL CLOUDFLARE_TOKEN GITHUB_TOKEN
## )
## # ^ end of subshell
##
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment