Load Secret Environment Variables from 1Password
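# Load environment secrets with 1Password CLI injection
#
# Used with load_secrets.sh
#   source load_secrets.sh
#
# `op inject` replaces each op:// reference below with the secret's value and
# load_secrets.sh then sources the rendered text as shell. The values are
# single-quoted so a secret containing spaces, `$`, `;`, `#` or other shell
# metacharacters is assigned literally instead of being interpreted or
# executed; a secret that itself contains a single quote would still break
# the assignment, so avoid that character in these items.
# OP_VAULT, INF_PROJECT and INF_IMPLEMENTATION are read from the environment
# (set by .env-config).

# AWS Service Account Credentials
AWS_ACCESS_KEY_ID='{{ op://$OP_VAULT/$INF_PROJECT.aws_access_key/username }}'
AWS_SECRET_ACCESS_KEY='{{ op://$OP_VAULT/$INF_PROJECT.aws_access_key/password }}'
# Project Secrets
GPG_PASSPHRASE='{{ op://$OP_VAULT/$INF_PROJECT.gpg_passphrase/password }}'
# Implementation Secrets
TF_VAR_gpg_passphrase='{{ op://$OP_VAULT/$INF_PROJECT.$INF_IMPLEMENTATION.gpg_passphrase/password }}'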
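# Configuration environment variables
#
# Used with load_secrets.sh, which sources this file with `set -o allexport`,
# so every assignment below becomes an exported environment variable that is
# visible to child processes such as op and terraform.
#
# A default template of this file could be tracked in a git repo and individual
# operators could override default config values where they are specific to them
# such as 1Password account or vault, and project or implementation value used.
#
# Replace xxxxx_placeholder_xxxxx with the config value you want to use.
# Keep this file free of secrets: those belong in 1Password and are resolved
# through the .env-1password template.
#
# TIP: Find a secret's uuid by looking for any entry in your Private vault
#      with a title containing "aws" (OP_ACCOUNT is defined below):
#   op account list
#   op item list --account "${OP_ACCOUNT}" --vault Private | grep -i aws
# TIP: Find a field name in an entry (<item_uuid> / <field_label> are
#      placeholders for the values found above):
#   op item get "<item_uuid>" --account "${OP_ACCOUNT}"
#   op item get "<item_uuid>" --account "${OP_ACCOUNT}" --field "label=<field_label>"

# Infrastructure Configuration
INF_PROJECT="xxxxx_project_name_xxxxx"
INF_IMPLEMENTATION="xxxxx_implementation_name_xxxxx"
# Environment variables to pass to Terraform; derived from the values above,
# so they must stay after INF_PROJECT / INF_IMPLEMENTATION
TF_VAR_inf_tag="${INF_PROJECT}"
TF_VAR_implementation_tag="${INF_IMPLEMENTATION}"
# 1Password Account/Vault Configuration
OP_ACCOUNT="xxxxx_1password_account_xxxxx"
OP_VAULT="xxxxx_vault_name_xxxxx"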
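#!/usr/bin/env bash
# load_secrets.sh
#
# Source this file to load 1Password-managed secrets into the current shell:
#   source load_secrets.sh
#
# Reads ./.env-config (non-secret configuration) and ./.env-1password (an
# `op inject` template); the rendered template is sourced with allexport so
# every assignment in it becomes an exported environment variable.
# Requires the 1Password CLI (`op`) on PATH and OP_ACCOUNT set by .env-config.
#
# Because this file is sourced it never calls `exit` after the sourced check
# (that would terminate the caller's shell); failures `return` non-zero so
# `source load_secrets.sh && terraform ...` stops when secrets are missing.

# Text Color Variables
# ---------------------------------------------------------------
# Reset
Color_Off='\033[0m' # Text Reset
# Regular Colors
Yellow='\033[0;33m' # Yellow
YellowBlink='\033[5;33m' # Yellow (blinking)
Cyan='\033[0;36m' # Cyan
# Bold
BRed='\033[1;31m' # Red

# Check to make sure this script is being sourced, if not abort with error
sourced=0
if [[ -n "${ZSH_EVAL_CONTEXT:-}" ]]; then
  case $ZSH_EVAL_CONTEXT in *:file) sourced=1;; esac
elif [[ -n "${BASH_VERSION:-}" ]]; then
  # `return` only succeeds inside a function or a sourced file
  (return 0 2>/dev/null) && sourced=1
fi
if [[ "${sourced}" == "0" ]]; then
  # %b expands the color escapes; the message text goes through %s untouched
  printf '%b%s%b\n' "${BRed}" "[ERROR] Script must be sourced" "${Color_Off}" >&2
  printf '%b%s%b\n' "${YellowBlink}" " source ${0##*/}" "${Color_Off}" >&2
  exit 1
fi

#######################################
# Print a colored diagnostic to stderr.
# Arguments: $1 - color escape sequence, remaining - message text
#######################################
_ls_say() {
  local color=$1
  shift
  printf '%b%s%b\n' "${color}" "$*" "${Color_Off}" >&2
}

#######################################
# Load .env-config, sign in to 1Password if no session exists, render
# .env-1password with `op inject` and source the result into this shell.
# Globals:   OP_ACCOUNT (read, from .env-config), OP_SESSION_<account> (written)
# Returns:   0 when secrets were loaded, 1 on any failure, 130 on SIGINT
#######################################
_load_secrets() {
  local session rendered rc had_allexport=0

  # Remember whether the caller already had allexport on so it is not
  # switched off behind their back afterwards.
  [[ $- == *a* ]] && had_allexport=1

  # Load configuration from .env-config; fail loudly here instead of
  # silently continuing with an unset OP_ACCOUNT.
  if [[ ! -r .env-config ]]; then
    _ls_say "${BRed}" "[ERROR] .env-config not found or not readable in ${PWD}"
    return 1
  fi
  set -o allexport
  # shellcheck disable=SC1091 — operator-specific file, not tracked here
  source .env-config
  (( had_allexport )) || set +o allexport
  # OP_ACCOUNT="xxxxxx_set_from_.env-config_xxxxxx"
  if [[ -z "${OP_ACCOUNT:-}" ]]; then
    _ls_say "${BRed}" "[ERROR] OP_ACCOUNT is not set by .env-config"
    return 1
  fi
  if [[ ! -r .env-1password ]]; then
    _ls_say "${BRed}" "[ERROR] .env-1password not found or not readable in ${PWD}"
    return 1
  fi

  # Catch SIGINT (e.g. Ctrl-C at the op signin prompt) so it unwinds this
  # function instead of the calling shell. The previous `trap return 0 SIGINT`
  # also installed the handler on EXIT (signal spec "0") and left both traps
  # behind in the caller's shell; _ls_cleanup resets INT to its default.
  trap 'return 130' INT

  # Check if an existing 1Password CLI session exists, otherwise sign in
  if ! op account get --account "${OP_ACCOUNT}" > /dev/null 2>&1; then
    session=$(op signin --account "${OP_ACCOUNT}" --raw)
    if [[ -z "${session}" ]]; then
      _ls_say "${BRed}" "[ERROR] login failed! ...exiting safely"
      return 1
    fi
    # Later op calls are expected to pick the token up from this variable
    export "OP_SESSION_${OP_ACCOUNT}=${session}"
  fi

  # Use 1Password to inject secrets into environment variables
  _ls_say "${Cyan}" "...extracting secrets from 1Password and loading into environment variables..."
  # Render first and check the status: `source <(op inject ...)` would quietly
  # source an empty stream when op fails. Sign out either way so a session is
  # not left open after a failed run.
  rendered=$(op inject -i .env-1password --account "${OP_ACCOUNT}")
  rc=$?
  op signout
  if (( rc != 0 )); then
    _ls_say "${BRed}" "[ERROR] op inject failed (status ${rc}); no secrets were loaded"
    return 1
  fi
  # The rendered text is executed as shell: values in .env-1password must be
  # quoted so a secret containing spaces or metacharacters is assigned
  # literally rather than interpreted.
  set -o allexport
  # shellcheck disable=SC1090
  source <(printf '%s\n' "${rendered}")
  (( had_allexport )) || set +o allexport
  return 0
}

#######################################
# Drop every helper name this file defined so nothing but the exported
# secrets (and OP_SESSION_*) lingers in the caller's shell, then hand back
# the load status. Resets INT to the default disposition; a custom INT trap
# the caller had before sourcing is not restored. Bash copies a function body
# before running it, so unsetting the running function is safe.
# Arguments: $1 - status to return as the result of sourcing this file
#######################################
_ls_cleanup() {
  local rc=$1
  trap - INT
  unset Color_Off Yellow YellowBlink Cyan BRed sourced
  unset -f _ls_say _load_secrets _ls_cleanup
  return "${rc}"
}

_load_secrets
_ls_cleanup "$?"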