bcd7710be5
Adds a shell script that supports a subset of the 'pass' interface for compatibility with kontemplate, and wraps kontemplate in a script that places this version on the PATH. This makes it possible to use Cloud KMS encrypted secrets with kontemplate.
# This tool mimics a subset of the interface of 'pass', but uses
|
|
# Google Cloud KMS for encryption.
|
|
#
|
|
# It is intended to be compatible with how 'kontemplate' invokes
|
|
# 'pass.'
|
|
#
|
|
# Only the 'show' and 'insert' commands are supported.
|
|
|
|
{ google-cloud-sdk, tree, writeShellScriptBin
|
|
, project, region, keyring, key }:
|
|
|
|
writeShellScriptBin "pass" ''
|
|
set -eo pipefail
|
|
|
|
CMD="$1"
|
|
readonly SECRET=$2
|
|
readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
|
|
|
|
function secret_check {
|
|
if [[ -z $SECRET ]]; then
|
|
echo 'Secret must be specified'
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
if [[ -z $CMD ]]; then
|
|
CMD="ls"
|
|
fi
|
|
|
|
case "$CMD" in
|
|
ls)
|
|
${tree}/bin/tree $SECRETS_DIR
|
|
;;
|
|
show)
|
|
secret_check
|
|
${google-cloud-sdk}/bin/gcloud kms decrypt \
|
|
--project ${project} \
|
|
--location ${region} \
|
|
--keyring ${keyring} \
|
|
--key ${key} \
|
|
--ciphertext-file $SECRET_PATH \
|
|
--plaintext-file -
|
|
;;
|
|
insert)
|
|
secret_check
|
|
${google-cloud-sdk}/bin/gcloud kms encrypt \
|
|
--project ${project} \
|
|
--location ${region} \
|
|
--keyring ${keyring} \
|
|
--key ${key} \
|
|
--ciphertext-file $SECRET_PATH \
|
|
--plaintext-file -
|
|
echo "Inserted secret '$SECRET'"
|
|
;;
|
|
*)
|
|
echo "Usage: pass show/insert <secret>"
|
|
exit 1
|
|
;;
|
|
esac
|
|
''
|
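Review bot: The secret name on `readonly SECRET_PATH="$SECRETS_DIR/$SECRET"` is joined onto the path unchecked, so a name containing `..` or beginning with `/` lets `show` decrypt, and `insert` overwrite, a file outside `$SECRETS_DIR`; since the name comes from the caller, `secret_check` should reject such names, e.g. `case "$SECRET" in /*|..|../*|*/..|*/../*) echo 'Invalid secret name' >&2; exit 1 ;; esac`. `SECRETS_DIR` is never validated and the script runs with `set -eo pipefail` but not `-u`, so an unset variable silently resolves the path to `/$SECRET`; a guard such as `[[ -n $SECRETS_DIR ]] || { echo 'SECRETS_DIR must be set' >&2; exit 1; }` closes that (a `''${SECRETS_DIR:?}` form would need the `''` escape because this shell text sits inside a Nix string). The `$SECRETS_DIR` and `$SECRET_PATH` expansions on the `tree` line and both `--ciphertext-file` lines are unquoted and word-split on spaces, and the 'Secret must be specified' message in `secret_check` goes to stdout, where a caller capturing the command's output would presumably receive it in place of the secret; the message belongs on stderr and the expansions in double quotes.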