tvl-depot/tools/kms_pass/default.nix
Vincent Ambo bcd7710be5 feat(tools): Introduce pass-compatible wrapper using Cloud KMS
Adds a shell script that supports a subset of the 'pass' interface for
compatibility with kontemplate, and wraps kontemplate in a script that
places this version on the PATH.

This makes it possible to use Cloud KMS encrypted secrets with kontemplate.
2019-09-03 16:12:30 +01:00

60 lines
1.3 KiB
Nix

# This tool mimics a subset of the interface of 'pass', but uses
# Google Cloud KMS for encryption.
#
# It is intended to be compatible with how 'kontemplate' invokes
# 'pass.'
#
# Only the 'show' and 'insert' commands are supported.
{ google-cloud-sdk, tree, writeShellScriptBin
, project, region, keyring, key }:
writeShellScriptBin "pass" ''
set -eo pipefail
CMD="$1"
readonly SECRET=$2
readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
function secret_check {
if [[ -z $SECRET ]]; then
echo 'Secret must be specified'
exit 1
fi
}
if [[ -z $CMD ]]; then
CMD="ls"
fi
case "$CMD" in
ls)
${tree}/bin/tree $SECRETS_DIR
;;
show)
secret_check
${google-cloud-sdk}/bin/gcloud kms decrypt \
--project ${project} \
--location ${region} \
--keyring ${keyring} \
--key ${key} \
--ciphertext-file $SECRET_PATH \
--plaintext-file -
;;
insert)
secret_check
${google-cloud-sdk}/bin/gcloud kms encrypt \
--project ${project} \
--location ${region} \
--keyring ${keyring} \
--key ${key} \
--ciphertext-file $SECRET_PATH \
--plaintext-file -
echo "Inserted secret '$SECRET'"
;;
*)
echo "Usage: pass show/insert <secret>"
exit 1
;;
esac
''