Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
mask shell cmd rendering and add retrieve value fromVault template func
1 parent
44856ee
commit 13c1f3b
Showing 5 changed files with 86 additions and 6 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
doc_meta: | | ||
folder: security | ||
title: mask senstive info in shell execution | ||
head: | | ||
When you use verbose level greater than vvv, it will print out the debugging final shell scripts rendered, which possiblly contains the secure vars. In such a case, upcmd will automatically mask the senstive variable with SECURE_SENSITIVE_INFO_MASKED | ||
sections: | ||
- title: Demo | ||
log: yes | ||
tasks: | ||
- | ||
name: task | ||
task: | ||
- | ||
func: shell | ||
dvars: | ||
- name: enc_key | ||
value: my_enc_key | ||
flags: | ||
- secret | ||
|
||
- name: value_encrypted | ||
value: '{{ "ENV_AAA" | encryptAES .enc_key }}' | ||
flags: | ||
- vvvv | ||
- taskScope | ||
|
||
- name: ENV_AAA | ||
value: '{{.value_encrypted}}' | ||
flags: | ||
- secure | ||
|
||
do: | | ||
echo "hello, this is a secrt value: {{.secure_ENV_AAA}}" |
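Review bot: The head text does not say which variables count as sensitive, and the demo mixes two flags: `enc_key` carries `secret` while `ENV_AAA` carries `secure`. State which flag (or both) triggers the SECURE_SENSITIVE_INFO_MASKED substitution, and say explicitly that the mask applies to the rendered script printed at debug verbosity. The `do` line itself echoes `{{.secure_ENV_AAA}}`, so a reader could assume the command's own output is masked as well, which the head does not claim. Also fix the typos "senstive" (title and head), "possiblly" (head) and "secrt" (the echo line).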
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
doc_meta: | | ||
folder: security | ||
title: retrieve secret from valut | ||
head: | | ||
When you put senstive information into vault, you can use a template func to retrieve it and use it in template rendering | ||
This example shows that you can not get the secret value in general cache, unless you use fromVault template func | ||
sections: | ||
- title: Demo | ||
log: yes | ||
tasks: | ||
- | ||
name: task | ||
task: | ||
- | ||
func: cmd | ||
dvars: | ||
- name: my_secret | ||
value: you_will_never_know | ||
flags: | ||
- secret | ||
|
||
do: | ||
- name: print | ||
cmd: | | ||
hello, this is a secrt value: {{.my_secret}} | ||
hello, this is a secrt value: {{ "my_secret" | fromVault}} | ||
hello, this is a secrt value: {{ "a_secret_does_not_exist_in_vault" | fromVault}} |
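Review bot: The third `cmd` line, `{{ "a_secret_does_not_exist_in_vault" | fromVault}}`, exercises a missing key, but the head never says what fromVault renders in that case. Document the result (empty string, placeholder or a failed task) along with the expected output of all three lines, since the head's claim that the secret is not available from the general cache rests on what `{{.my_secret}}` prints. Failing the task on a missing key would be safer than rendering an empty value into a command. Typos to fix: "valut" in the title, "senstive" in the head, and "secrt" in the three printed lines.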