Secrets
Overview
The bns secrets command encrypts and decrypts secret values for your organization. The encrypted values can then be used in environment configurations.
The command can be used to:
- encrypt standalone values
- decrypt encrypted expressions
- encrypt all the values in an environment configuration
- decrypt all the encrypted expressions in an environment configuration
Use case
You can use the secrets subcommand to manage the secret variables used in organization templates, to inspect existing encrypted expressions programmatically through the CLI, or to decrypt environment definitions fetched through the CLI.
Bunnyshell Secrets

Usage:
  bns secrets [command]

Aliases:
  secrets, sec

Available Commands:
  decrypt             Decrypts a secret expression of the given organization
  decrypt-definition  Decrypts an environment definition for the given organization
  encrypt             Encrypts a secret for the given organization
  encrypt-definition  Encrypts an environment definition for the given organization
Encrypt standalone values
$ bns secrets encrypt "my password" --organization vK4JwdXoGE
Expression | ENCRYPTED[s2mLeWJUG2THBOz0qcfRFzCH7vJPxaI8v8jHFWqiZvDilZFkY3FyZHM=]
$ cat mysecret.txt
my password
$ cat mysecret.txt | bns secrets encrypt --organization vK4JwdXoGE
Expression | ENCRYPTED[s2mLeWJUG2THBOz0qcfRFzCH7vJPxaI8v8jHFWqiZvDilZFkY3FyZHM=]
Decrypt encrypted expressions
$ bns secrets decrypt "ENCRYPTED[s2mLeWJUG2THBOz0qcfRFzCH7vJPxaI8v8jHFWqiZvDilZFkY3FyZHM=]" --organization vK4JwdXoGE
Value | my password
$ cat encrypted.txt
ENCRYPTED[ENCRYPTED[s2mLeWJUG2THBOz0qcfRFzCH7vJPxaI8v8jHFWqiZvDilZFkY3FyZHM=]]
$ cat encrypted.txt | bns secrets decrypt --organization vK4JwdXoGE
Value | my password
Encrypt an environment definition
$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: SECRET['my password']
$ bns secrets encrypt-definition --file /path/to/stage.yaml --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: 'ENCRYPTED[tqzw/u8m/6W0fkUEn84n4d9UBfv1D0BNjUpdXLi3DdURRgki6gkl4pWRbXQ2c3Rq]'
$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: SECRET['my password']
$ cat /path/to/stage.yaml | bns secrets encrypt-definition --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: 'ENCRYPTED[tqzw/u8m/6W0fkUEn84n4d9UBfv1D0BNjUpdXLi3DdURRgki6gkl4pWRbXQ2c3Rq]'
Decrypt an environment definition
By default, decryption rewrites the decrypted secrets as SECRET expressions. With the --resolved flag, the secrets are written as standalone values. In both cases the output contains the plaintext secret, so keep it out of version control and shared logs.
$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: 'ENCRYPTED[+HcI3i28UnnOHwhn3mSSXgHzL+hsjTovXr8TieuWALHilZFtdDZzdGo=]'
$ bns secrets decrypt-definition --file /path/to/stage.yaml --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: 'SECRET[''my password'']'
$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: 'ENCRYPTED[+HcI3i28UnnOHwhn3mSSXgHzL+hsjTovXr8TieuWALHilZFtdDZzdGo=]'
$ cat /path/to/stage.yaml | bns secrets decrypt-definition --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: 'SECRET[''my password'']'
$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: 'ENCRYPTED[+HcI3i28UnnOHwhn3mSSXgHzL+hsjTovXr8TieuWALHilZFtdDZzdGo=]'
$ bns secrets decrypt-definition --file /path/to/stage.yaml --resolved --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
  FOO: 'my secret'
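A pre-commit check for the two decrypted forms shown above, as an added example (not part of the Bunnyshell documentation or CLI): the hypothetical audit_definition function flags SECRET[...] expressions, and values that were ENCRYPTED[...] in the last committed definition but are bare now, as --resolved output would be. It assumes a line-oriented KEY: value scan rather than a full YAML parser; the sample files are constructed from the definitions on this page.

```shell
#!/bin/sh
# Added example, not Bunnyshell code: audit a definition before it is committed.
# Assumption: line-oriented "KEY: value" scan, keyed on the variable name only.

# audit_definition CANDIDATE BASELINE
#   PLAINTEXT <line> <key>  value is a SECRET[...] expression (default decrypt-definition output)
#   RESOLVED  <line> <key>  key was ENCRYPTED[...] in BASELINE but is a bare value now (--resolved)
# Returns 1 when anything is reported, 0 otherwise.
audit_definition() {
    awk '
        # Split a KEY: value line into the globals key and val.
        function parse(line) {
            key = ""; val = ""
            if (match(line, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*:[ \t]*/)) {
                key = substr(line, 1, RLENGTH)
                val = substr(line, RLENGTH + 1)
                gsub(/[ \t:]/, "", key)
            }
        }
        # First file (baseline): remember which keys hold encrypted values.
        !audit { parse($0); if (val ~ /ENCRYPTED\[/) was_encrypted[key] = 1; next }
        {
            parse($0)
            if (key == "") next
            if (val ~ /SECRET\[/) { print "PLAINTEXT " FNR " " key; bad = 1 }
            else if ((key in was_encrypted) && val !~ /ENCRYPTED\[/) { print "RESOLVED " FNR " " key; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$2" audit=1 "$1"
}

# Constructed sample files, modelled on the definitions shown on this page.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'kind: Environment' 'environmentVariables:' \
    "  FOO: 'ENCRYPTED[+HcI3i28UnnOHwhn3mSSXgHzL+hsjTovXr8TieuWALHilZFtdDZzdGo=]'" > "$demo_dir/committed.yaml"
printf '%s\n' 'kind: Environment' 'environmentVariables:' \
    "  FOO: 'SECRET[''my password'']'" > "$demo_dir/decrypted.yaml"
printf '%s\n' 'kind: Environment' 'environmentVariables:' \
    "  FOO: 'my secret'" > "$demo_dir/resolved.yaml"

for f in committed decrypted resolved; do
    audit_definition "$demo_dir/$f.yaml" "$demo_dir/committed.yaml" || echo "$f.yaml: do not commit"
done
```

In a pre-commit hook, the baseline would be the version of the file at HEAD and the candidate the staged copy.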