Overview

The bns secrets command encrypts and decrypts secret values for your organization; the encrypted values can then be used in environment configurations.

The command can be used to:

  • encrypt standalone values
  • decrypt encrypted expressions
  • encrypt all the values in an environment configuration
  • decrypt all the encrypted expressions in an environment configuration

Use case

You can use the secrets subcommand to manage the secret variables used in organization templates, to inspect existing encrypted expressions programmatically through the CLI, or to decrypt environment definitions fetched through the CLI.

Bunnyshell Secrets

Usage:
  bns secrets [command]

Aliases:
  secrets, sec

Available Commands:
  decrypt            Decrypts a secret expression of the given organization
  decrypt-definition Decrypts an environment definition for the given organization
  encrypt            Encrypts a secret for the given organization
  encrypt-definition Encrypts an environment definition for the given organization

Encrypt standalone values

$ bns secrets encrypt "my password" --organization vK4JwdXoGE
Expression | ENCRYPTED[s2mLeWJUG2THBOz0qcfRFzCH7vJPxaI8v8jHFWqiZvDilZFkY3FyZHM=]

$ cat mysecret.txt
my password

$ cat mysecret.txt | bns secrets encrypt --organization vK4JwdXoGE
Expression | ENCRYPTED[s2mLeWJUG2THBOz0qcfRFzCH7vJPxaI8v8jHFWqiZvDilZFkY3FyZHM=]

Decrypt encrypted expressions

$ bns secrets decrypt "ENCRYPTED[s2mLeWJUG2THBOz0qcfRFzCH7vJPxaI8v8jHFWqiZvDilZFkY3FyZHM=]" --organization vK4JwdXoGE
Value | my password

$ cat encrypted.txt
ENCRYPTED[ENCRYPTED[s2mLeWJUG2THBOz0qcfRFzCH7vJPxaI8v8jHFWqiZvDilZFkY3FyZHM=]]

$ cat encrypted.txt | bns secrets decrypt --organization vK4JwdXoGE
Value | my password

Encrypt an environment definition

$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: SECRET['my password']

$ bns secrets encrypt-definition --file /path/to/stage.yaml --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: 'ENCRYPTED[tqzw/u8m/6W0fkUEn84n4d9UBfv1D0BNjUpdXLi3DdURRgki6gkl4pWRbXQ2c3Rq]'

$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: SECRET['my password']

$ cat /path/to/stage.yaml | bns secrets encrypt-definition --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: 'ENCRYPTED[tqzw/u8m/6W0fkUEn84n4d9UBfv1D0BNjUpdXLi3DdURRgki6gkl4pWRbXQ2c3Rq]'

Decrypt an environment definition

By default, decryption rewrites the decrypted secrets as SECRET expressions. With the --resolved flag, the secrets are written as standalone values instead.

$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: 'ENCRYPTED[+HcI3i28UnnOHwhn3mSSXgHzL+hsjTovXr8TieuWALHilZFtdDZzdGo=]'

$ bns secrets decrypt-definition --file /path/to/stage.yaml --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: 'SECRET[''my password'']'

$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: 'ENCRYPTED[+HcI3i28UnnOHwhn3mSSXgHzL+hsjTovXr8TieuWALHilZFtdDZzdGo=]'

$ cat /path/to/stage.yaml | bns secrets decrypt-definition --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: 'SECRET[''my password'']'

$ cat /path/to/stage.yaml
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: 'ENCRYPTED[+HcI3i28UnnOHwhn3mSSXgHzL+hsjTovXr8TieuWALHilZFtdDZzdGo=]'

$ bns secrets decrypt-definition --file /path/to/stage.yaml --resolved --organization vK4JwdXoGE
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: 'my secret'
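
An added example, not part of the Bunnyshell documentation or CLI: because decrypt-definition writes secrets back as readable SECRET[...] expressions, a check like this can run before a definition is committed or shared to confirm that every secret is in ENCRYPTED[...] form. The function name find_plaintext_secrets, the sample definitions and the BAR/BAZ keys are constructed for illustration; values written with --resolved carry no marker and cannot be detected this way.

```bash
#!/usr/bin/env bash
# Added example (not Bunnyshell code). Helper names are hypothetical.

# Constructed sample: a definition as decrypt-definition leaves it.
sample_decrypted() {
cat <<'EOF'
kind: Environment
name: Secrets
type: primary
environmentVariables:
    FOO: SECRET['my password']
    BAR: 'SECRET[''another value'']'
    BAZ: 'ENCRYPTED[tqzw/u8m/6W0fkUEn84n4d9UBfv1D0BNjUpdXLi3DdURRgki6gkl4pWRbXQ2c3Rq]'
EOF
}

# Constructed sample: a definition after encrypt-definition.
sample_encrypted() {
cat <<'EOF'
kind: Environment
name: Secrets
type: primary
environmentVariables:
    # SECRET[...] in a comment is not a value and is ignored
    FOO: 'ENCRYPTED[tqzw/u8m/6W0fkUEn84n4d9UBfv1D0BNjUpdXLi3DdURRgki6gkl4pWRbXQ2c3Rq]'
EOF
}

# Reads a definition on stdin. Prints "line:KEY" for each value that still
# holds a SECRET[...] expression (the value itself is never printed, so the
# report is safe for CI logs). Returns 1 if any were found, else 0.
find_plaintext_secrets() {
    awk '
        /^[ \t]*#/ { next }                       # skip YAML comments
        match($0, /^[ \t]*[A-Za-z0-9_.-]+:/) {    # remember the current key
            key = substr($0, RSTART, RLENGTH - 1)
            gsub(/^[ \t]+/, "", key)
        }
        /SECRET\[/ { print NR ":" key; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Demo: the decrypted sample is rejected, the encrypted one passes.
sample_decrypted | find_plaintext_secrets || echo "refusing: plaintext SECRET expressions present"
sample_encrypted | find_plaintext_secrets && echo "ok: all secrets encrypted"
```

In a pre-commit hook or CI step, pipe each definition file into find_plaintext_secrets and fail the job on a non-zero status.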