I have saved azure storage key in key vault and i want to retrieve the key using Azure cli and set it as env. variable in window cmd before i run terraform script.
Below listed command doesn't work, can anyone tell me what needs to be changed ?
set ARM_ACCESS_KEY=$(az keyvault secret show --name terraform-backend-key --vault-name myKeyVault)
Error on initializing
Main.tf
variable "count" {}
variable "prefix" {
default="RG"
}
terraform {
backend "azurerm" {
container_name = "new"
storage_account_name = "mfarg"
key = "terraform.tfstate"
}}
resource "azurerm_resource_group" "test" {
count ="${var.count}"
name = "${var.prefix}-${count.index}"
location = "West US 2"
}
Command prompt output
To set the environment variable in Windows, I suggest you use the PowerShell command to achieve it. In PowerShell, you can just do it like this:
$env:ACCESS_KEY=$(az keyvault secret show -n terraform-backend-key --vault-name myKeyVault --query value -o tsv)
Also, in your CLI command, you could not show the secret directly, it outputs the whole secret not just the access key as you want. See the difference between the two commands.
A late answer, but perhaps useful to those who still have the same problem.
This method will work in windows Command prompt, cmd.
For /f %%i in ('az keyvault secret show --vault-name "Your-KeyVault-Name" --name "Your-Secret-Name" --query "value"') do set "password=%%i"
Now if you just run "echo %password%" you will see your secret value.
Remember that az command has to be between ' ', like 'az keyvault secret etc'.
Related
I am trying to integrate aws secret manager with Docker. I have to call secret manager and set response JSON to the ENV.
My JSON looks like this
{
"username": "demo_user",
"password": "some_password"
}
I am trying below steps to set ENV
Dockerfile
RUN export secretData=$(aws secretsmanager get-secret-value --secret-id /secret/id --region region-example-north-1);echo $secretData;
RUN bash -l -c 'echo export $secretData="$(aws secretsmanager get-secret-value --secret-id /secret/id --region region-example-north-1)" >> /etc/bash.bashrc'
Both methods of RUN didn't work for me. I want output something like ENV RUN export secretData
My Env variables are username and password so further this output will be stored in each variable respectively
Thanks is advance for each reply.
Sorry, Noobie here. Perhaps it is a very easy and obvious answer but I am trying to store an extensive list of keyvault secrets and am looking for an easy-ish way to do it compared with entering each one at a time. I figure using the CLI would be a quicker way to get this done than the Azure Resource Manager interface.
If by "ARM Interface" you mean a template, there is a template already written for this case: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-secret-create
Don't know if this will actually help anyone because its so basic but I ended up creating a for loop script in bash that takes the input files as variables and dynamically creates the keyvault and populates said keyvault with the values based on the values.txt name.
running:
bash keyvault_creator.sh key.txt vault1.txt
runs:
#!/bin/bash
key=$1
value=$2
az keyvault create --location <location> --name "${value%.*}" --resource-group <ResourceGroupName>
paste $key $value | while read if of; do
echo "$if" "$of"
az keyvault secret set --vault-name "${value%.*}" --name "$if" --value "$of"
done
I am trying to create a config file using a bash task in Azure Devops. The variables come from azure keyvault, so I don't know which variables are defined and which ones are undefined.
- script: |
touch config.txt
echo "1. $(MyDefinedVariable)" >> config.txt
echo "2. $(MyUndefinedVariable)" >> config.txt
cat config.txt
Since MyUndefinedVariable is not defined, the pipeline doesn't substitute $(MyUndefinedVariable), resulting in a bash error MyUndefinedVariable: command not found.
I have tried using the env argument to use bash variables but I get the same error since "$(MyUndefinedVariable)" is being passed in to the bash environment.
- script: |
touch config.txt
echo "1. $MY_DEFINED_VARIABLE" >> config.txt
echo "2. $MY_UNDEFINED_VARIABLE" >> config.txt
cat config.txt
env:
MY_DEFINED_VARIABLE: $(MyDefinedVariable)
MY_UNDEFINED_VARIABLE: $(MyUndefinedVariable)
I just want undefined variables to resolve to an empty string but can't find a sensible way to do it.
All variables mapped from Azure KeyVault are considered as secrets so mapping like this one is necessary:
env:
MY_DEFINED_VARIABLE: $(MyDefinedVariable)
MY_UNDEFINED_VARIABLE: $(MyUndefinedVariable)
I'm afraid that if you are not aware of values in your KeyVault you need to use Azure CLI to check this. To checks all secret keys you can use this command:
az keyvault secret list [--id]
[--maxresults]
[--query-examples]
[--subscription]
[--vault-name]
You can combine this CLI with Azure CLI task.
I need create a MariaDB docker container, but need set the root password, but the password is set using a argument from the command line, it is very dangerous for the storage in the .bash_history.
I try use secrets using print pass | docker secret create mysql-root -, but have the same problem, the password is saved into .bash_history. The docker secret is not very secret.
I try use an interactive command:
while read -e line; do printf $line | docker secret create mysql-root -; break; done;
But, is very ugly xD. Why is a beter way to create a docker secret without save it into bash history but without remove all bash history?
The simplest way I have found is to use the following:
docker secret create private_thing -
Then enter the secret on the command line, followed by Ctrl-D twice.
You could try
printf $line | sudo docker secret create MYSQL_ROOT_PASSWORD -
and then
docker run --name some-mysql -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root -d mariadb:tag
The information concerning using secrets with MariaDB can be found on the MariaDB page of DockerHub.
"Docker Secrets
As an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/<secret_name> files. For example:
$ docker run --name some-mysql -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root -d mariadb:tag
Currently, this is only supported for MYSQL_ROOT_PASSWORD, MYSQL_ROOT_HOST, MYSQL_DATABASE, MYSQL_USER, and MYSQL_PASSWORD"
You can use openssl rand option to generate a random string and pass to docker secret command i.e
openssl rand -base64 10| docker secret create my_sec -
The openssl rand option will generate 10 byte base64 encoded random string.
I added the following configuration in spark-env
--configurations '[
{
"Classification": "spark-env",
"Properties": {},
"Configurations": [
{
"Classification": "export",
"Properties": {
"MY_VARIABLE": "MY_VARIABLE"
}
}
]
}
]'
But if I just do echo $MY_VARIABLE in bash I can't see them in the terminal.
Basically what I want to do is the following:
schedule the creation of an AWS EMR cluster with AWS Lambda (where I would set all my environment variables such as git credentials)
in the bootstrapping of the machine, install a bunch of things, including git
git clone a repository (so I need to use the credentials stored in the environment variables)
execute some code from this repository
Pass the environment variables as arguments to the bootstrap action.
the reason why you can't find MY_VARIABLE using echo is because MY_VARIABLE is only available to the spark-env.
Assuming you are using pyspark, if you open a pyspark shell (whilst you are ssh'd into one of the nodes of your cluster) and you try to type os.getenv("MY_VARIABLE") you'll see the value of you assigned to that variable.
An alternative solution for your use case would be: instead of using credentials (which in general is not the preferred way), you could use a set of keys that allows you to clone a repo with SSH (rather than https). You can store those keys in aws ssm and retrieve those in the EMR bootstrap script. An example could be:
bootstrap.sh
export SSM_VALUE=$(aws ssm get-parameter --name $REDSHIFT_DWH_PUBLIC_KEY --with-decryption --query 'Parameter.Value' --output text)
echo $SSM_VALUE >> $AUTHORIZED_KEYS
In my case, I needed to connect to a Redshift instance, but this would work nicely also with your use case.
Alessio