Summon with pass (password store) as a provider

kqvanity · October 12, 2024, 10:45pm

I’m currently using summon to inject environment variables that are saved in pass (loading them permanently in my shell profile slowes it down).
Because I might use certain commands quite often, I extended gpg-agent cache period to about 24H to avoid entering gpg master password, however when using it with summon, it keeps either prompting me for the password, or halting with an error message

Error fetching variable OPENAI_API_KEY: exit status 2: gpg: public key decryption failed: Cannot allocate memory
gpg: decryption failed: Cannot allocate memory

I have two questions

Is there a way for summon to acknowledge the caching duration
I’m using summon to provide just-in-time env variables obtained from the pass command for CLI tools that need API keys present (some of them support env files, but I wanted to have a centralized location/password manager instead). Is that a idiomatic use of summon, or am I use the wrong tool for the job.

Thanks

kumbirai · October 15, 2024, 3:38pm

Summon was designed to retrieve secrets from various backends (e.g., pass) at runtime, so this use case aligns with the tool’s intent.

Summon itself doesn’t directly manage GPG-agent’s cache behaviour. It simply invokes the underlying tool (in this case, pass which uses gpg for encryption). The caching behaviour is managed by the GPG-agent, so for Summon to “acknowledge” the cache duration, you’ll need to ensure that the GPG-agent settings are correctly configured for caching.

Can you confirm the specific summon provider you’re using, it’s possible the issue might be with the provider ?

kqvanity · October 18, 2024, 7:37am

Can you confirm the specific summon provider

I’ve tried to use the default keyring provider, but I’m using passwordstore, so had to install and configure according to keyring_pass but it raised this error

  summon --provider ~/.local/lib/summon/keyring.py -f ~/secrets.yml ~/file.sh
Error fetching variable SOME_API_KEY: exit status 1: Error: python-keyring/summon/nested/password/store/dir/onlineservice.com is not in the password store.
/nested/password/store/dir/onlineservice.com  could not be retrieved

so after a bit of additional config, it kinda worked at times, and raised this error at others

  SUMMON_KEYRING_SERVICE="" summon --provider ~/.local/lib/summon/keyring.py -f ~/secrets.yml ~/file.sh
Error fetching variable SOME_API_KEY: exit status 1: gpg: public key decryption failed: Cannot allocate memory
gpg: decryption failed: Cannot allocate memory
Traceback (most recent call last):
  File "/home/keinvanity/.local/lib/summon/keyring.py", line 22, in <module>
    value = keyring.get_password(
            ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/keyring/core.py", line 56, in get_password
    return get_keyring().get_password(service_name, username)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/keyring_pass/__init__.py", line 183, in get_password
    ret = command(
          ^^^^^^^^
  File "/usr/lib/python3.12/site-packages/keyring_pass/__init__.py", line 26, in command
    return subprocess.check_output(cmd, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/subprocess.py", line 466, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['pass', 'show', '././nested/password/store/dir/onlineservice.com']' returned non-zero exit status 2.

As it raised those errors and needed multiple steps for configuration, I reverted back to gopass-summon-provider
but it still kept prompting me for the master password, or raising this error

Error fetching variable SOME_API_KEY: exit status 1: gpg: public key decryption failed: Cannot allocate memory
gpg: decryption failed: Cannot allocate memory
❌ Decryption failed: exit status 2

2024/10/18 10:36:36 failed to decrypt

kumbirai · October 22, 2024, 1:38pm

The memory issue is likely caused by too many background processes, like gpg-agent or summon, not terminating, which exhausts system resources. Check for hanging processes with ps aux | grep gpg-agent or ps aux | grep summon.

Can you provide details around your setup so I can reproduce, particularly useful is how you’re invoking summon and how many times.

Topic		Replies	Views
Securing OAuth Tokens using Summon Summon howto , summon	2	903	January 4, 2020
Question about using environment variables in Summon Summon summon , summon-conjur , pcf , conjur-buildpack , dap	2	918	December 3, 2019
Securely Using AWS CLI Credentials with Summon Summon opensource , howto , summon , cloud , aws	0	1441	April 9, 2020
Using summon with multiple providers Summon opensource , howto , summon	1	510	May 10, 2021
Using Summon for GitHub API access Summon github , howto , summon	3	1104	January 17, 2020

Summon with pass (password store) as a provider

I have two questions

Related topics