Using summon with multiple providers

Here’s an astonishingly simple way to get summon fetching secrets using multiple providers. It’s called multi-provider. It’s a summon provider, in the form of a shell script, that allows summon to fetch secrets from multiple providers by delegating the secret fetching to the provider specified as a prefix on the secret id. The secret id will take the form actual_provider@actual_secret_id.

For example, if we have the following in the secrets.yml:

SECRET_1: cat@/some/file

Then run summon --provider ./multi-provider ..., multi-provider will run cat /some/file to get the value for SECRET_1.

Source code for multi-provider

#!/usr/bin/env bash

# multi-provider is a summon provider that allows summon to 
# fetch secrets from multiple providers by delegating the secret
# fetching to the provider specified as a prefix on the secret id.
#
# For example, if we have the following in the secrets.yml:
# ```
# SECRET_1: cat@/some/file
# ```
#
# Then run `summon --provider ./multi-provider ...`, multi-provider will 
# run `cat /some/file` to get the value for `SECRET_1`.

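# A secret id without a provider prefix cannot be delegated.
if [[ "$1" != *@* ]]; then
  echo "multi-provider: expected provider@secret_id" >&2
  exit 1
fi

# Split at the first '@': the prefix is the provider, the rest is the secret id.
provider="${1%%@*}"
secret_id="${1#*@}"

# Run the provider; the name is resolved through this script's PATH.
"${provider}" "${secret_id}"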

PATH resolution

Your actual provider will be executed in the context of multi-provider and not summon!

You’ll need to ensure that the paths you specify in the prefixes for the providers are resolvable through your system PATH; otherwise you’ll get something like command not found:.

For example, a provider at /usr/local/lib/summon/summon-aws-secrets can be specified as summon-aws-secrets and it can be resolved by summon (because summon adds /usr/local/lib/summon/summon-aws-secrets to the PATH), but this path is unlikely to be available in your system PATH outside of summon. To make this provider available in the context of multi-provider, just add it to the path with PATH="$PATH:/usr/local/lib/summon" and you’re good to go by setting the secret prefix to summon-aws-secrets. Alternatively, you can set the prefix to the full path of the provider, i.e. /usr/local/lib/summon/summon-aws-secrets, though that can be quite cumbersome.

4 Likes
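Because the prefix in secrets.yml names the command that multi-provider executes, a stricter variant can resolve prefixes against one fixed directory and an allowlist instead of the caller's PATH. The following is an added example, not part of the original post or the multi-provider script; the variable names MULTI_PROVIDER_DIR and MULTI_PROVIDER_ALLOW and the function names are hypothetical, and the default allowlist is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not the original multi-provider script.
# MULTI_PROVIDER_DIR and MULTI_PROVIDER_ALLOW are hypothetical variable names;
# the default allowlist below is a constructed sample.
MULTI_PROVIDER_DIR="${MULTI_PROVIDER_DIR:-/usr/local/lib/summon}"
MULTI_PROVIDER_ALLOW="${MULTI_PROVIDER_ALLOW:-summon-aws-secrets}"

# Print the absolute path of an allowlisted provider; fail for anything else.
resolve_provider() {
  local name="$1" allowed
  case "$name" in
    ''|*/*) return 1 ;;            # bare names only, no paths or traversal
  esac
  for allowed in $MULTI_PROVIDER_ALLOW; do
    if [ "$name" = "$allowed" ]; then
      printf '%s/%s\n' "$MULTI_PROVIDER_DIR" "$name"
      return 0
    fi
  done
  return 1
}

# Split provider@secret_id at the first '@' and delegate to the provider.
fetch_secret() {
  local id="$1" provider secret_id path
  case "$id" in
    *@*) ;;
    *) echo "multi-provider: expected provider@secret_id, got '$id'" >&2; return 1 ;;
  esac
  provider="${id%%@*}"
  secret_id="${id#*@}"
  if ! path=$(resolve_provider "$provider"); then
    echo "multi-provider: provider '$provider' is not allowlisted" >&2
    return 1
  fi
  if [ ! -x "$path" ]; then
    echo "multi-provider: $path is missing or not executable" >&2
    return 1
  fi
  "$path" "$secret_id"
}

# Run as a summon provider only when called with a secret id.
if [ "$#" -gt 0 ]; then
  fetch_secret "$1"
  exit $?
fi
```

With this variant a prefix such as cat or a full path is rejected unless the name is on the allowlist and the executable lives in MULTI_PROVIDER_DIR, so the PATH of the calling shell no longer decides which binary handles a secret.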

Is there a way to set multi-provider as the default provider for Summon similar to if only one provider is installed on the machine?

Currently, I have only the Keyring provider installed and have a need to also install the Conjur provider. This will cause me to change all my current scripts and .zsh aliases to include the provider switch to determine which to use.

Rather than go through all that work migrating, I’d prefer fewer code changes by just setting multi-provider as a default.

1 Like