README
¶
Rotator
Rotator is a tool for rotating credentials on a regular schedule. It works by reading a YAML configuration file with a list of secret. Each secret consists of a source from which rotator will read new credentials, and one or more destinations (from here on referred to as sinks) to write the new credentials to.
Currently, rotator supports the following sources...
- AWS IAM
... and sinks:
- Travis CI
- AWS Systems Manager Parameter Store
- AWS Secrets Manager
Table of contents
Installation
go get
If you have a functional go environment, you can install with:
$ go get github.com/chanzuckerberg/rotator
Homebrew
$ brew tap chanzuckerberg/tap
$ brew install rotator
Usage
Execute rotator with the rotate command, passing the --file/-f flag to specify the configuration file:
$ rotator rotate -f config.yaml
Below is an example of a configuration file config.yaml to rotate credentials for the AWS IAM user example-user and write them to the Travis CI repository example-repo:
version: 1
secrets:
- name: example_secret
source:
kind: aws
max_age: 1h40m0s
role_arn: arn:aws:iam::123456789101:role/admin
username: example-user
external_id: ""
sinks:
- kind: TravisCI
key_to_name:
accessKeyId: EXAMPLE_AWS_ACCESS_KEY_ID
secretAccessKey: EXAMPLE_AWS_SECRET_ACCESS_KEY
repo_slug: example-repo
Flags
-f, --file config file to read from
-y, --yes assume "yes" to all prompts and run non-interactively
Monitoring
Configure Sentry for rotator by setting the ENV, SENTRY_DSN environment variables.
Sources
All sources must have the following fields in addition to any source-specific fields:
| Name | Description |
|---|---|
| kind | The kind of source. Acceptable values: aws. |
| max_age | The max age for a credential before it will be rotated by rotator. The duration string should follow the same format as for time.ParseDuration() e.g. "2h45m". |
Env (env)
| Name | Description | Required |
|---|---|---|
| name | The name of the environment variable to read | yes |
AWS IAM (aws)
| Name | Description | Required |
|---|---|---|
| role_arn | The ARN of the AWS IAM role that rotator should assume. | yes |
| username | The name of the AWS IAM user for rotator to rotate their AWS access keys. | yes |
| external_id | If set, the external ID is passed to the AWS STS AssumeRole API to assume the IAM Role specified by role_arn e.g. if deploying rotator on EC2. |
no |
AWS credentials must be specified using a shared credentials file or AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
Sinks
All sinks must have the following fields in addition to any sink-specific fields:
| Name | Description |
|---|---|
| kind | The kind of sink. Acceptable values: TravisCI, AWSParameterStore, AWSSecretsManager. |
| key_to_name | A map of source keys to their sink names.* |
*Rotator parses the credentials from any source as key-value pairs. For example, the credentials for an AWS IAM source will consist of a
AWS_ACCESS_KEY_IDkey and aAWS_SECRET_ACCESS_KEYkey and their associated values. Thekey_to_namemapping then maps each key to the name of the credential in the sink that rotator should update the value of. This gives users more control over the rotation, and is also necessary as we might have multiple credentials from the source kind written to the same sink instance. For example, the same AWS Parameter Store sink might store AWS credentials from multiple AWS IAM users; thekey_to_namemapping allows us to specify the names of the parameters rotator should update the value of for each source so that we don't overwrite the parameters for another source.
Travis CI (TravisCI)
| Name | Description | Required |
|---|---|---|
| repo_slug | The target Travis CI repository slug. Same as {repository.owner.name}/{repository.name}. | yes |
TRAVIS_API_AUTH_TOKEN should be set.
Circle CI (CircleCI)
| Name | Description | Required |
|---|---|---|
| account | The CircleCI account to write this env var to. | yes |
| repo | The CircleCI repo to write this env var to. | yes |
CIRCLECI_AUTH_TOKEN must be set.
GitHub Actions Secret (GitHubActionsSecret)
| Name | Description | Required |
|---|---|---|
| owner | The GitHub repo owner to write this env var to. | yes |
| repo | The GitHub repo to write this env var to. | yes |
GITHUB_ACTIONS_AUTH_TOKEN must be set.
AWS Systems Manager Parameter Store (AWSParameterStore)
| Name | Description | Required |
|---|---|---|
| role_arn | The ARN of the AWS IAM role that rotator should assume. | yes |
| region | The [AWS Regional endpoint[(https://docs.aws.amazon.com/general/latest/gr/rande.html) | yes |
| external_id | If set, the external ID is passed to the AWS STS AssumeRole API to assume the IAM Role specified by role_arn e.g. if deploying rotator on Kubernetes. |
no |
AWS credentials must be specified using a shared credentials file or AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
AWS Secrets Manager (AWSSecretsManager)
| Name | Description | Required |
|---|---|---|
| role_arn | The ARN of the AWS IAM role that rotator should assume. | yes |
| region | The [AWS Regional endpoint[(https://docs.aws.amazon.com/general/latest/gr/rande.html) | yes |
| external_id | If set, the external ID is passed to the AWS STS AssumeRole API to assume the IAM Role specified by role_arn e.g. if deploying rotator on Kubernetes. |
no |
AWS credentials must be specified using a shared credentials file or AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
Contributing
Contributions and ideas are welcome! Please see our contributing guide and don't hesitate to open an issue or send a pull request to improve the functionality of this gem.
This project adheres to the Contributor Covenant code of conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to opensource@chanzuckerberg.com.
License
Documentation
¶
There is no documentation for this package.
Source Files
Directories