% gwsm 8

NAME

gwsm - interact with config map and secret manager variables

SYNOPSIS

gwsm

COMMAND TREE

sm, secretsmanager
- list
- describe
- get, view
- edit, e
- create, c
- put
- delete, del
env, e
s3
- get
install-manpage
version, v

Usage:

gwsm [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]

COMMANDS

sm, secretsmanager

Secrets Manager commands w/ interactive interface

--binary, -b: get the SecretBinary value

list

display table of all secrets with meta data

describe

print description of secret to STDOUT

--secret-id, -s="": Specific Secret to describe, will bypass select/search

get, view

select from list or pass in specific secret

--secret-id, -s="": Specific Secret to view, will bypass select/search

edit, e

interactive edit of a secret String Value

--secret-id, -s="": Specific Secret to edit, will bypass select/search

create, c

create new secret in Secrets Manager

--description, -d="": Additional description text.

--interactive, -i: Open interactive editor to create secret value. If no 'value' is provided, an editor will be opened by default.

--secret-id, -s="": Secret name

--tags, -t="": key=value tags (CSV list)

--value, -v="": Secret Value. Will store as a string, unless binary flag is set.

put

non-interactive update to a specific secret

Stores a new encrypted secret value in the specified secret. To do this, the 
operation creates a new version and attaches it to the secret. The version 
can contain a new SecretString value or a new SecretBinary value.

This will put the value to AWSCURRENT and retain one previous version 
with AWSPREVIOUS.

--interactive, -i: Override and open interactive editor to verify and modify the new secret value.

--secret-id, -s="": Secret name

--value, -v="": Secret Value. Will store as a string, unless binary flag is set.

delete, del

delete a specific secret

--force, -f: Bypass recovery window (30 days) and immediately delete Secret.

--secret-id, -s="": Specific Secret to delete

env, e

Commands to interact with environment variables, both local and on cluster.

diff, d

Print out detailed diff reports comparing local and running Pod

namespace, ns

View diff of local vs. namespace

View the diff of the local environment against a given command running on a
pod within a namespace.

This will retrieve the stored secrets within AWS Secrets Manager and map them
via the secrets.yml file used by the 'summon' CLI tool to generate the current
state of Environment Variables for a given stage.

The AWS Secrets Manager names are assumed to be stored as
'<SECRETS_GROUP>_NAME' in the ConfigMap.
Example: 'RDS_SECRET_NAME: rds/staging/service-yolo'

From the root of the service, the required files are typically found below:

The path to the configmap.yaml file is within the kubernetes deployment.
This is typically .kube/<stage>/05-configmap.yaml

The path to the secrets.yml is typically .docker/secrets.yaml

It will then grab current environment for a specific process running within a
Pod in a given Namespace.

This is achieved by inspecting the /proc/<PID>/environ for the given process.
This method uses '/bin/bash -c' as the base command to perform the PID
inspection via 'ps faux'.

The 'filter-prefix' flag will exclude any values that start with the flagged
prefixes from display.

The 'exclude' flag will exclude any values where the KEY matches exactly from
display.

--cmd="": Command to inspect (default: node)

--configmap, -c="": Path to configmap.yaml

--exclude="": List (csv) of specific env vars to exclude values from display. Set to "" to remove any exclusions. (default: PATH,SHLVL,HOSTNAME)

--filter-prefix, -f="": List of prefixes (csv) used to filter values from display. Set to "" to remove any filters. (default: npm_,KUBERNETES_,API_PORT)

--namespace, -n="": Kube Namespace to list Pods from for inspection

--secret-suffix="": Suffix used to find ENV variables that denote the Secret Manager Secrets to lookup (default: _NAME)

--secrets, -s="": Path to secrets.yml (default: .docker/secrets.yml)

ansible, legacy

View diff of local (ansible encrypted) vs. namespace

View the diff of the local ansible-vault encrypted Kubernetes Secret file
against a given dotenv file on a pod within a namespace.

The local file will use the contents of the 'data.<accessor flag>' block.
This defaults to 'data..env'.

Supported ansible-vault encryption version: $ANSIBLE_VAULT;1.1;AES256

Example file structure of decrypted file:

---
apiVersion: v1
kind: Secret
type: Opaque
data:
  .env: <BASE64 ENCODED STRING>

It will then grab contents of the dotenv file on a Pod in a given Namespace.

This defaults to inspecting the '$PWD/.env on' when executing a 'cat' command.
This method uses '/bin/bash -c' as the base command to perform inspection.

--accessor, -a="": Accessor key to pull data out of Data block. (default: .env)

--dotenv="": Path to .env file on Pod (default: $PWD/.env)

--encrypted-env-file, -e="": Path to encrypted Kube Secret file

--namespace, -n="": Kube Namespace list Pods from for inspection

--vault-password-file="": vault password file VAULT_PASSWORD_FILE

view, v

View configured environment for either local or running on a Pod

configmap, c

View env values based on local settings in a ConfigMap and secrets.yml

View the current environment variables for a given ConfigMap and summon
secrets.yml.

This will retrieve the stored secrets within AWS Secrets Manager and map them
via the secrets.yml file used by the 'summon' CLI tool to generate the current
state of Environment Variables for a given stage.

The AWS Secrets Manager names are assumed to be stored as
'<SECRETS_GROUP>_NAME' in the ConfigMap. 
Example: 'RDS_SECRET_NAME: rds/staging/service-yolo'

From the root of the service, the required files are typically found below:

The path to the configmap.yaml file is within the kubernetes deployment.
This is typically .kube/<stage>/05-configmap.yaml

The path to the secrets.yml is typically .docker/secrets.yaml

The 'filter-prefix' flag will exclude any values that start with the flagged 
prefixes from display.

--configmap, -c="": Path to configmap.yaml

--secret-suffix="": Suffix used to find ENV variables that denote the Secret Manager Secrets to lookup (default: _NAME)

--secrets, -s="": Path to secrets.yml (default: .docker/secrets.yml)

ansible, legacy

View env values from ansible-vault encrypted Secret file.

View a legacy ansible-vault encrypted Kubernetes Secret file. This will output
the contents of the 'data.<accessor flag>' block.
This defaults to 'data..env'.

Supported ansible-vault encryption version: $ANSIBLE_VAULT;1.1;AES256

Example file structure of decrypted file:

---
apiVersion: v1
kind: Secret
type: Opaque
data:
  .env: <BASE64 ENCODED STRING>

--accessor, -a="": Accessor key to pull data out of Data block. (default: .env)

--encrypted-env-file, -e="": Path to encrypted Kube Secret file

--vault-password-file="": vault password file VAULT_PASSWORD_FILE

namespace, ns

Interact with env on a running Pod within a Namespace

View the current environment for a specific process running within a Pod in a
given Namespace.

This is achieved by inspecting the /proc/<PID>/environ for the given process.
This method uses '/bin/bash -c' as the base command to perform the PID
inspection via 'ps faux'.

The 'filter-prefix' flag will exclude any values that start with the flagged
prefixes from display.

The 'exclude' flag will exclude any values where the KEY matches exactly from
display.

--cmd="": Command to inspect (default: node)

--exclude="": List (csv) of specific env vars to exclude values from display. Set to "" to remove any exclusions. (default: PATH,SHLVL,HOSTNAME)

--filter-prefix, -f="": List of prefixes (csv) used to filter values from display. Set to "" to remove any filters. (default: npm_,KUBERNETES_,API_PORT)

--namespace, -n="": Kube Namespace list Pods from

dump

Dump environment for either local or running on a Pod to screen or file

configmap, c

Dump env values based on local settings in a ConfigMap and secrets.yml

Dump the current environment variables for a given ConfigMap and summon
secrets.yml.

This will retrieve the stored secrets within AWS Secrets Manager and map them
via the secrets.yml file used by the 'summon' CLI tool to generate the current
state of Environment Variables for a given stage.

The AWS Secrets Manager names are assumed to be stored as
'<SECRETS_GROUP>_NAME' in the ConfigMap. 
Example: 'RDS_SECRET_NAME: rds/staging/service-yolo'

From the root of the service, the required files are typically found below:

The path to the configmap.yaml file is within the kubernetes deployment.
This is typically .kube/<stage>/05-configmap.yaml

The path to the secrets.yml is typically .docker/secrets.yaml

The 'filter-prefix' flag will exclude any values that start with the flagged 
prefixes from display.

--configmap, -c="": Path to configmap.yaml

--secret-suffix="": Suffix used to find ENV variables that denote the Secret Manager Secrets to lookup (default: _NAME)

--secrets, -s="": Path to secrets.yml (default: .docker/secrets.yml)

ansible, legacy

Dump env values from ansible-vault encrypted Secret file.

Dump a legacy ansible-vault encrypted Kubernetes Secret file. This will output
the contents of the 'data.<accessor flag>' block.
This defaults to 'data..env'.

Supported ansible-vault encryption version: $ANSIBLE_VAULT;1.1;AES256

Example file structure of decrypted file:

---
apiVersion: v1
kind: Secret
type: Opaque
data:
  .env: <BASE64 ENCODED STRING>

--encrypted-env-file, -e="": Path to encrypted Kube Secret file

--vault-password-file="": vault password file VAULT_PASSWORD_FILE

namespace, ns

Dump env on a running Pod within a Namespace

Dump the current environment for a specific process running within a Pod in a
given Namespace.

This is achieved by inspecting the /proc/<PID>/environ for the given process.
This method uses '/bin/bash -c' as the base command to perform the PID
inspection via 'ps faux'.

The 'filter-prefix' flag will exclude any values that start with the flagged
prefixes from display.

The 'exclude' flag will exclude any values where the KEY matches exactly from
display.

--cmd="": Command to inspect (default: node)

--exclude="": List (csv) of specific env vars to exclude values from display. Set to "" to remove any exclusions. (default: PATH,SHLVL,HOSTNAME)

--filter-prefix, -f="": List of prefixes (csv) used to filter values from display. Set to "" to remove any filters. (default: npm_,KUBERNETES_,API_PORT)

--namespace, -n="": Kube Namespace list Pods from

s3

simple S3 commands

get

[object path] [destination path]

The '[object path]' MUST always start with 's3://'
The '[destination path]' directory MUST exists, but file will be created or overwritten

Example:
$ gwsm s3 get s3://coll-bucket-name/with/path/filename /tmp/filename

install-manpage

Generate and install man page

NOTE: Windows is not supported

version, v

Print version info

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gwsm.md

gwsm.md

NAME

SYNOPSIS

COMMAND TREE

COMMANDS

sm, secretsmanager

list

describe

get, view

edit, e

create, c

put

delete, del

env, e

diff, d

namespace, ns

ansible, legacy

view, v

configmap, c

ansible, legacy

namespace, ns

dump

configmap, c

ansible, legacy

namespace, ns

s3

get

install-manpage

version, v

Files

gwsm.md

Latest commit

History

gwsm.md

File metadata and controls

NAME

SYNOPSIS

COMMAND TREE

COMMANDS

sm, secretsmanager

list

describe

get, view

edit, e

create, c

put

delete, del

env, e

diff, d

namespace, ns

ansible, legacy

view, v

configmap, c

ansible, legacy

namespace, ns

dump

configmap, c

ansible, legacy

namespace, ns

s3

get

install-manpage

version, v