Command: inject

Secrets are often loaded into applications as fields in config files. For instance, many projects contain an example.config file like this:

database:
    host: localhost
    port: 5432
    username: "<INSERT_USERNAME_HERE>"
    password: "<INSERT_PASSWORD_HERE>"

To avoid manually editing these files to input the correct credentials for each environment, SecretHub allows you to write them as template files and inject secrets on the fly.

Template syntax recognizes paths to secrets placed between ${ and }. A template may contain any number of ${ <path> } segments, where <path> is the path to a secret version (for example john/repo/api-server/db-password:latest). When no version is given, the latest version of the secret is used.

When you convert the above example.config file to a template it looks something like this:

database:
    host: localhost
    port: 5432
    username: "${ john/repo/api-server/db-user:latest }"
    password: "${ john/repo/api-server/db-password:latest }"

Human instructions have been turned into machine-readable code. Also, did you notice how there are no secrets in the template file? The template contains only secret paths, never values, so it can be safely checked into source control and shared with team members.

To inject a template with secrets, you can use the inject command:

secrethub inject [options] 

This reads a template from stdin, fetches every secret the template references from SecretHub, injects the values into the template and writes the result to stdout.

For example, when you run the inject command on the template above it looks something like this:

$ cat example.config.tpl
database:
    host: localhost
    port: 5432
    username: "${ john/repo/api-server/db-user:latest }"
    password: "${ john/repo/api-server/db-password:latest }"
$ cat example.config.tpl | secrethub inject
database:
    host: localhost
    port: 5432
    username: "api-server1"
    password: "Lt2DMXglD93RMRbRu6vue0"

The convention is to name template files exactly the same as their injected counterparts, with an additional .tpl file extension. So a file example.config is generated by a template called example.config.tpl. The injected file contains the plaintext secrets, so unlike the template it must never be checked in; add the generated name to your .gitignore.
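To make the template syntax and the inject step concrete, here is an added Python example that re-implements the documented behaviour against a constructed in-memory secret store. It is not SecretHub's own code and does not talk to SecretHub: the store, the template, and the secret values are made up for the example, and the handling of whitespace inside the braces, the numbering of versions from 1, and the error on an unknown secret are assumptions about the real tool. It also applies the .tpl naming convention and writes the result with an explicit file mode, mirroring what --file and --file-mode do.

```python
import os
import re
import stat
from typing import Dict, List, Tuple

# Constructed in-memory stand-in for the SecretHub backend (not the real client):
# maps a secret path to its versions, oldest first, so index -1 is "latest".
SECRET_STORE: Dict[str, List[str]] = {
    "john/repo/api-server/db-user": ["api-server1"],
    "john/repo/api-server/db-password": ["OldPassw0rd!", "Lt2DMXglD93RMRbRu6vue0"],
}

# One ${ <path> } segment. Whitespace inside the braces is assumed to be ignored.
SEGMENT_RE = re.compile(r"\$\{\s*([^\s}]+)\s*\}")


def parse_path(path: str) -> Tuple[str, str]:
    """Split 'ns/repo/dir/secret:version' into (secret, version); no version means 'latest'."""
    if ":" in path:
        secret, version = path.rsplit(":", 1)
        return secret, version
    return path, "latest"


def resolve(secret: str, version: str) -> str:
    """Look a secret version up in the constructed store. Versions are assumed numbered from 1."""
    versions = SECRET_STORE.get(secret)
    if versions is None:
        raise KeyError(f"secret not found: {secret}")
    if version == "latest":
        return versions[-1]
    number = int(version)
    if not 1 <= number <= len(versions):
        raise KeyError(f"secret {secret} has no version {version}")
    return versions[number - 1]


def secret_paths(template: str) -> List[str]:
    """List every secret path a template references (handy for auditing what a template needs)."""
    return [m.group(1) for m in SEGMENT_RE.finditer(template)]


def inject(template: str) -> str:
    """Replace every ${ <path> } segment with the secret value; an unknown secret raises KeyError."""
    return SEGMENT_RE.sub(lambda m: resolve(*parse_path(m.group(1))), template)


def output_name(template_name: str) -> str:
    """Apply the naming convention: example.config.tpl -> example.config."""
    if not template_name.endswith(".tpl"):
        raise ValueError(f"not a template file name: {template_name}")
    return template_name[: -len(".tpl")]


def write_injected(path: str, rendered: str, mode: int = 0o600) -> int:
    """Write the rendered config with an explicit mode (like --file --file-mode); returns the final mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        f.write(rendered)
    os.chmod(path, mode)  # os.open applies the umask; enforce the requested mode explicitly
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed template, the same shape as the example.config.tpl above.
TEMPLATE = '''database:
    host: localhost
    port: 5432
    username: "${ john/repo/api-server/db-user:latest }"
    password: "${ john/repo/api-server/db-password:latest }"
'''

if __name__ == "__main__":
    import tempfile

    print("secrets referenced:", secret_paths(TEMPLATE))
    rendered = inject(TEMPLATE)
    print(rendered)
    target = os.path.join(tempfile.mkdtemp(), output_name("example.config.tpl"))
    print("wrote", target, "with mode", oct(write_injected(target, rendered)))
```

The default mode in write_injected is 0600 rather than the command's 0660, because the rendered file holds plaintext credentials and there is rarely a reason for the group to read it; pass the mode explicitly when a shared service user genuinely needs access.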

Depending on your use case, you may want to direct the output of the inject command. You can redirect the output to either a file with the --file flag or the clipboard with the --clip flag.

Flags

-c, --clip
Write the injected template to the clipboard instead of stdout. The clipboard is automatically cleared after 45 seconds.
--file (string)
Write the injected template to a file instead of stdout.
--file-mode
Set the file mode for the written file. Defaults to 0660 (read and write for the owner and the group) and is ignored without the --file flag. Pass a tighter mode such as 0600 when the group should not be able to read the injected secrets.

Support for variables and more expressive syntax is under construction and planned for Q3 2018.