Plug-and-play entrypoint to pass secrets as environment variables to a process.
- How it works
- Using murmur locally
- Including murmur in a Docker image
- Secret providers
- Filters
- Troubleshooting
Murmur must run as your application's entrypoint. This means that instead of running this command to start your application:
/bin/run-my-appRun this instead:
murmur run -- /bin/run-my-appMurmur reads its environment variables, replaces references to secrets with the secrets' values, and passes the resulting variables to your application. Variables that are not references to secrets are passed as is. See Secret providers below for more details.
Environment variable values can also contain filters that transform the secret's value. See Filters below for more details.
Download the murmur binary for your OS and architecture on the
project's releases page and put
the binary in your PATH.
For convenience, the murmur binary is also released as a Docker image. In your application's Dockerfile, simply add the following line:
COPY --from=ghcr.io/busser/murmur:latest /murmur /bin/murmurAnd then change your image's entrypoint:
# from this:
ENTRYPOINT ["/bin/run-my-app"]
# to this:
ENTRYPOINT ["/bin/murmur", "run", "--", "/bin/run-my-app"]See examples/dockerfile for actual code.
Murmur supports fetching secrets from the following providers.
Murmur will fetch secrets from Scaleway Secret Manager for all environment
variables that start with scwsm:. What follows the prefix should reference a
secret.
Here are some examples:
scwsm:secret-saucereferences the latest value of the secret in the default region namedsecret-sauce.scwsm:fr-par/secret-saucereferences the latest value of the secret in thefr-parregion namedsecret-sauce.scwsm:fr-par/3f34b83f-47a6-4344-bcd4-b63721481cd3references the latest value of the secret in thefr-parregion ID'd by3f34b83f-47a6-4344-bcd4-b63721481cd3.scwsm:secret-sauce#123references version123of the secret in the default region namedsecret-sauce.scwsm:fr-par/secret-sauce#123references version123of the secret in thefr-parregion namedsecret-sauce.
The string that comes before # could be a name or an ID. If the string is a
UUID, then murmur assumes it is an ID. Otherwise, it assumes it is a name.
Murmur uses the environment's default credentials to authenticate to Scaleway.
You can configure murmur the same way you can configure the scw CLI.
Murmur will fetch secrets from Azure Key Vault for all environment variables
that start with azkv:. What follows the prefix should reference a secret.
Here are some examples:
azkv:example.vault.azure.net/secret-saucereferences the latest value of thesecret-saucesecret in theexampleKey Vault.azkv:example.vault.azure.net/secret-sauce#5ddc29704c1c4429a4c53605b7949100references a specific version of thesecret-saucesecret in theexampleKey Vault.
Murmur uses the environment's default credentials to authenticate to Azure. You can set these credentials with the environment variables listed here, or with workload identity.
Murmur will fetch secrets from AWS Secrets Manager for all environment
variables that start with awssm:. What follows the prefix should reference a
secret.
Here are some examples:
awssm:secret-saucereferences the current value of thesecret-saucesecret in the region and account defined by the environment.awssm:secret-sauce#9517cc59-646a-4393-81d7-5e6f2d43cbe7references a specific version of thesecret-saucesecret in the region and account defined by the environment.awssm:secret-sauce#my-labelreferences a specific staging label of thesecret-saucesecret in the region and account defined by the environment.awssm:arn:aws:secretsmanager:us-east-1:123456789012:secret:secret-sauce-abcdefreferences the secret with the specified ARN.awssm:arn:aws:secretsmanager:us-east-1:123456789012:secret:secret-sauce-abcdef#my-labelreferences a specific staging label of the secret with the specified ARN.
The string that comes after # could be a version ID or a version label. If the
string is a UUID, then murmur assumes it is a version ID. Otherwise, it assumes
it is a version label.
Murmur uses the environment's default credentials to authenticate to AWS.
Murmur will fetch secrets from Google Cloud Platform's Secret Manager for all
environment variables that start with gcpsm:. What follows the prefix should
reference a secret.
Here are some examples:
gcpsm:example/secret-saucereferences the latest value of thesecret-saucesecret in theexampleproject.gcpsm:example/secret-sauce#123references a specific version of thesecret-saucesecret in theexampleproject.
Murmur uses the environment's default credentials to authenticate to Google
Cloud. You can set these with the gcloud CLI, with environment variables,
with Google Cloud's environment service accounts, or with workload identity.
An alternative to murmur, specific to Google Cloud, is berglas.
Not yet supported.
You mat want to have a look at bank-vaults in the mean time.
The passthrough: prefix is special: it does not fetch secrets from anywhere.
Murmur uses the secret's reference as its value. In effect, this simply removes
the passthrough: prefix from any environment variables.
Murmur supports transforming secrets with the following filters.
Murmur embeds the Kubernetes JSONPath
library. You can use it to extract specific fields from a JSON-encoded secret.
For example, if you have a secret with a value of {"sauce": "szechuan"}, the
jsonpath filter can extract the sauce field's value:
awssm:secret-sauce|jsonpath:{.sauce}
Your application may use flags, like this:
murmur run /bin/run-my-app --port=3000Murmur then picks up the --port flag and returns an error:
Error: unknown flag: --port
Murmur ignores any flags that come after a special -- argument. So simply run
this command instead:
murmur run -- /bin/run-my-app --port=3000Any flags after the -- argument will still be passed to your application.