Teller

Keeper Secrets Manager integration with Teller for dynamic secrets retrieval

Features

  • Retrieve secrets from the Keeper Vault within Teller environments

  • Set secret credentials as environment variables in Teller

For a complete list of Keeper Secrets Manager features see the Overview.

Prerequisites

This page documents the Secrets Manager Teller integration. To use this integration, you will need:

  • Keeper Secrets Manager access (see the Quick Start Guide for more details)

    • Secrets Manager addon enabled for your Keeper account

    • Membership in a Role with the Secrets Manager enforcement policy enabled

  • A Keeper Secrets Manager Application with secrets shared to it

    • See the Quick Start Guide for instructions on creating an Application

  • An initialized Keeper Secrets Manager Configuration

    • The Teller integration accepts Base64 format configurations

Setup

Getting a Secrets Manager configuration

Using Keeper Commander, add a new client to an application and initialize the configuration as a Base64 string. The configuration is the long Base64 value that appears after the "Initialized Config:" label.

    My Vault> sm client add --app MyApp --config-init b64

    Successfully generated Client Device
    ====================================

    Initialized Config: eyJob3N0bmFtZSI6ICJr....OUk1ZTV1V2toRucXRsaWxqUT0ifQ==
    IP Lock: Enabled
    Token Expires On: 2021-10-19 15:31:31
    App Access Expires on: Never

Assign that value to an environment variable named KSM_CONFIG.

Creating a Teller configuration

teller will pull variables from your Keeper Vault, and will populate your current working session so you can work safely and much more productively.

teller needs a tellerfile. This is a .teller.yml file that lives in your repo, or one that you point teller to with teller -c your-conf.yml. Run teller new and follow the wizard, pick the providers you like, and it will generate a .teller.yml for you.

Alternatively, you can use the following minimal template:

    project: project_name
    opts:
      stage: development

    providers:
      # requires a configuration in: KSM_CONFIG=base64_config
      # or file path KSM_CONFIG_FILE=ksm_config.json
      keeper_secretsmanager:
        # [recordUID] below is a placeholder for the UID of a record
        # shared to the application

        # pull multiple key-value pairs from a single record
        # all non-empty fields are mapped by their labels,
        # if empty then by field type, and numeric suffix 1,2,...,N on duplicates
        env_sync:
          path: [recordUID]

        # use Keeper Notation to select individual field values
        # https://docs.keeper.io/secrets-manager/secrets-manage
        env:
          USER:
            path: [recordUID]/field/login
          PSWD:
            path: [recordUID]/field/password

Running from command line

With a .teller.yml file in the current directory, or one that you point teller to with teller -c your-conf.yml, you can now run processes with:

    $ teller run node src/server.js
    Service is up.
    Loaded configuration: Mailgun, SMTP
    Port: 5050

Using a GitHub Action

Add a teller step.

    # set up teller step
    - name: Setup Teller
      uses: spectralops/setup-teller@v2
    - name: Run a Teller task (show, scan, run, etc.)
      run: teller run [args]

The full example below uses the default config file .teller.yml. To use a custom file instead, point teller to it in the run command with teller -c your-conf.yml.

    name: run with teller
    on:
      push:
        branches:
          - master
          - main
      pull_request:

    jobs:
      build:
        name: Build your code
        runs-on: ubuntu-latest

        steps:
          - name: Clone repo
            uses: actions/checkout@master

          # set up teller
          - name: Setup Teller
            uses: spectralops/setup-teller@v2

          - name: Run a Teller task (show, scan, run, etc.)
            run: teller run npm run build
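
A pre-flight check for the configuration described under "Getting a Secrets Manager configuration", meant to run before teller run so that a malformed or loosely protected config fails early without being echoed. This is an added example, not code from Keeper or Teller. The function names, the constructed sample value and the file-permission rule are assumptions of this example; the shape check relies only on the sample config on this page, whose Base64 decodes to a JSON object starting with a "hostname" key.

```shell
#!/bin/sh
# Added example (not Keeper or Teller code): check the Keeper config that
# teller will read, without ever printing the secret itself.

# Constructed sample: Base64 of a JSON object shaped like the page's config.
KSM_SAMPLE=$(printf '%s' '{"hostname": "example.invalid", "clientId": "constructed"}' |
    base64 | tr -d '\n')

# 0 if $1 is Base64 that decodes to a JSON-looking object with a "hostname"
# key. Runs in a subshell ( ... ) so the decoded secret never outlives the call.
ksm_b64_ok() (
    [ -n "${1-}" ] || return 1
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    case $decoded in
        \{*'"hostname"'*\}) return 0 ;;
        *) return 1 ;;
    esac
)

# 0 if the file named by $1 exists and group/other have no permissions on it.
ksm_file_ok() {
    [ -f "${1-}" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Check whichever source is set (KSM_CONFIG first; that order is this
# example's choice) and print only the source name, "env" or "file".
ksm_preflight() {
    if [ -n "${KSM_CONFIG-}" ]; then
        ksm_b64_ok "$KSM_CONFIG" ||
            { echo "KSM_CONFIG is not a Base64-encoded JSON config" >&2; return 1; }
        echo env
    elif [ -n "${KSM_CONFIG_FILE-}" ]; then
        ksm_file_ok "$KSM_CONFIG_FILE" ||
            { echo "KSM_CONFIG_FILE is missing or readable by group/other" >&2; return 1; }
        echo file
    else
        echo "set KSM_CONFIG or KSM_CONFIG_FILE" >&2
        return 1
    fi
}

# Typical use: ksm_preflight >/dev/null && teller run node src/server.js
```

The error messages name the variable at fault but never include its value, so the check is safe to leave enabled in CI logs.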