{"id":31621,"date":"2023-10-26T07:00:00","date_gmt":"2023-10-26T14:00:00","guid":{"rendered":"https:\/\/cloudinary.com\/blog\/?p=31621"},"modified":"2024-06-27T11:12:56","modified_gmt":"2024-06-27T18:12:56","slug":"protecting-cloudinary-credentials-enterprise","status":"publish","type":"post","link":"https:\/\/cloudinary.com\/blog\/protecting-cloudinary-credentials-enterprise","title":{"rendered":"Protecting Cloudinary Credentials in an Enterprise Setting"},"content":{"rendered":"\n

The Challenge<\/h2>\n\n\n\n

For IT and DevOps professionals, securing API credentials is crucial. While production systems often pull Cloudinary API credentials from secret managers, hands-on tasks like setup or maintenance present some challenges:<\/p>\n\n\n\n

    \n
  1. Importing credentials into the shell session.<\/strong> This leaves the API secret in the shell history.<\/li>\n\n\n\n
  2. Using a .env<\/code> file.<\/strong> This risks storing unencrypted credentials on the hard drive.<\/li>\n<\/ol>\n\n\n\n

    So, how can we handle API credentials securely during hands-on work?<\/p>\n\n\n\n

    In this article, we’ll directly pull credentials from the secrets manager into a shell session, minimizing exposure and aligning with cybersecurity best practices. Our sample code is designed for AWS Secrets Manager users with bash<\/code> or zsh<\/code> shells and the aws<\/code> CLI. However, this approach can be adapted for other platforms.<\/p>\n\n\n\n

    Let’s dive into a safer way to manage our API secrets during hands-on tasks.<\/p>\n\n\n\n

    The Solution<\/h2>\n\n\n\n

    In our solution, we’ll utilize a shell script designed to be sourced<\/em> into your active shell session.<\/p>\n\n\n\n

    The distinction of sourcing is essential. By sourcing, the script operates within the current shell environment, allowing direct modification and introduction of environment variables.<\/p>\n\n\n\n

    This method ensures Cloudinary API credentials are integrated into your session without leaving traces in shell history or persisting on the disk. It’s a technique that prioritizes both convenience and security, ensuring sensitive data remains transient and confined to the active session.<\/p>\n\n\n\n

    Storing the Secret<\/h3>\n\n\n\n

    We’ll store the environment variable definitions as new-line separated shell variable definitions with an AWS Secrets Manager.<\/p>\n\n\n

    Note:<\/strong>

    Don\u2019t use quotes around the variable values.<\/p>\n<\/div>\n\n

    ```bash\nCLOUDINARY_ENV_DISPLAY_NAME=SAMPLE ENVIRONMENT\nCLOUDINARY_URL=cloudinary:\/\/***************:**********************@sample-environment\n```<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n
    <\/div>\n\n\n
    Step 1: Store your credentials with AWS Secrets Manager.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Retrieving the Secret<\/h3>\n\n\n\n
    Once authenticated against the AWS account with sufficient permissions to retrieve the secret value, you’ll get this:<\/p>\n\n\n
    ```sh\n> aws secretsmanager get-secret-value \\\n    --secret-id \"cld-credentials\/sample-environment\"<\/span> \\\n    --region \"us-east-2\"<\/span> \\\n    --query SecretString \\\n    --output text\n\nCLOUDINARY_ENV_DISPLAY_NAME=SAMPLE ENVIRONMENT\nCLOUDINARY_URL=cloudinary:\/\/***************:**********************@sample-environment\n```#<\/span><\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n
    <\/div>\n\n\n
    Loading Credential Variables Into the Shell Session<\/h2>\n\n\n\n
    From here you’ll need to process the result line by line and export each variable definition:<\/p>\n\n\n
    # --------------------------------------------------------------------------<\/span>\n# Assumes input to be string in the format \"<VAR_NAME>=<VAR_VALUE>\"<\/span>\n# Exports the variable definition into the current shell session to make it<\/span>\n# available to any child process started from the shell.<\/span>\n# --------------------------------------------------------------------------<\/span>\nexport_variable_from_string<\/span><\/span>() {\n    local<\/span> str=\"$1<\/span>\"<\/span>\n    # Extract the variable name<\/span>\n    local<\/span> var_name=\"${str%%=*}<\/span>\"<\/span>             # Everything before the first '='<\/span>\n    # Extract the value<\/span>\n    local<\/span> var_value=\"${str#*${var_name}<\/span>=}\"<\/span>  # Everything after the first '='<\/span>\n\n    export<\/span> \"${var_name}<\/span>=${var_value}<\/span>\"<\/span>\n\n    if<\/span> [[ $? -ne 0 ]]\n    then<\/span>\n        echo<\/span> \"One of the variables failed to be imported.\"<\/span> >&2\n        echo<\/span> \"It is still recommended to terminate the shell session to dispose of other imported variables.\"<\/span> >&2\n        return<\/span> 1\n    fi<\/span>\n}\n\n# --------------------------------------------------------------------------<\/span>\n# Assumes input to be a multi-line string (secret value retrieved from<\/span>\n# secrets manager).<\/span>\n# Exports variable definition from each line into the shell session.<\/span>\n# --------------------------------------------------------------------------<\/span>\nload_secrets_from_string<\/span><\/span>() {\n    local<\/span> secret_text_value=\"$1<\/span>\"<\/span>\n    local<\/span> IFS=$'\\n'<\/span> #Read line-by-line<\/span>\n    while<\/span> IFS= read<\/span> -r var_definition; do<\/span>\n        export_variable_from_string \"$var_definition<\/span>\"<\/span>\n    done<\/span> <<< \"$secret_text_value<\/span>\"<\/span>\n}<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    Putting It All Together<\/h2>\n\n\n
    #!\/usr\/bin\/env sh\n<\/span>\n#<\/span>\n# \u2757\ufe0fmake sure to paste the above shell functions from the article<\/span>\n#<\/span>\n\nARG_SECRET_ID=\"$1<\/span>\"<\/span>\nARG_SECRET_REGION=\"$2<\/span>\"<\/span>\n\n# Ensure required parameters are set<\/span>\nif<\/span> [ -z \"${ARG_SECRET_ID}<\/span>\"<\/span> ] || [ -z \"${ARG_SECRET_REGION}<\/span>\"<\/span> ]; then<\/span>\n    echo<\/span> \"Error: Missing required parameters.\"<\/span>\n    return<\/span> 1\nfi<\/span>\n\n\n#<\/span>\n# MAIN<\/span>\n#<\/span>\n\nSECRET_VALUE=$( \\\n    aws secretsmanager get-secret-value \\\n    --secret-id \"${ARG_SECRET_ID}<\/span>\"<\/span> \\\n    --region \"${ARG_SECRET_REGION}<\/span>\"<\/span> \\\n    --query SecretString \\\n    --output text \\\n)\n\nload_secrets_from_string \"$SECRET_VALUE<\/span>\"<\/span><\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    How to Use It<\/h2>\n\n\n\n
    Let’s assume you’ve saved the script as a load-cred.sh<\/code> file. Then using it may look like this.<\/p>\n\n\n\n
    Using the load credentials script:<\/p>\n\n\n
    \n
    \"\"<\/figure><\/div>\n\n\n
    Implementation: Tips for Improvements<\/h2>\n\n\n\n
    If you plan to use this solution repeatedly with other team members, you may find the following improvement tips to be useful.<\/p>\n\n\n\n
    Informing Users of the Effect<\/h3>\n\n\n
    # --------------------------------------------------------------------------<\/span>\n# Uses values of previously set variables to update shell prompt (updates PS1<\/span>\n# environment variable)<\/span>\n# <\/span>\n# - Appends environment display name (value of the CLOUDINARY_ENV_DISPLAY_NAME variable)<\/span>\n#   + Green background for \"Sandbox\" environments ($CLOUDINARY_ENV_TYPE == 'sandbox')<\/span>\n#   + Red background otherwise (Production credentials assumed)<\/span>\n# - Appends \"Cloud with lightning\" emoji to the shell prompt<\/span>\n# --------------------------------------------------------------------------<\/span>\nupdate_shell_prompt<\/span><\/span>() {\n    local<\/span> cloud_name=\"$CLOUDINARY_ENV_DISPLAY_NAME<\/span>\"<\/span>\n    if<\/span> [ -z \"$cloud_name<\/span>\"<\/span> ]; then<\/span>\n        cloud_name=\"Cred. label not set\"<\/span>\n    fi<\/span>\n\n    local<\/span> fg_color='37'<\/span> # white<\/span>\n    local<\/span> bg_color='41'<\/span> # red<\/span>\n    if<\/span> [[ \"$CLOUDINARY_ENV_TYPE<\/span>\"<\/span> == *'sandbox'<\/span>* ]]\n    then<\/span>\n        bg_color='42'<\/span> # green<\/span>\n    fi<\/span>\n    local<\/span> color_seq=$'\\e['<\/span>\"${fg_color}<\/span>;${bg_color}<\/span>m\"<\/span>\n    local<\/span> color_reset_seq=$'\\e[0m'<\/span>\n    PS1=\"${PS1:-}<\/span> ${color_seq}<\/span>${cloud_name}<\/span>${color_reset_seq}<\/span> \ud83c\udf29\ufe0f  \"<\/span>\n    export<\/span> PS1\n}\n\n# --------------------------------------------------------------------------<\/span>\n# Informs script user of the changes made to the shell<\/span>\n# --------------------------------------------------------------------------<\/span>\ninform_user<\/span><\/span>() {\n    local<\/span> color_seq=$'\\e[30;43m'<\/span>\n    local<\/span> color_reset_seq=$'\\e[0m'<\/span>\n    echo<\/span> \"\"<\/span>\n    echo<\/span> \"\u2757\ufe0f${color_seq}<\/span>Important${color_reset_seq}<\/span> Credentials loaded from Secrets Manager.\"<\/span>$'\\n'<\/span> \\\n         \"Exit the shell when done to dispose of secrets in environment variables.\"<\/span>$'\\n'<\/span> \\\n         \"Child processes started from this shell will inherit environment variables.\"<\/span>\n    echo<\/span> \"\"<\/span>\n}<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    Removing Interim Variables<\/h3>\n\n\n
    # --------------------------------------------------------------------------<\/span>\n# Unsets (removes) interim variables from the shell session to avoid <\/span>\n# unnecessary copies of the secret info and secret value.<\/span>\n# Use before exiting the script<\/span>\n# --------------------------------------------------------------------------<\/span>\nunset_interim_variables<\/span><\/span>() {\n    unset<\/span> ARG_SECRET_ID\n    unset<\/span> ARG_SECRET_REGION\n    unset<\/span> SECRET_VALUE\n}<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    Enforcing the Script Sourcing<\/h3>\n\n\n
    # --------------------------------------------------------------------------<\/span>\n# Use at the beginning of the script to ensure the script is explicitly<\/span>\n# sourced by the user<\/span>\n# --------------------------------------------------------------------------<\/span>\ninform_must_be_sourced<\/span><\/span>() {\n    echo<\/span> \"The script must be sourced. Use 'source <script> --help' for more information.\"<\/span> >&2\n}\n\nif<\/span> [[ -n \"$BASH_VERSION<\/span>\"<\/span> ]]; then<\/span> \n    if<\/span> [[ \"$0<\/span>\"<\/span> == \"$BASH_SOURCE<\/span>\"<\/span> ]]; then<\/span>\n        # Evaluates to true when script is being directly executed in bash<\/span>\n        inform_must_be_sourced\n        exit<\/span> 1\n    fi<\/span>\nelif<\/span> [[ -n \"$ZSH_VERSION<\/span>\"<\/span> ]]; then<\/span>\n    if<\/span> [[ ! \"$ZSH_EVAL_CONTEXT<\/span>\"<\/span> == *\"toplevel:file\"<\/span>* ]]; then<\/span>\n        # Evaluates to true when script is being directly executed in zsh<\/span>\n        inform_must_be_sourced\n        exit<\/span> 1\n    fi<\/span>\nelse<\/span>\n    echo<\/span> \"Only bash and zsh shells are supported.\"<\/span>\n    exit<\/span> 1\nfi<\/span><\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    Preventing Repeated Import of Credentials<\/h3>\n\n\n
    inform_already_loaded<\/span><\/span>() {\n    echo<\/span> \"Credentials already loaded into this shell session. Exit the shell to dispose of them.\"<\/span> >&2\n}\n\nif<\/span> [ -n \"$__CLD_CREDS_LOADED<\/span>\"<\/span> ]; then<\/span>\n    inform_already_loaded\n    return<\/span> 1\nfi<\/span>\n\n# ... After credentials have been loaded into the session<\/span>\n__CLD_CREDS_LOADED=1\n# ...<\/span><\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    Adding Explicit CLI Arguments<\/h3>\n\n\n
    print_script_usage<\/span><\/span>() {\n    echo<\/span> \"Usage: source cld-cred-from-aws-secret.sh --secret-id <AWS_SECRET_ID> --region <AWS_REGION>\"<\/span>\n    echo<\/span> \"\"<\/span>\n    echo<\/span> \"Description: Retrieves credentials from AWS Secrets Manager and imports them as environment variables\"<\/span> \\\n         \"into the current shell session.\"<\/span>\n    echo<\/span> \"\"<\/span>\n    echo<\/span> \"Options:\"<\/span>\n    echo<\/span> \"  --secret-id    The ID of the AWS secret.\"<\/span>\n    echo<\/span> \"  --region       The AWS region to retrieve the secret from.\"<\/span>\n}\n\n## Print use when no arguments were provided<\/span>\nif<\/span> [ \"$#<\/span>\"<\/span> -eq 0 ]; then<\/span>\n    print_script_usage\n    return<\/span> 0\nfi<\/span>\n\n# Parse commandline arguments<\/span>\nARG_SECRET_ID=\"\"<\/span>\nARG_SECRET_REGION=\"\"<\/span>\n\nwhile<\/span> [ \"$#<\/span>\"<\/span> -gt 0 ]; do<\/span>\n    case<\/span> \"$1<\/span>\"<\/span> in<\/span>\n        --secret-id)\n            ARG_SECRET_ID=\"$2<\/span>\"<\/span>\n            shift<\/span> 2\n            ;;\n        --region)\n            ARG_SECRET_REGION=\"$2<\/span>\"<\/span>\n            shift<\/span> 2\n            ;;\n        --help<\/span>)\n            print_script_usage\n            return<\/span> 0\n            ;;\n        *)\n            echo<\/span> \"Unknown option: $1<\/span>\"<\/span> >&2\n            return<\/span> 1\n            ;;\n    esac<\/span>\ndone<\/span>\n\n# Check if required parameters are set<\/span>\nif<\/span> [ -z \"$ARG_SECRET_ID<\/span>\"<\/span> ] || [ -z \"$ARG_SECRET_REGION<\/span>\"<\/span> ]; then<\/span>\n    echo<\/span> \"Error: Missing required parameters.\"<\/span>\n    print_script_usage\n    return<\/span> 1\nfi<\/span><\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    Miscellaneous<\/h3>\n\n\n\n