README
ΒΆ
π€« sstart: Secure Start for Cloud-Native Secrets
sstart is a minimalist, zero-persistence CLI tool that securely retrieves application secrets from multiple backend sources (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) and injects them as environment variables into any wrapped process.
It is the spiritual successor to the Teller, modernized and rebuilt in Go for fast execution, reliability, and cross-platform simplicity.
π― The Problem sstart Solves
For local development, teams often choose between two bad options:
-
Static .env files: Highly insecure, prone to being committed to Git, and impossible to audit.
-
Custom scripts: Complex, unmaintainable shell scripts that only talk to one vault and are difficult to standardize across projects.
sstart eliminates both. You define all your required secrets from all your sources (e.g., database password from Vault, API key from AWS) in a single, declarative .sstart.yml file.
Features
- π Multiple Secret Providers: Support for AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret Manager, dotenv files, and more
- π Combine Secrets: Merge secrets from multiple providers
- π Subprocess Execution: Automatically inject secrets into subprocesses
- π Secure by Default: Secrets never appear in shell history or logs
- βοΈ YAML Configuration: Easy-to-use configuration file
Installation
go install github.com/dirathea/sstart/cmd/sstart@latest
Quick Start
- Create a
.sstart.ymlconfiguration file:
providers:
- kind: aws_secretsmanager
id: prod
secret_id: myapp/production
keys:
API_KEY: ==
DATABASE_URL: ==
- kind: dotenv
id: dev
path: .env.local
- Run a command with secrets injected:
sstart run -- node index.js
Commands
sstart run
Run a command with injected secrets:
sstart run -- node index.js
sstart run --providers aws-prod,dotenv-dev -- python app.py
Flags:
--providers: Comma-separated list of provider IDs to use (default: all providers)--config, -c: Path to configuration file (default:.sstart.yml)
sstart show
Show collected secrets (masked for security):
sstart show
sstart show --providers aws-prod,dotenv-dev
Flags:
--providers: Comma-separated list of provider IDs to use (default: all providers)
sstart env
Export secrets in environment variable format:
# Shell format
sstart env
# JSON format
sstart env --format json
# YAML format
sstart env --format yaml
# Docker usage
docker run --env-file <(sstart env) alpine sh
# Use specific providers
sstart env --providers aws-prod,dotenv-dev
Flags:
--format: Output format:shell(default),json, oryaml--providers: Comma-separated list of provider IDs to use (default: all providers)
sstart sh
Generate shell commands to export secrets:
eval "$(sstart sh)"
source <(sstart sh)
Flags:
--providers: Comma-separated list of provider IDs to use (default: all providers)
Configuration
See CONFIGURATION.md for complete configuration documentation, including:
- Configuration file structure
- All supported providers and their options
- Authentication methods
- Template variables
- Multiple provider setup
- Key mappings
Examples
Using with Node.js
sstart run -- node index.js
Using with Docker
docker run --rm -it --env-file <(sstart env) node:18-alpine sh
Security
- Secrets are never logged or displayed in full
- Use
inherit: falsein your config to ensure a clean environment (only secrets, no system env vars) - Secrets are injected directly into subprocess environment, never exposed to shell
- Configuration files should be added to
.gitignore
License
Apache-2.0
Directories