Using the Confidant client

Installation

Make a virtualenv and install pip requirements:

virtualenv venv
source venv/bin/activate
pip install confidant-client

Configuration

The client will automatically look in ~/.confidant and /etc/confidant/config, in order for its configuration. The client does not merge the config. If ~/.confidant is found, it will use that and ignore the file in /etc. Config can be specified in either YAML or JSON format. The following configuration is supported, with the listed defaults:

default:
  url: None
  auth_key: None
  auth_context: {}
  token_lifetime: 10
  token_version: 2
  token_cache_file: '/run/confidant/confidant_token'
  assume_role: None
  region: None
  retries: 0
  backoff: 1

The configuration file supports profiles, which let you specify multiple environments in the same file. For instance:

default:
  url: https://confidant-production.example.com
  auth_key: authnz-production
  auth_context:
    from: rlane
    to: confidant-production
    user_type: user
  token_cache_file: '/run/confidant/default_confidant_token'
  region: us-east-1
staging:
  url: https://confidant-staging.example.com
  auth_key: authnz-staging
  auth_context:
    from: rlane
    to: confidant-staging
    user_type: user
  token_cache_file: '/run/confidant/staging_confidant_token'
  region: us-east-1
development:
  url: https://confidant-development.example.com
  auth_key: authnz-development
  auth_context:
    from: rlane
    to: confidant-development
    user_type: user
  token_cache_file: '/run/confidant/staging_confidant_token'
  region: us-east-1

Here’s an example for a client configuration for a service:

default:
  url: https://confidant-production.example.com
  auth_key: authnz-production
  auth_context:
    from: serviceA-production
    to: confidant-production
    user_type: service
  token_cache_file: '/run/confidant/default_confidant_token'
  region: us-east-1

Usage

The confidant client is a collection of subcommands. You can get a full listing of subcommands and client arguments via the help documentation:

confidant --help

You can also get help that’s specific to a particular subcommand:

confidant get_service --help

There’s both global arguments and subcommand specific arguments that can be set. For the most part all global arguments can be set in configuration, rather than being passed in. However, if you’d like to override particular configuration settings from the configuration file, you can override them directly on the CLI. Note that the arguments must be properly ordered: global arguments must be specific before subcommands and subcommand arguments must be specified after the subcommand.

Reformatting get_service output

The confidant client also comes with a reformatter for get_service output, to make the credential pairs easier to directly use. It’s a separate CLI command that can be chained together with the confidant client. For example:

confidant get_service --service serviceA-production | confidant-format --out-format env_export --out /run/confidant/env

By default the formatter’s input and output is stdin and stdout, but it’s possible for the formatter to read in from files and write out to files. For example:

confidant get_service --service serviceA-production > /run/confidant/raw
confidant-format --in /run/confidant/raw --out /run/confidant/env --out-format env_export