Using the Confidant client
Installation
Make a virtualenv and install pip requirements:
    virtualenv venv
    source venv/bin/activate
    pip install confidant-client
Configuration
The client automatically looks for its configuration in ~/.confidant and then /etc/confidant/config, in that order. It does not merge the two: if ~/.confidant is found, the client uses it and ignores the file in /etc. The configuration can be written in either YAML or JSON. The following settings are supported, with the listed defaults:
    default:
      url: None
      auth_key: None
      auth_context: {}
      token_lifetime: 10
      token_version: 2
      token_cache_file: '/run/confidant/confidant_token'
      assume_role: None
      region: None
      retries: 0
      backoff: 1
The configuration file supports profiles, which let you specify multiple environments in the same file. For instance:
    default:
      url: https://confidant-production.example.com
      auth_key: authnz-production
      auth_context:
        from: rlane
        to: confidant-production
        user_type: user
      token_cache_file: '/run/confidant/default_confidant_token'
      region: us-east-1
    staging:
      url: https://confidant-staging.example.com
      auth_key: authnz-staging
      auth_context:
        from: rlane
        to: confidant-staging
        user_type: user
      token_cache_file: '/run/confidant/staging_confidant_token'
      region: us-east-1
    development:
      url: https://confidant-development.example.com
      auth_key: authnz-development
      auth_context:
        from: rlane
        to: confidant-development
        user_type: user
      token_cache_file: '/run/confidant/development_confidant_token'
      region: us-east-1
Here’s an example of a client configuration for a service:
    default:
      url: https://confidant-production.example.com
      auth_key: authnz-production
      auth_context:
        from: serviceA-production
        to: confidant-production
        user_type: service
      token_cache_file: '/run/confidant/default_confidant_token'
      region: us-east-1
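
The lookup order and no-merge rule from this section, as an added Python example that is not part of the Confidant client. It reads the JSON form of the config so it needs only the standard library; the fallback to the listed defaults for unset keys and the three audit checks (non-https url, a token_cache_file shared between profiles, a config file writable by group or others) are assumptions made for illustration, and the sample files are constructed.

```python
import json
import os
import tempfile

# Defaults as listed on this page.
DEFAULTS = {"url": None, "auth_key": None, "auth_context": {},
            "token_lifetime": 10, "token_version": 2,
            "token_cache_file": "/run/confidant/confidant_token",
            "assume_role": None, "region": None, "retries": 0, "backoff": 1}

def pick_config(paths):
    """First existing file wins; later files are ignored, never merged."""
    return next((p for p in paths if os.path.isfile(p)), None)

def load_profiles(path):
    """Parse a JSON config; fill unset keys from DEFAULTS (assumed behaviour)."""
    with open(path) as fh:
        return {name: {**DEFAULTS, **conf} for name, conf in json.load(fh).items()}

def audit(path):
    """Return findings for settings that weaken transport or token handling."""
    findings, owner = [], {}
    for name, conf in load_profiles(path).items():
        if not str(conf["url"]).startswith("https://"):
            findings.append(f"{name}: url is not https")
        cache = conf["token_cache_file"]
        if cache in owner:
            findings.append(f"{name}: token_cache_file shared with {owner[cache]}")
        owner.setdefault(cache, name)
    if os.stat(path).st_mode & 0o022:
        findings.append("config file is writable by group or others")
    return findings

def demo():
    """Constructed sample: a user config shadowing a system-wide one."""
    tmp = tempfile.mkdtemp()
    user, system = os.path.join(tmp, "user.json"), os.path.join(tmp, "etc.json")
    samples = {
        user: {"default": {"url": "https://confidant-production.example.com"},
               "staging": {"url": "http://confidant-staging.example.com"}},
        system: {"default": {"url": "https://confidant-production.example.com",
                             "region": "us-east-1"}},
    }
    for path, content in samples.items():
        with open(path, "w") as fh:
            json.dump(content, fh)
        os.chmod(path, 0o600)
    chosen = pick_config([user, system])
    return chosen == user, load_profiles(chosen)["default"]["region"], audit(chosen)
```

In the sample, the region set in the system-wide file never reaches the client because the user file shadows it entirely, and the staging profile silently inherits the default token cache path because it sets none of its own.
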
Usage
The confidant client is a collection of subcommands. You can get a full listing of subcommands and client arguments via the help documentation:
    confidant --help
You can also get help that’s specific to a particular subcommand:
    confidant get_service --help
There are both global arguments and subcommand-specific arguments. For the most part, all global arguments can be set in the configuration file rather than being passed in. To override a particular setting from the configuration file, pass it directly on the CLI. Note that the arguments must be properly ordered: global arguments must be specified before the subcommand, and subcommand arguments must be specified after it.
Reformatting get_service output
The confidant client also comes with a reformatter for get_service output, to make the credential pairs easier to directly use. It’s a separate CLI command that can be chained together with the confidant client. For example:
    confidant get_service --service serviceA-production | confidant-format --out-format env_export --out /run/confidant/env
By default the formatter’s input and output are stdin and stdout, but the formatter can also read from and write to files. For example:
    confidant get_service --service serviceA-production > /run/confidant/raw
    confidant-format --in /run/confidant/raw --out /run/confidant/env --out-format env_export