Teller: Cloud Native Secrets Management for Developers

Summary
Teller is an open-source, universal secret manager designed for developers, enabling seamless interaction with secrets directly from the command line. It eliminates the need for scattered .env files or hardcoded tokens, integrating with various vaults and cloud services like HashiCorp Vault, AWS Secrets Manager, and Google Secret Manager. This tool streamlines secret workflows, enhances security, and helps fight secret sprawl across development environments.
Introduction
Teller is an open-source, cloud-native secret management tool that empowers developers to handle sensitive information directly from their command line. It acts as a universal interface for various secret providers, including HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and more. By centralizing secret access and management, Teller helps developers maintain clean, secure workflows without ever leaving their terminal. It's built in Rust, offering performance and reliability.
Installation
Getting started with Teller is straightforward. You can either download a pre-built binary or compile it from source.
Download a binary:
Pre-built binaries are available for various platforms.
Build from source:
For those who prefer to build from source, ensuring full transparency and control, run the following from a checkout of the repository:
$ cd teller-cli
$ cargo install --path .
This command will install the Teller binary locally on your machine.
Examples
Teller offers a rich set of features to manage and interact with your secrets.
Create a new configuration:
Initialize a new .teller.yml file to define your secret providers and mappings.
$ teller new
? Select your secret providers ›
⬚ hashicorp_consul
⬚ aws_secretsmanager
⬚ ssm
⬚ dotenv
⬚ hashicorp
⬚ google_secretmanager
Running subprocesses with secrets:
Execute commands with secrets automatically injected as environment variables, avoiding manual exports or .env files.
$ teller run --reset --shell -- node index.js
Inspecting variables:
View the secrets Teller has picked up, with sensitive parts redacted for security.
$ teller show
Populating local shell:
Integrate Teller into your shell configuration, like .zshrc, to dynamically load secrets.
eval "$(teller sh)"
Easy Docker environment:
Streamline Docker container execution by injecting secrets directly, preventing them from appearing in shell history. The <(...) process substitution used here requires a shell that supports it, such as bash or zsh.
$ docker run --rm -it --env-file <(teller env) alpine sh
Scanning for secrets:
Identify hardcoded secrets and secret sprawl within your codebase. This can be integrated into CI/CD pipelines.
$ teller scan
To fail a build if secrets are found:
run: teller scan --error-if-found
Redacting secrets from outputs and files:
Cleanse logs, process outputs, or files by redacting sensitive information.
$ cat some.log | teller redact
$ tail -f /var/log/apache.log | teller redact
$ teller redact --in dirty.csv --out clean.csv
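What redacting a log stream involves, as an added Rust example (not Teller's code): it assumes redaction works by matching known secret values, which the page does not state, and `prepare`, `redact_line`, `MASK` and the sample values are constructed for illustration.

```rust
// Added illustration of value-based log redaction; not Teller's code.
// MASK, prepare, redact_line and all sample values are constructed.
const MASK: &str = "**REDACTED**"; // hypothetical placeholder text

/// Drop values shorter than `min_len` (an empty or tiny "secret" would match
/// everywhere) and sort longest-first, so a secret that contains another
/// secret is masked whole instead of leaking its tail.
fn prepare(secrets: &[&str], min_len: usize) -> Vec<String> {
    let mut v: Vec<String> = secrets
        .iter()
        .filter(|s| s.len() >= min_len)
        .map(|s| String::from(*s))
        .collect();
    v.sort_by(|a, b| b.len().cmp(&a.len()).then(a.cmp(b)));
    v.dedup();
    v
}

/// Single left-to-right pass: at each position mask the longest secret that
/// starts there. Masked output is never rescanned, so the placeholder itself
/// cannot be matched by another secret.
fn redact_line(line: &str, prepared: &[String]) -> String {
    let mut out = String::with_capacity(line.len());
    let mut i = 0;
    while i < line.len() {
        let rest = &line[i..];
        if let Some(s) = prepared.iter().find(|s| rest.starts_with(s.as_str())) {
            out.push_str(MASK);
            i += s.len();
        } else {
            let ch = rest.chars().next().unwrap(); // rest is non-empty here
            out.push(ch);
            i += ch.len_utf8();
        }
    }
    out
}

fn main() {
    // Constructed secrets and log lines.
    let known = prepare(&["s33kret", "s33kret-rotated", ""], 4);
    for line in ["login ok token=s33kret-rotated", "retry with s33kret failed"] {
        println!("{}", redact_line(line, &known));
    }
}
```

Matching shortest-first here would turn the first sample line into a masked prefix followed by a leaked "-rotated" suffix, which is why the ordering matters.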
Populating templates:
Use secrets to populate custom templates, supporting the Tera templating engine.
$ teller template --in config-templ.t
Copying/syncing data between providers:
Synchronize secrets between different providers or mappings.
$ teller copy --from source/dev --to target/prod
Writing and multi-writing to providers:
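Store new secrets or update existing ones in your configured providers. Note that a value passed as a command-line argument, as in this example, is recorded in shell history.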
$ teller put --providers new --map-id one NEW_VAR=s33kret
Deleting and multi-deleting from providers:
Remove secrets from your providers.
$ teller delete --providers new --map-id one DELETE_ME
Exporting secrets:
Export secrets in YAML or JSON format for integration with other tools or workflows.
$ teller export yaml
$ teller export json
Why Use Teller
Teller addresses common challenges in secret management for developers. It centralizes access to secrets from various providers, reducing the risk of hardcoded credentials and .env file proliferation. By providing a unified command-line interface, it simplifies workflows for development, testing, and deployment across different environments. Its scanning and redaction capabilities further enhance security by fighting secret sprawl and preventing sensitive data exposure in logs. Built in Rust, Teller offers a robust and efficient solution for modern cloud-native development.
Links
- GitHub Repository: https://github.com/tellerops/teller
- Releases: https://github.com/tellerops/teller/releases
- Providers Documentation: https://docs.rs/teller-providers/latest/teller_providers/providers/index.html