Re: Secrets in org-babel

2022-09-06 Thread Ihor Radchenko
Felix Dorner writes:

> New org user, fascinated by org-babel, but stumbled over something I have
> no good solution for: I have mostly shell blocks, and very often have to
> retrieve secrets from aws secretsmanager before I can do anything useful,
> e.g. query a database in several places. What I've been doing is to put the
> secret retrieval into a named block and can then inject the secret into
> other blocks with a parameter that calls that block. But then, the secret
> value is also echoed to the messages buffer, which I'd like to avoid? I'd
> also like to avoid repeating the secrets-retrieval code all over the place.
> Thanks for any tips.

:results none or :results silent will not echo the output.
Also, you may find https://www.kpassa.me/posts/literate2/ useful.
Finally, you may put your named secret block inside encrypted heading
via org-crypt (https://orgmode.org/manual/Org-Crypt.html#Org-Crypt).

-- 
Ihor Radchenko,
Org mode contributor,
Learn more about Org mode at https://orgmode.org/.
Support Org development at https://liberapay.com/org-mode,
or support my work at https://liberapay.com/yantar92



Re: Secrets in org-babel

2022-09-05 Thread Greg Minshall
Felix,

my setup is probably too complicated.  and, i don't really know what
"aws secretsmanager" is, or how you interact with it.  but, in case this
helps...

i put ("long-term") secrets in pass

https://www.passwordstore.org/


for "programmatic access" (in particular, for passwords needed by e-mail
sending and retrieving programs), avoiding having to enter my password
every ten minutes (or so), i wrote something called credeface/credepass

https://gitlab.com/minshall/credeface

which uses git's (!) credential cache for this service

https://git-scm.com/docs/git-credential


in your case, you might just use `credeface` to first store, then later
retrieve, whatever secrets you get from "aws secretsmanager".
occasionally (`--timeout`), you should be asked by `credeface` to
refresh that value.


bash archlinux (master): {1315} credeface --username ipsilon --host example.com store
this is that
bash archlinux (master): {1316} credeface --username ipsilon --host example.com get
cannot display secrets on the terminal
bash archlinux (master): {1317} credeface --username ipsilon --host example.com get | cat
this is that


cheers, Greg
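
The store/get pattern from the message above, sketched directly on git's credential cache. This is an added example, not part of the thread and not credeface's code: the function names and `SECRET_TTL` are hypothetical, `protocol=https` is only a namespace for the cache key, and the secret is assumed to be a single line.

```sh
#!/bin/sh
# Added example: keep a secret in git's in-memory credential cache and
# release it only to pipes or command substitutions, never to a terminal.
SECRET_TTL=${SECRET_TTL:-900}   # hypothetical knob: seconds the entry lives

# Run "git credential <action>" with only the cache helper active.
# The empty credential.helper value resets helpers from the user's config;
# the empty GIT_ASKPASS and GIT_TERMINAL_PROMPT=0 stop git from prompting.
_cred() {
    GIT_ASKPASS= GIT_TERMINAL_PROMPT=0 git -c credential.helper= \
        -c credential.helper="cache --timeout=$SECRET_TTL" credential "$1"
}

# secret_store HOST USER: read the secret from stdin, keeping it out of argv.
secret_store() {
    IFS= read -r _pw || [ -n "$_pw" ] || return 1
    printf 'protocol=https\nhost=%s\nusername=%s\npassword=%s\n\n' \
        "$1" "$2" "$_pw" | _cred approve
    unset _pw
}

# secret_get HOST USER: print the cached secret unless stdout is a tty.
# Fails (status 1) when nothing is cached or the entry has expired.
secret_get() {
    if [ -t 1 ]; then
        echo "cannot display secrets on the terminal" >&2
        return 1
    fi
    _out=$(printf 'protocol=https\nhost=%s\nusername=%s\n\n' "$1" "$2" |
        _cred fill 2>/dev/null) || return 1
    printf '%s\n' "$_out" | sed -n 's/^password=//p'
}

# secret_forget HOST USER: drop the entry before the timeout runs out.
secret_forget() {
    printf 'protocol=https\nhost=%s\nusername=%s\n\n' "$1" "$2" | _cred reject
}
```

With these functions sourced, a shell block can take the value with `pw=$(secret_get example.com ipsilon)`, so the secret is used inside the block without being printed as its result.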



Secrets in org-babel

2022-09-05 Thread Felix Dorner
New org user, fascinated by org-babel, but stumbled over something I have
no good solution for: I have mostly shell blocks, and very often have to
retrieve secrets from aws secretsmanager before I can do anything useful,
e.g. query a database in several places. What I've been doing is to put the
secret retrieval into a named block and can then inject the secret into
other blocks with a parameter that calls that block. But then, the secret
value is also echoed to the messages buffer, which I'd like to avoid? I'd
also like to avoid repeating the secrets-retrieval code all over the place.
Thanks for any tips.

Felix



-- 
Linux. The choice of a GNU generation.