Keeps an eye on credentials (secrets, access keys, connection strings etc.), that are spread across numerous config files on your devbox(es). Gives you centralized access to them. Hides (masks) them whenever possible.
Now also omes with a simple UI for Azure Key Vault secrets.
Insert/add, stash/unstash, mask/unmask, resolve
To put a secret under KeeShepherd's control, you can either insert it via KeeShepherd:
, select an existing secret in the text editor and add it to KeeShepherd:
or register it as an environment variable:
Insert operation lets you pick up a secret from Azure Key Vault or directly from an Azure resource (Azure Storage, Azure Service Bus, Azure Cosmos DB etc.).
Add operation will suggest to put the selected value into Azure Key Vault.
Once a secret is added or inserted, KeeShepherd will remember its exact position and proceed with keeping track of it.
Three types of secrets are supported:
It's perfectly fine to mix both supervised and managed secrets in the same config file. A good strategy could be to mark real secrets (access keys, connection strings etc.) as managed (to keep them safe) and leave less important values like user names, application ids etc. as supervised (to make it easy to find them later).
KeeShepherd always tries its best to mask (hide) your secret values whenever possible, so that they never get accidentally exposed during a demo or a video call. You can always mask/unmask them yourself:
A good idea would be to set some keyboard shortcuts of your choice to these mask/unmask commands.
On a fresh new devbox you can also quickly restore all your secrets with
It will collect all
Use secrets as environment variables
To add a secret as an environment variable either use the
Once you have a list of environment variables configured, you can then:
Configure and use secret metadata storage
At first run KeeShepherd will ask you where to store secret's metadata:
Two options are currently supported:
You can always change the storage type later on with
IMPORTANT: KeeShepherd does not store your actual secret values, only links to them and cryptographically strong salted SHA256 hashes of them (plus secret lengths and positions in files). Yet still, even this information might be somewhat useful for a potential attacker, so please make sure that secret metadata never gets leaked.
You can see, navigate to and manage all your secrets via
View, create, remove and use Azure Key Vault secrets
Once signed in into Azure, a
, which shows all accessible secrets in all accessible Key Vaults in all visible subscriptions.
You can add and remove ("soft-delete") secrets, and for each secret you can get its value or insert it as Managed to the current text cursor position.
For most features to work you need to have Azure Account extension installed and be signed in into Azure.
You can configure whether KeeShepherd should automatically stash/unstash secrets in a workspace, when you open/close it:
Automatic stashing/unstashing is the most secure option: your actual secret values will only be present in your config files while you're actually working with a project (aka while a VsCode instance is running).