name: fnox-providers description: 用于配置Fnox提供者进行加密和秘密存储。涵盖age加密、云提供者(AWS、Azure、GCP)和密码管理器。 allowed-tools:
- Read
- Write
- Edit
- Bash
- Grep
- Glob
Fnox - 提供者
在Fnox中配置加密和秘密存储提供者以实现安全的秘密管理。
提供者类型
Fnox支持三类提供者:
- 加密 - 本地加密(age、AWS KMS、Azure、GCP)
- 云存储 - 远程秘密存储(AWS Secrets Manager、Azure Key Vault、GCP Secret Manager、Vault)
- 密码管理器 - 与密码管理器集成(1Password、Bitwarden、Infisical、pass)
age加密(推荐)
设置age提供者
# Generate an age key pair. identity.txt holds the private key: keep it out of the
# repository (fnox.local.toml, which references it, is git-ignored).
age-keygen -o ~/.config/fnox/keys/identity.txt
# Read the public key back from the identity file (the "public key" line is a comment inside it)
grep "public key" ~/.config/fnox/keys/identity.txt
# age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
在fnox.toml中配置age
# fnox.toml (committed): only the recipient public key lives in the committed file
[providers.age]
type = "age"
public_keys = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]
# fnox.local.toml (git-ignored): the identity file contains the private key, so it is
# referenced by path here and never inlined. NOTE(review): "~" is a literal string to
# TOML; home-directory expansion must be done by fnox itself — confirm.
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"
使用age存储秘密
# Store an encrypted secret: fnox prompts for the value and encrypts it with the age public key
fnox set DATABASE_PASSWORD
# Set the value from a command's output instead of the prompt. A literal typed on the
# command line, as in this example, ends up in shell history; pipe the real value from
# a command or use the interactive prompt above.
printf '%s\n' "secret-value" | fnox set API_KEY --provider age
团队设置使用age
# Several recipients for team access: every listed public key can decrypt the stored
# secrets, so keep this list reviewed when people or CI systems leave the team.
[providers.age]
type = "age"
public_keys = [
"age1ql3z...", # Alice
"age1qw4r...", # Bob
"age1qx5t...", # CI/CD
]
AWS Secrets Manager
配置AWS Secrets Manager
# AWS Secrets Manager provider. No credentials belong in this file: they are resolved
# from the AWS credential chain (~/.aws/credentials or environment variables).
providers.aws-sm.type = "aws-sm"
providers.aws-sm.region = "us-east-1"
# Optional: providers.aws-sm.profile = "production"
在AWS中存储秘密
# Reference an AWS secret: fnox stores only the secret *name*; the value stays in Secrets Manager
fnox set DATABASE_URL --provider aws-sm
# Enter: prod/database-url (the AWS secret name)
AWS Secrets Manager配置
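# AWS Secrets Manager references. TOML 1.0 requires an inline table to stay on one
# line, so each record is written on a single line; `value` is the secret name in
# Secrets Manager, not the secret itself.
[secrets]
DATABASE_URL = { provider = "aws-sm", value = "prod/database-url", description = "生产数据库连接字符串" }
API_KEY = { provider = "aws-sm", value = "prod/api-key" }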
AWS KMS加密
配置AWS KMS
# AWS KMS provider for local encryption. key_id is the full key ARN; the account id
# shown is the AWS documentation example, replace it with your own. Callers presumably
# need kms:Encrypt/kms:Decrypt on this key via IAM or the key policy — confirm.
[providers.kms]
type = "aws-kms"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
region = "us-east-1"
使用AWS KMS
# Encrypt a secret with the KMS provider configured as [providers.kms]
fnox set SECRET_KEY --provider kms
Azure Key Vault
配置Azure
# Azure Key Vault provider. vault_url only identifies the vault; authentication comes
# from the Azure CLI login or environment variables, never from credentials in this file.
[providers.azure]
type = "azure-kv"
vault_url = "https://my-vault.vault.azure.net"
# Authenticate via the Azure CLI or environment variables
Azure秘密
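# Azure Key Vault reference. The record is kept on one line because TOML 1.0 does not
# allow an inline table to span lines; `value` is the Key Vault secret name.
[secrets]
DATABASE_PASSWORD = { provider = "azure", value = "database-password", description = "Azure Key Vault秘密名称" }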
GCP Secret Manager
配置GCP
# GCP Secret Manager provider; authentication via gcloud login or a service account
providers.gcp.type = "gcp-sm"
providers.gcp.project_id = "my-project"
GCP秘密
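# GCP Secret Manager reference, written on one line as TOML 1.0 requires for inline
# tables. `versions/latest` resolves to whatever the newest version is at read time;
# consider pinning a version number where reproducible deployments matter.
[secrets]
API_KEY = { provider = "gcp", value = "projects/my-project/secrets/api-key/versions/latest" }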
HashiCorp Vault
配置Vault
# HashiCorp Vault provider. The token is read from the VAULT_TOKEN environment variable
# at run time, so no Vault credential is ever written into this file. Keep `address`
# on https so the token is not sent in the clear.
[providers.vault]
type = "vault"
address = "https://vault.example.com"
token = { env = "VAULT_TOKEN" } # taken from the environment variable
Vault秘密
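# Vault reference on a single line (TOML 1.0 forbids multi-line inline tables).
# The `secret/data/...` form is the KV v2 API path.
[secrets]
DATABASE_URL = { provider = "vault", value = "secret/data/prod/database-url" }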
1Password
配置1Password
# 1Password provider; requires the 1Password CLI (op) to be installed and signed in
providers.onepassword.type = "1password"
1Password引用
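# 1Password references, one record per line as TOML 1.0 requires for inline tables.
# `value` is an op:// URI (vault/item/field); the secret itself stays in 1Password.
[secrets]
API_KEY = { provider = "onepassword", value = "op://Production/API Keys/api-key" }
DATABASE_PASSWORD = { provider = "onepassword", value = "op://Production/Database/password" }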
Bitwarden
配置Bitwarden
# Bitwarden provider; requires the Bitwarden CLI (bw) to be installed and the vault unlocked
[providers.bitwarden]
type = "bitwarden"
# Requires the Bitwarden CLI (bw) installed and unlocked
Bitwarden秘密
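# Bitwarden reference on a single line (TOML 1.0 forbids multi-line inline tables).
# `value` is item-id/field-name inside the Bitwarden vault.
[secrets]
STRIPE_KEY = { provider = "bitwarden", value = "item-id/field-name" }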
提供者测试
测试提供者配置
# Test a specific provider (checks the provider can be reached with the current credentials)
fnox provider test age
fnox provider test aws-sm
# List configured providers
fnox provider list
# Add a provider interactively
fnox provider add
# Remove a provider
fnox provider remove age
最佳实践
选择合适的提供者
# Development: age (simple, local encryption; only public keys are committed)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Production: a cloud secrets manager, authenticated through the cloud credential chain
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Team collaboration: 1Password or Bitwarden
[providers.onepassword]
type = "1password"
使用多个提供者
# Different secrets can use different providers
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
[secrets]
# Development secrets use age; "age[...]" stands for the ciphertext fnox writes
DEV_API_KEY = { provider = "age", value = "age[...]" }
# Production secrets use AWS; the value is the Secrets Manager name, not the secret
PROD_DATABASE_URL = { provider = "aws-sm", value = "prod/db-url" }
提供者别名
# Give providers descriptive names; two providers of the same type can differ in region
# (and presumably in the credentials the environment supplies — confirm)
[providers.prod-secrets]
type = "aws-sm"
region = "us-east-1"
[providers.staging-secrets]
type = "aws-sm"
region = "us-west-2"
[secrets]
DATABASE_URL = { provider = "prod-secrets", value = "prod/db" }
常见模式
从开发到生产迁移
# fnox.toml (development): age-encrypted ciphertext lives in the file
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
[secrets]
DATABASE_URL = { provider = "age", value = "age[...]" }
# fnox.production.toml: a separate file, same secret name, AWS-backed value
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
[secrets]
DATABASE_URL = { provider = "aws-sm", value = "prod/database-url" }
多区域设置
# One aws-sm provider per region, each referenced by name from [secrets]
providers.us-secrets.type = "aws-sm"
providers.us-secrets.region = "us-east-1"
providers.eu-secrets.type = "aws-sm"
providers.eu-secrets.region = "eu-west-1"
secrets.US_API_ENDPOINT = { provider = "us-secrets", value = "us/api-endpoint" }
secrets.EU_API_ENDPOINT = { provider = "eu-secrets", value = "eu/api-endpoint" }
混合方法
# Development secrets: age encryption
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Shared team secrets: 1Password
[providers.team]
type = "1password"
# Production secrets: AWS
[providers.prod]
type = "aws-sm"
region = "us-east-1"
[secrets]
DEV_DATABASE_URL = { provider = "age", value = "age[...]" }
TEAM_SLACK_WEBHOOK = { provider = "team", value = "op://Team/Slack/webhook" }
PROD_DATABASE_URL = { provider = "prod", value = "prod/db-url" }
反模式
不要硬编码凭证
# Wrong: hard-coded credentials. A key that reaches version control must be treated as
# exposed and rotated; the value below is the AWS documentation example key.
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
access_key_id = "AKIAIOSFODNN7EXAMPLE" # never do this
secret_access_key = "wJalrXUtnFEMI/..." # never do this
# Right: rely on the AWS credential chain
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Credentials come from ~/.aws/credentials or environment variables
不要不必要地混合提供者类型
# Wrong: too many providers for a simple project (each one is another credential set to manage)
[providers.age]
type = "age"
[providers.aws-sm]
type = "aws-sm"
[providers.azure]
type = "azure-kv"
[providers.gcp]
type = "gcp-sm"
# Right: pick one provider that fits
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
不要共享私钥
# Wrong: the private key inline in the config
[providers.age]
identity = "AGE-SECRET-KEY-..." # never commit this
# Right: reference an external file that is git-ignored
[providers.age]
identity = "~/.config/fnox/keys/identity.txt" # git-ignored
提供者特定功能
age:多个接收者
# Multiple recipients: each listed public key can decrypt the stored secrets
[providers.age]
type = "age"
public_keys = [
"age1ql3z...", # team member 1
"age1qw4r...", # team member 2
"age1qx5t...", # CI/CD system
]
AWS:跨账户访问
# Cross-account access: secrets are read through the named role (the account id is the
# AWS documentation example). Keep that role's policy scoped to the secrets actually needed.
[providers.shared-secrets]
type = "aws-sm"
region = "us-east-1"
role_arn = "arn:aws:iam::123456789012:role/CrossAccountSecretsRole"
Vault:命名空间支持
# Vault with namespace support; the token still comes from the environment, not the file
[providers.vault-prod]
type = "vault"
address = "https://vault.example.com"
namespace = "production"
token = { env = "VAULT_TOKEN" }
相关技能
- 配置:管理fnox.toml结构和秘密
- 安全最佳实践:提供者的安全指南