iagctl create secret

Create a new secret.

The iagctl create secret command stores sensitive information in the gateway. The gateway currently uses secrets for private repository SSH keys.

The gateway’s secrets manager encrypts each secret with the key in the encryption key file and stores only the ciphertext in its database. The same key file is required both to encrypt a secret and to decrypt it later, so every gateway, client, and runner that must read a secret needs a copy of that file. If you lose the encryption key file, you can’t recover any stored secrets.

For more information, see Create IAG secret store.

Syntax

$ iagctl create secret <secret-name> --value <string-or-file> [flags]

Set up secret encryption

Before you create secrets, you need to generate an encryption key file and configure the gateway to use it.

Generate an encryption key file

Generate a strong, random encryption key. The following method is one option (256 random bytes, base64-encoded):

$ openssl rand -base64 256 > /Users/gatewayuser/.gateway.d/gateway_secret.key

Restrict the file permissions so that only the owner can read the key:

$ chmod 400 /Users/gatewayuser/.gateway.d/gateway_secret.key

Create the file as the user the gateway runs as, and keep a backup of it in a separate, access-controlled location: without this file, stored secrets cannot be recovered.

Configure the gateway to use the encryption key file

You can provide the encryption key file location to the gateway in two ways:

  • Command line flag: Use the --encryption-file flag with iagctl create secret and iagctl describe secret. This approach works well for initial setup.

  • Configuration variable: For permanent access, set the encryption key file location using the GATEWAY_SECRETS_ENCRYPT_KEY_FILE environment variable or your gateway configuration file. The gateway needs permanent access to the encryption key file to run services that require stored secrets. In the configuration file, the setting lives in the [secrets] section:

[secrets]
encrypt_key_file = /Users/gatewayuser/.gateway.d/gateway_secret.key
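The steps above (generate the key, restrict its permissions, point the gateway at it) are one procedure, so the following shell script carries them through end to end. It is an added example, not part of the iagctl documentation or the gateway project; it assumes only a POSIX shell, openssl, and the [secrets] configuration format shown above, and the gateway configuration file path used in the demo at the bottom is an assumption. It goes beyond the page in two ways a practitioner would want: it refuses to overwrite an existing key file (replacing the key would make every secret already stored unrecoverable), and it creates the file under umask 077 so the key is never readable by other users, even in the moment between creation and the separate chmod.

```shell
#!/bin/sh
# Added example, not from the iagctl documentation. Sets up the gateway
# secret encryption key file and the [secrets] config section.

# gen_secret_key KEYFILE
# Writes 256 random bytes (base64, as on the page) to KEYFILE with mode 0400.
# Refuses to overwrite an existing key: doing so would orphan every secret
# the gateway has already encrypted with the old key.
gen_secret_key() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key file: $keyfile" >&2
        return 1
    fi
    mkdir -p "$(dirname "$keyfile")" || return 1
    # umask 077 makes the file 0600 from the instant it exists, so there is no
    # window where it is world-readable under the usual 022 default.
    (
        umask 077
        openssl rand -base64 256 > "$keyfile"
    ) || return 1
    chmod 400 "$keyfile" || return 1
    # Verify the result: exactly 256 bytes after base64 decoding, mode 0400.
    nbytes=$(openssl base64 -d < "$keyfile" | wc -c | tr -d ' ')
    if [ "$nbytes" -ne 256 ]; then
        echo "key file does not contain 256 random bytes" >&2
        return 1
    fi
    if [ -z "$(find "$keyfile" -perm 400 -print)" ]; then
        echo "key file mode is not 0400" >&2
        return 1
    fi
    return 0
}

# write_secrets_config CONFIGFILE KEYFILE
# Appends the [secrets] section from the page to the gateway config file.
# Refuses to touch a file that already has a [secrets] section; edit that
# by hand rather than ending up with two competing key paths.
write_secrets_config() {
    configfile=$1
    keyfile=$2
    if [ -f "$configfile" ] && grep -q '^\[secrets\]' "$configfile"; then
        echo "$configfile already has a [secrets] section; edit it manually" >&2
        return 1
    fi
    {
        printf '[secrets]\n'
        printf 'encrypt_key_file = %s\n' "$keyfile"
    } >> "$configfile"
}

# configured_key_file CONFIGFILE
# Prints the key path the config currently points at (empty if unset),
# useful for checking the gateway will find the same file you generated.
configured_key_file() {
    sed -n 's/^encrypt_key_file[[:space:]]*=[[:space:]]*//p' "$1"
}

# Usage: IAG_SETUP=1 sh setup_secrets.sh
# The guard keeps the functions safe to source; the iagctl call at the end
# needs a real gateway installation.
if [ "${IAG_SETUP:-0}" = 1 ]; then
    KEY=/Users/gatewayuser/.gateway.d/gateway_secret.key
    CFG=/Users/gatewayuser/.gateway.d/gateway.conf   # assumed config path
    gen_secret_key "$KEY"
    write_secrets_config "$CFG" "$KEY"
    # The same location can also be given through the environment variable.
    export GATEWAY_SECRETS_ENCRYPT_KEY_FILE="$KEY"
    # Store the SSH key from a file (@ prefix) rather than as a literal so it
    # never lands in shell history or `ps` output.
    iagctl create secret git-key --value @/Users/gatewayuser/.ssh/gateway_git_rsa
fi
```

Run the functions against a temporary directory first if you want to see the refusal paths (second call on the same key path, second [secrets] section) before using them on the real gateway host.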

Examples

Create a secret with the encryption file flag

The following example creates a secret called my-secret and encrypts the literal text sensitive data using the file specified by --encryption-file. A literal value passed on the command line is recorded in shell history and visible in process listings while the command runs, so for real secrets prefer reading the value from a file with the @ prefix shown further down:

$ iagctl create secret my-secret \
> --value "sensitive data" \
> --encryption-file /Users/gatewayuser/.gateway.d/gateway_secret.key

Create a secret with the encryption file configuration variable

The following example creates a secret called my-secret and encrypts the literal text sensitive data. This command assumes you’ve already set the GATEWAY_SECRETS_ENCRYPT_KEY_FILE configuration variable:

$ iagctl create secret my-secret \
> --value "sensitive data"

Create a secret from a file

The following example creates a secret called git-key and encrypts the contents of the file /Users/gatewayuser/.ssh/gateway_git_rsa using the @ prefix syntax. This command assumes you’ve already set the GATEWAY_SECRETS_ENCRYPT_KEY_FILE configuration variable:

$ iagctl create secret git-key \
> --value @/Users/gatewayuser/.ssh/gateway_git_rsa

Options

  --description string      A brief description of the secret
  --encryption-file string  The file to use for encrypting the secret. Clients and runners need this file for decryption.
  -h, --help                Help for secret
  --tag stringArray         Metadata tags to associate with the secret
  --value string            The secret value to encrypt. Prefix with '@' to read from a file.

Options inherited from parent commands

  --profile string  Specify the client profile to use (case-insensitive, defaults to [client] section)
  --config string   Path to the configuration file
  --raw             Display the result of the command in raw format
  --verbose         Enable verbose output