iagctl create secret

Create a new secret.

The iagctl create secret command stores sensitive information in the gateway. The gateway currently uses secrets for private repository SSH keys.

The gateway’s secrets manager uses asymmetric encryption and stores only the encrypted value in the database. You must use a unique encryption key file to encrypt and decrypt secrets. If you lose the encryption key file, you can’t recover any stored secrets.

For more information, see Create IAG secret store.

Syntax

$ iagctl create secret <secret-name> --value <string-or-file> [flags]

Set up secret encryption

Before you create secrets, you need to generate an encryption key file and configure the gateway to use it.

Generate an encryption key file

Generate a robust, random encryption key. The following method is one option:

$ openssl rand -base64 256 > /Users/gatewayuser/.gateway.d/gateway_secret.key

For improved security, restrict the file permissions:

$ chmod 400 /Users/gatewayuser/.gateway.d/gateway_secret.key

Configure the gateway to use the encryption key file

You can provide the encryption key file location to the gateway in two ways:

  • Command line flag: Use the --encryption-file flag with iagctl create secret and iagctl describe secret. This approach works well for initial setup.

  • Configuration variable: For permanent access, set the encryption key file location using the GATEWAY_SECRETS_ENCRYPT_KEY_FILE environment variable or your gateway configuration file. The gateway needs permanent access to the encryption key file to run services that require stored secrets.

[secrets]
encrypt_key_file = /Users/gatewayuser/.gateway.d/gateway_secret.key
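The setup steps above leave a short window between writing the key file and restricting its permissions, and a second run would silently overwrite a key that existing secrets depend on. The following script is an added example, not part of the iagctl documentation or product: it creates the key owner-only from the first byte, refuses to overwrite an existing key, and checks the file before exporting GATEWAY_SECRETS_ENCRYPT_KEY_FILE. The key path is a placeholder and iagctl itself is not invoked.

```shell
#!/bin/sh
# Added example (not iagctl's own code). Assumes a POSIX shell, openssl or
# /dev/urandom, and a placeholder key path passed by the caller.

# Create the key file without ever exposing it with loose permissions.
# Refuses to overwrite: losing the key means losing every stored secret.
create_secret_key() {
    key_file="$1"
    if [ -e "$key_file" ]; then
        echo "refusing to overwrite existing key: $key_file" >&2
        return 1
    fi
    mkdir -p "$(dirname "$key_file")"
    # umask 077 makes the file owner-only at creation, so there is no
    # window in which another local user could read it before chmod.
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 256 > "$key_file"
        else
            head -c 256 /dev/urandom | base64 > "$key_file"
        fi
    ) || return 1
    chmod 400 "$key_file"
}

# Check that a key file is usable: a non-empty regular file, readable by
# its owner only. Returns 0 on success, 1 otherwise.
check_secret_key() {
    key_file="$1"
    [ -f "$key_file" ] && [ -s "$key_file" ] || return 1
    mode=$(ls -l "$key_file" | cut -c1-10)
    [ "$mode" = "-r--------" ] || return 1
}

# Export the configuration variable only after the key passes the check,
# so the gateway never starts with a missing or world-readable key.
configure_gateway_key() {
    key_file="$1"
    check_secret_key "$key_file" || return 1
    GATEWAY_SECRETS_ENCRYPT_KEY_FILE="$key_file"
    export GATEWAY_SECRETS_ENCRYPT_KEY_FILE
}
```

Run `configure_gateway_key /path/to/gateway_secret.key` in the shell that starts the gateway or iagctl; a failing check means the key is absent, empty, or too widely readable.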

Examples

Create a secret with the encryption file flag

The following example creates a secret called my-secret and encrypts the literal text sensitive data using the file specified by --encryption-file:

$ iagctl create secret my-secret \
> --value "sensitive data" \
> --encryption-file /Users/gatewayuser/.gateway.d/gateway_secret.key

Create a secret with the encryption file configuration variable

The following example creates a secret called my-secret and encrypts the literal text sensitive data. This command assumes you’ve already set the GATEWAY_SECRETS_ENCRYPT_KEY_FILE configuration variable:

$ iagctl create secret my-secret \
> --value "sensitive data"

Create a secret from a file

The following example creates a secret called git-key and encrypts the contents of the file /Users/gatewayuser/.ssh/gateway_git_rsa using the @ prefix syntax. This command assumes you’ve already set the GATEWAY_SECRETS_ENCRYPT_KEY_FILE configuration variable:

$ iagctl create secret git-key \
> --value @/Users/gatewayuser/.ssh/gateway_git_rsa

Options

--description string       A brief description of the secret
--encryption-file string   The file to use for encrypting the secret. Clients and runners need this file for decryption.
-h, --help                 Help for secret
--tag stringArray          Metadata tags to associate with the secret
--value string             The secret value to encrypt. Prefix with '@' to read from a file.

Options inherited from parent commands

--config string   Path to the configuration file
--raw             Display the result of the command in raw format
--verbose         Enable verbose output