create secret

iagctl create secret

Create a new secret

Synopsis

This command allows for the storage of sensitive information within gateway. Currently, the only secrets that gateway utilizes are private repository ssh keys.

The gateway secrets manager leverages asymmetrical encryption which only keeps the encrypted secret stored within the database. It is important to understand that a unique encryption file must be used to encrypt/decrypt any secrets. If the secrets encryption file is lost, there is no way to recover any stored secrets.

Generating an Encryption Key File

First, you will need to generate a robust, random encryption key. The method shown below is one such option.

>_ openssl rand -base64 256 > /Users/gatewayuser/.gateway.d/gateway_secret.key

For improved security, also run:

>_ chmod 400 /somedir/my_private.key

Point the Gateway to the Encryption Key File

Once the file is created, you can let gateway know of its location in two ways:

• Command Line
• Config Variables

Command Line

When initially setting up secrets within gateway using iagctl create secret and iagctl describe secret, use the --encryption-file flag.

Configuration Variables

The --encryption-file flag should only be used when first setting up secrets. The gateway will need to permanently know of the encryption file to run services that require stored secrets. You can permanently set the configuration variable for encryption keys as you would for all other configuration options -- by setting an environment variable (GATEWAY_SECRETS_ENCRYPT_KEY_FILE) or via your gateway configuration file.

[secrets]
encrypt_key_file = /Users/gatewayuser/.gateway.d/gateway_secret.key

iagctl create secret <secret-name> --value <string-or-file> [flags]

Examples

Create Secret via Encryption File Flag

Creates a secret called my-secret that encrypts the literal text sensitive data. Tells gateway to encrypt the secret using the file referenced by --encryption-file.

>_ iagctl create secret my-secret \
--value "sensitive data" \
--encryption-file /Users/gatewayuser/.gateway.d/gateway_secret.key

Create Secret via Encryption File Configuration Var

Creates a secret called my-secret that encrypts the literal text sensitive data. This command assumes that you have previously set the configuration variable GATEWAY_SECRETS_ENCRYPT_KEY_FILE.

>_ iagctl create secret my-secret \
--value "sensitive data"

Create Secret from A File via Encryption File Configuration Var

Creates a secret called git-key that encrypts the file /Users/gatewayuser/.ssh/gateway_git_rsa via the @ symbol syntax. This command assumes that you have previously set the configuration variable GATEWAY_SECRETS_ENCRYPT_KEY_FILE.

>_ iagctl create secret git-key \
--value @/Users/gatewayuser/.ssh/gateway_git_rsa

Options

--description string       A brief description of the service
--encryption-file string   The file to use for the encryption of the secret. This secret will be stored in the gateway server encrypted and clients and runners will need the encryption file for decryption
-h, --help                 Help for secret
--tag stringArray          Metadata tags to associate with the service
--value string             The secret value that will be created

Options Inherited from Parent Commands

  --config string   Path to the configuration file
  --raw             Displays the result of the command in its raw format
  --verbose         Enable verbose output

CLI References

See related create commands:

• create
• create decorator
• create repository
• create service
• create service ansible playbook
• create service opentofu plan
• create service python script
• create user

For all CLI commands see → Command References Index