create secret
Updated on 29 Oct 2024
iagctl create secret
Create a new secret
Synopsis
This command stores sensitive information within gateway. Currently, the only secrets that gateway utilizes are private repository SSH keys.
The gateway secrets manager leverages asymmetrical encryption and keeps only the encrypted secret in the database. It is important to understand that a unique encryption file must be used to encrypt and decrypt any secrets. If the secrets encryption file is lost, there is no way to recover any stored secrets.
Generating an Encryption Key File
First, you will need to generate a robust, random encryption key. The method shown below is one such option.
>_ openssl rand -base64 256 > /Users/gatewayuser/.gateway.d/gateway_secret.key
For improved security, also restrict the key file so that only its owner can read it:
>_ chmod 400 /Users/gatewayuser/.gateway.d/gateway_secret.key
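The key-generation steps above as a reusable script, added here as an example and not part of the product documentation: it sets a restrictive umask before the file is created, refuses to overwrite an existing key (replacing it would leave stored secrets unrecoverable), and verifies the resulting mode. The function names are hypothetical; only `openssl rand -base64 256` and `chmod 400` come from the page.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of iagctl.

# generate_key_file PATH
# Creates the encryption key file with owner-only permissions from the start.
generate_key_file() {
    key_path="$1"
    # Never replace an existing key: secrets encrypted with it become unrecoverable.
    if [ -e "$key_path" ]; then
        echo "refusing to overwrite existing key file: $key_path" >&2
        return 1
    fi
    (
        umask 077    # new directory is 0700, new file 0600: no window of wider access
        set -C       # noclobber: the redirect fails if the file appeared meanwhile
        mkdir -p "$(dirname "$key_path")" &&
            openssl rand -base64 256 > "$key_path"
    ) || return 1
    chmod 400 "$key_path"
}

# check_key_file PATH
# Succeeds only if the key file is non-empty and its mode is exactly 400.
check_key_file() {
    key_path="$1"
    [ -s "$key_path" ] || { echo "missing or empty: $key_path" >&2; return 1; }
    [ -n "$(find "$key_path" -prune -perm 400)" ] ||
        { echo "mode is not 400: $key_path" >&2; return 1; }
}

# key_fingerprint PATH
# Prints the SHA-256 of the key file so an offline backup copy can be compared later.
key_fingerprint() {
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
}

# Usage (path taken from the page's examples):
#   generate_key_file /Users/gatewayuser/.gateway.d/gateway_secret.key &&
#   check_key_file    /Users/gatewayuser/.gateway.d/gateway_secret.key
```

Running `check_key_file` again before starting services catches a key file whose permissions were loosened after creation.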
Point the Gateway to the Encryption Key File
Once the file is created, you can let gateway know of its location in two ways:
- Command Line
- Config Variables
Command Line
When initially setting up secrets within gateway using iagctl create secret and iagctl describe secret, use the --encryption-file flag.
Configuration Variables
The --encryption-file flag should only be used when first setting up secrets. To run services that require stored secrets, the gateway needs a permanent reference to the encryption file. You can permanently set the configuration variable for encryption keys as you would for all other configuration options: by setting an environment variable (GATEWAY_SECRETS_ENCRYPT_KEY_FILE) or via your gateway configuration file.
[secrets]
encrypt_key_file = /Users/gatewayuser/.gateway.d/gateway_secret.key
iagctl create secret <secret-name> --value <string-or-file> [flags]
Examples
Create Secret via Encryption File Flag
Creates a secret called my-secret that encrypts the literal text sensitive data. Tells gateway to encrypt the secret using the file referenced by --encryption-file.
>_ iagctl create secret my-secret \
--value "sensitive data" \
--encryption-file /Users/gatewayuser/.gateway.d/gateway_secret.key
Create Secret via Encryption File Configuration Var
Creates a secret called my-secret that encrypts the literal text sensitive data. This command assumes that you have previously set the configuration variable GATEWAY_SECRETS_ENCRYPT_KEY_FILE.
>_ iagctl create secret my-secret \
--value "sensitive data"
Create Secret from A File via Encryption File Configuration Var
Creates a secret called git-key that encrypts the file /Users/gatewayuser/.ssh/gateway_git_rsa via the @ symbol syntax. This command assumes that you have previously set the configuration variable GATEWAY_SECRETS_ENCRYPT_KEY_FILE.
>_ iagctl create secret git-key \
--value @/Users/gatewayuser/.ssh/gateway_git_rsa
Options
--description string A brief description of the service
--encryption-file string The file to use for the encryption of the secret. This secret will be stored in the gateway server encrypted and clients and runners will need the encryption file for decryption
-h, --help Help for secret
--tag stringArray Metadata tags to associate with the service
--value string The secret value that will be created
Options Inherited from Parent Commands
--config string Path to the configuration file
--raw Displays the result of the command in its raw format
--verbose Enable verbose output
CLI References
See related create commands:
- create
- create decorator
- create repository
- create service
- create service ansible playbook
- create service opentofu plan
- create service python script
- create user
For all CLI commands see → Command References Index