iagctl create secret
Create a new secret.
The iagctl create secret command stores sensitive information in the gateway. The gateway currently uses secrets for private repository SSH keys.
The gateway’s secrets manager uses asymmetric encryption and stores only the encrypted value in the database. You must use a unique encryption key file to encrypt and decrypt secrets. If you lose the encryption key file, you can’t recover any stored secrets.
For more information, see Create Gateway secret store.
The iagctl create secret command supports two storage modes:
- Local secrets — the value is encrypted at rest using a key file you control. Use this mode for SSH keys, PyPI/Ansible Galaxy credentials, and other values managed directly by Itential Gateway.
- External secret aliases — the value is never stored locally. Itential Gateway records a reference to a secret in an external provider and fetches the plaintext at execution time. Use
--provider,--secret, and optionally--keyto create an alias.
For more information, see External secrets overview.
Syntax
Set up secret encryption
Before you create local secrets, you need to generate an encryption key file and configure the gateway to use it.
Generate an encryption key file
Generate a robust, random encryption key. The following method is one option:
For improved security, restrict the file permissions:
Configure the gateway to use the encryption key file
You can provide the encryption key file location to the gateway in two ways:
-
Command line flag: Use the
--encryption-fileflag withiagctl create secretandiagctl describe secret. This approach works well for initial setup. -
Configuration variable: For permanent access, set the encryption key file location using the
GATEWAY_SECRETS_ENCRYPT_KEY_FILEenvironment variable or your gateway configuration file. The gateway needs permanent access to the encryption key file to run services that require stored secrets.
If the key file is lost, local secrets cannot be recovered.
Examples
Create a local secret with the encryption file flag
The following example creates a secret called my-secret and encrypts the literal text sensitive data using the file specified by --encryption-file:
Create a local secret with the encryption file configuration variable
The following example creates a secret called my-secret and encrypts the literal text sensitive data. This command assumes you’ve already set the GATEWAY_SECRETS_ENCRYPT_KEY_FILE configuration variable:
Create a local secret from a file
The following example creates a secret called git-key and encrypts the contents of the file /Users/gatewayuser/.ssh/gateway_git_rsa using the @ prefix syntax. This command assumes you’ve already set the GATEWAY_SECRETS_ENCRYPT_KEY_FILE configuration variable:
Create an external secret alias (Vault)
The following example creates an alias called iosxr-vault that retrieves the iosxrpass field from the inv_secrets secret in the vault-prod provider. The value is fetched from Vault at execution time — nothing is stored locally:
Create an external secret alias (Vault, full secret as JSON)
Omit --key to return the full secret data map as a JSON string at execution time:
Create an external secret alias (CyberArk)
For CyberArk providers, the --secret value is SafeName/ObjectName:
Create an external secret alias (CyberArk, with field extraction)
When the CyberArk object value is a JSON map, use --key to extract a specific field: