iagctl create secret-provider

Gateway 5.5+

Create a named secret provider configuration in Itential Gateway.

A secret provider stores the connection and authentication settings for an external secrets manager. Once created, you can reference a provider when creating secret aliases using iagctl create secret --provider <name>.

For more information, see External secrets overview.

Syntax

$ iagctl create secret-provider <name> --type <provider-type> [flags]

Provider types

Type       Description
vault      HashiCorp Vault KV Secrets Engine v2. Supports token authentication and AppRole authentication.
cyberark   CyberArk Central Credential Provider (CCP) with mutual TLS client certificate authentication.
plugin     Custom subprocess-based provider. Use this type to connect to any secrets manager not covered by the bundled providers.

Examples

Create a Vault provider with AppRole authentication

$ iagctl create secret-provider prod-vault \
> --type vault \
> --url https://vault.example.com:8200 \
> --auth-method approle \
> --role-id <role-id-uuid> \
> --secret-id-file /etc/gateway/secret_id \
> --secrets-endpoint itential/data

Create a Vault provider with token authentication

$ iagctl create secret-provider dev-vault \
> --type vault \
> --url https://vault.dev.example.com:8200 \
> --auth-method token \
> --token /etc/gateway/vault_token \
> --secrets-endpoint itential/data

Create a CyberArk CCP provider

$ iagctl create secret-provider cyberark-prod \
> --type cyberark \
> --url https://cyberark.company.com/AIMWebService \
> --app-id Itential-Gateway \
> --cert-file /etc/pki/cyberark/cert.pem \
> --key-file /etc/pki/cyberark/key.pem \
> --ca /etc/pki/cyberark/ca.pem

Create a plugin provider

$ iagctl create secret-provider my-plugin \
> --type plugin \
> --command /opt/itential/plugins/secrets-plugin \
> --env VAULT_ADDR=https://vault.example.com:8200 \
> --env VAULT_SECRETS_ENDPOINT=itential/data \
> --env VAULT_TOKEN_FILE=/etc/gateway/vault_token

Options

--type string      The provider type: vault, cyberark, or plugin (required)
-h, --help         Help for secret-provider

Vault options

Never pass credentials as command-line values. Store tokens and key files on disk and reference them by file path.

--url string               Vault server URL
--auth-method string       Authentication method: token or approle
--token string             Path to the Vault token file (token auth)
--role-id string           AppRole role ID value (approle auth)
--secret-id string         AppRole secret ID inline value (approle auth)
--secret-id-file string    Path to the AppRole secret ID file (approle auth, preferred)
--secrets-endpoint string  Mount path for the Vault KV v2 secrets engine (e.g. itential/data). This path is prepended automatically to the --secret value when creating a secret alias against this provider.
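The file-path guidance above, as an added preflight script that is not part of iagctl or Itential Gateway: before running the create command, it checks that a credential file referenced by --token or --secret-id-file is a non-empty regular file with no group or other permission bits, and that no inline --secret-id value appears in the argument list. The function names and the temporary file in the usage are constructed for this example.

```shell
#!/bin/sh
# Constructed helpers (not iagctl code) for pre-checking a secret-provider invocation.

# check_credential_file FILE
# Returns 0 only if FILE is a non-empty regular file whose mode has no
# group/other bits set (600, 400, ...). Anything else is rejected.
check_credential_file() {
  f="$1"
  [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
  [ -s "$f" ] || { echo "empty credential file: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    [0-7]00) return 0 ;;
    *) echo "permissions too open ($mode): $f" >&2; return 1 ;;
  esac
}

# reject_inline_secret ARGS...
# Returns 1 if the argument list carries an inline AppRole secret ID
# (--secret-id VALUE or --secret-id=VALUE); --secret-id-file is allowed.
reject_inline_secret() {
  for arg in "$@"; do
    case "$arg" in
      --secret-id|--secret-id=*)
        echo "refusing inline --secret-id; use --secret-id-file instead" >&2
        return 1 ;;
    esac
  done
  return 0
}

# preflight_approle SECRET_ID_FILE ARGS...
# Runs both checks; the caller only invokes iagctl when this returns 0.
preflight_approle() {
  sid_file="$1"; shift
  check_credential_file "$sid_file" || return 1
  reject_inline_secret "$@" || return 1
  return 0
}

# Usage (constructed temporary file standing in for /etc/gateway/secret_id):
#   sid=$(mktemp) && printf 'constructed-secret-id\n' > "$sid" && chmod 600 "$sid"
#   preflight_approle "$sid" --type vault --auth-method approle \
#       --secret-id-file "$sid" && iagctl create secret-provider prod-vault ...
```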

CyberArk options

--url string           CyberArk CCP server URL, including the AIMWebService base path
--app-id string        CyberArk application ID for this Gateway instance
--cert-file string     Path to the client certificate file
--key-file string      Path to the private key file
--ca string            Path to the CA certificate file
--allow-invalid-certs  Skip TLS certificate verification (development environments only)

Plugin options

--command string   Path to the plugin executable on the gateway server
--env stringArray  Non-sensitive configuration passed to the plugin at invocation time, in KEY=VALUE format; repeatable

Options inherited from parent commands

--profile string   Specify the client profile to use (case-insensitive, defaults to [client] section)
--config string    Path to the configuration file
--raw              Display the result of the command in raw format
--verbose          Enable verbose output