This repository has been archived by the owner on Apr 25, 2024. It is now read-only.

This project provides the command line interface to the STACKIT Secrets-Manager.

stackitcloud/stackit-secrets-manager-cli

⛔ [DEPRECATED] ⛔

A new tool was released which has all the functionality of the secrets manager.
This repository will not be maintained anymore.

➡️ Please use the STACKIT-CLI instead


STACKIT Secrets-Manager CLI

This project provides the command line interface to the STACKIT Secrets-Manager.

Installation

The recommended way for installing the STACKIT Secrets-Manager CLI is to download prebuilt binaries.

Alternatively you can build it from source, if you have Go already installed:

$ go install github.com/stackitcloud/stackit-secrets-manager-cli/cmd/stackit-secrets-manager@latest

Usage

Create an access token for the STACKIT project you want to interact with. The token needs at least project.member permissions.
Now set the token with the configure subcommand:

$ stackit-secrets-manager configure
Authentication Token []: <your token>
Configuration successfully written

Alternatively, you can set these settings as environment variables in cases where you might have a read-only file system:

$ export AUTHENTICATION_TOKEN=eyJraWQiO...zQXuLFGP3hMfw
$ export PROJECT_ID=54349a42-2fbc-4fed-b307-16673e3eaa1f

To create a new instance run:

$ stackit-secrets-manager create instance --name 'test'

To get a list of all secrets manager instances run:

$ stackit-secrets-manager get instances

To create an ACL for your instance to restrict login IP ranges:

$ stackit-secrets-manager create acl --cidr 192.0.2.0/24 --instance-id 0069066b-b7d2-4e04-bda8-0f3f02efb920

To get a list of all ACLs run:

$ stackit-secrets-manager get acls --instance-id 0069066b-b7d2-4e04-bda8-0f3f02efb920

To replace the list of ACLs:

$ stackit-secrets-manager update acls --instance-id 0069066b-b7d2-4e04-bda8-0f3f02efb920 --acls="127.0.0.2/32,127.0.0.1/32,127.0.0.3/32"
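An added example, not part of this project's code: a small Go check for the comma-separated value passed to --acls, run before the replace so that a malformed, duplicated or catch-all entry is caught locally. The function name CheckACLs and its warning rules are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// CheckACLs validates a comma-separated CIDR list in the form passed to
// --acls. It returns canonical, de-duplicated entries and any warnings.
// (Hypothetical helper for this example, not part of the CLI.)
func CheckACLs(list string) (cidrs, warnings []string, err error) {
	seen := map[netip.Prefix]bool{}
	for _, raw := range strings.Split(list, ",") {
		entry := strings.TrimSpace(raw)
		p, perr := netip.ParsePrefix(entry)
		if perr != nil {
			return nil, nil, fmt.Errorf("invalid CIDR %q: %w", entry, perr)
		}
		canon := p.Masked() // zero the host bits: 192.0.2.10/24 -> 192.0.2.0/24
		if canon != p {
			warnings = append(warnings, fmt.Sprintf("%s has host bits set, using %s", entry, canon))
		}
		if seen[canon] {
			warnings = append(warnings, fmt.Sprintf("%s is a duplicate, dropped", entry))
			continue
		}
		seen[canon] = true
		if canon.Bits() == 0 {
			warnings = append(warnings, fmt.Sprintf("%s matches every address", canon))
		}
		cidrs = append(cidrs, canon.String())
	}
	return cidrs, warnings, nil
}

func main() {
	// Constructed input: the list from the update example plus one sloppy entry.
	cidrs, warnings, err := CheckACLs("127.0.0.2/32,127.0.0.1/32,127.0.0.3/32, 192.0.2.10/24")
	if err != nil {
		fmt.Println("refusing to update:", err)
		return
	}
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
	fmt.Printf("--acls=%q\n", strings.Join(cidrs, ","))
}
```
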

To create a user with write access for that instance:

$ stackit-secrets-manager create user --instance-id 0069066b-b7d2-4e04-bda8-0f3f02efb920 --enable-write

Note down the password that is printed. This is the only time you will ever see the password for the user.

To list all users for that instance:

$ stackit-secrets-manager get users --instance-id 0069066b-b7d2-4e04-bda8-0f3f02efb920

For more information about the available sub-commands and flags use the --help command line flag.

Use the API URL and Secrets Engine name of the instance, together with the username and password of the user, to configure the HashiCorp Vault client to interact with the secrets engine on the command line.

$ export VAULT_ADDR=https://prod.sm.eu01.stackit.cloud
$ vault login -method=userpass username=h86c6it5228nn9d9 password="A{o'61eJzD]|hUH4"
$ vault kv put 0069066b-b7d2-4e04-bda8-0f3f02efb920/foo bar=baz
$ vault kv get 0069066b-b7d2-4e04-bda8-0f3f02efb920/foo

If you prefer to use a web UI, select your Secrets Manager instance from the STACKIT portal. By selecting the Secrets tab, you can manage your secrets and the key-value pairs they contain.

To delete a user for that instance:

$ stackit-secrets-manager delete user <userId> --instance-id 0069066b-b7d2-4e04-bda8-0f3f02efb920

To delete an instance run:

$ stackit-secrets-manager delete instance 0069066b-b7d2-4e04-bda8-0f3f02efb920

Development

If you want to work with the source code of the Secrets-Manager CLI, you need to meet these prerequisites:

  • Go v1.19 or newer
  • Have make and git available on your system

Building

To build the binary, simply run:

$ make

This will download dependencies into the bin subdirectory, run some linting and build the stackit-secrets-manager executable in the project root.

Updating Dependencies

To update third party libraries:

$ go get -u
$ go mod tidy

To update the openapi spec for the Secrets-Manager API:

$ make update-openapi-spec

To update third party binaries, check the shell scripts in the scripts subdirectory and update the versions in there.

Building a release

To build a new release, set the VERSION environment variable to the version you want to release, and provide your GitHub token as an environment variable as well. Make sure that all your changes are committed and call the release make target:

$ export VERSION=0.0.1
$ export GITHUB_TOKEN=<your github token>
$ make release

You can also test out a release locally first, without publishing it to GitHub. The release is put into the dist subdirectory:

$ make release-local