Secrets Management via CLI
This section provides Secrets Management configuration steps and usage information for the StrongDM CLI. Administrators can use the StrongDM CLI to add, update, read, delete, and otherwise manage secret engines and managed secrets.
If you wish to use the Admin UI instead of the CLI, please see the Admin UI section of this guide.
Secret Engine CLI Commands
Manage secret engines in the CLI with sdm admin secretengines and its subcommands:
sdm admin secretengines create: Creates a new secret engine
sdm admin secretengines list: Lists all secret engines in your organization
sdm admin secretengines show: Shows details about a secret engine
sdm admin secretengines list-available-stores: Lists the secret stores that can be used with the secret engines in your organization
sdm admin secretengines healthcheck: Checks the health of secret engines on all nodes
sdm admin secretengines rotate: Rotates a secret engine's credentials
sdm admin secretengines update: Updates the secret engine
sdm admin secretengines delete: Deletes a secret engine
sdm admin secretengines create
The sdm admin secretengines create command is used to add a new secret engine to your organization. You can create an AD (active_directory) secret engine or a Key Value (key_value) secret engine.
To create an AD secret engine, run the sdm admin secretengines create active_directory command with all required options set, as in the following example.
```shell
sdm admin secretengines create active_directory \
  --binddn "cn=admin,dc=example,dc=com" \
  --bindpass="Example" \
  --secret-store-id se-1234a12345bcd123 \
  --name exampleAD \
  --url ldaps://<HOSTNAME>:<PORT> \
  --secret-store-root-path="/secret/data/ad"
```
For the --secret-store-id option, the value should be the ID of an existing secret store. For --url, the URL should be in the format <HOSTNAME>:<PORT>, prepended by either ldap:// for an unencrypted connection or ldaps:// for a TLS-encrypted connection.
To create a Key Value secret engine, run sdm admin secretengines create key_value with all required options set, as in the following example.
After secret engine creation, configure the node (gateway or relay) to be used to contact the secret store or Active Directory. To do this, run the following command to update the relevant node and set a tag in the form of eng__<SECRET_ENGINE_NAME>=true:
Example:
This tag should be added to all nodes that have been configured to access both the secret store and the external secrets system.
See the CLI Reference for a copy of the help text available for sdm admin secretengines create.
sdm admin secretengines list
Use the following command to list all existing secret engines in your organization.
If any secret engines are already created, the returned output looks similar to the following.
See the CLI Reference for a copy of the help text available for sdm admin secretengines list.
sdm admin secretengines show
Use sdm admin secretengines show to show details about a specific secret engine. You must specify the secret engine ID, as in the following example.
See the CLI Reference for a copy of the help text available for sdm admin secretengines show.
sdm admin secretengines list-available-stores
Use sdm admin secretengines list-available-stores to list the secret stores that can be used with the secret engines in your organization.
Example:
See the CLI Reference for a copy of the help text available for sdm admin secretengines list-available-stores.
sdm admin secretengines healthcheck
Use sdm admin secretengines healthcheck <SECRET_ENGINE_ID> to check the health of a secret engine on nodes.
Example:
See the CLI Reference for a copy of the help text available for sdm admin secretengines healthcheck.
sdm admin secretengines rotate
Use sdm admin secretengines rotate <SECRET_ENGINE_ID> to rotate a secret engine's secrets.
Example:
See the CLI Reference for a copy of the help text available for sdm admin secretengines rotate.
sdm admin secretengines update
Use sdm admin secretengines update to make changes to a specific secret engine. You must specify the secret engine type (active_directory or key_value) and set the options that you wish to change, as in the following example.
See the CLI Reference for a copy of the help text available for sdm admin secretengines update.
sdm admin secretengines delete
Use sdm admin secretengines delete to delete a secret engine. You must specify the secret engine ID, as in the following example.
See the CLI Reference for a copy of the help text available for sdm admin secretengines delete.
Managed Secrets CLI Commands
You can work with managed secrets in the CLI with sdm admin managedsecrets and its subcommands:
sdm admin managedsecrets create: creates a new managed secret.
sdm admin managedsecrets list: lists all managed secrets in the secret engine.
sdm admin managedsecrets show: shows details of managed secrets without sensitive data.
sdm admin managedsecrets update: updates a managed secret.
sdm admin managedsecrets delete: deletes a managed secret.
sdm admin managedsecrets logs: displays logs for managed secrets.
You can also use the sdm managedsecrets commands:
sdm managedsecrets list: lists all managed secrets you have access to.
sdm managedsecrets show: shows details of a managed secret without sensitive data.
sdm managedsecrets retrieve/read: shows details of a managed secret with sensitive data.
sdm managedsecrets rotate: rotates a managed secret.
sdm managedsecrets validate: shows whether a managed secret is currently valid.
sdm admin managedsecrets create
Use sdm admin managedsecrets create to add secrets for a user for a specific secret engine. When running this command, you must, at minimum, specify the secret engine name and the desired name for the secrets you're adding.
For Key Value, run the following:
Example:
For Active Directory, you also must set the user_dn, which is the distinguished name of the account that is managed.
In the following example, secrets are created for user Bob for an AD secret engine.
See the CLI Reference for a copy of the help text available for sdm admin managedsecrets create.
sdm admin managedsecrets list
Use the following command to list all existing managed secrets in your organization. You must specify the name of the secret engine being used.
If any managed secrets are already present, the returned output looks similar to the following.
See the CLI Reference for a copy of the help text available for sdm admin managedsecrets list.
sdm admin managedsecrets show
Use this command to get information about a specific managed secret and the associated secret engine. The returned details include the secret engine ID, when the secrets were last rotated (if ever), when their next rotation is scheduled to occur (if at all), information about the password complexity policy, and any tags associated with the secrets. When running this command, you must specify the name of the secret engine and the name of the managed secret.
Example:
See the CLI Reference for a copy of the help text available for sdm admin managedsecrets show.
sdm admin managedsecrets update
Use sdm admin managedsecrets update to make changes to existing secrets for a specific secret engine. When running the command, specify the name of the secret engine, the name of the managed secret, and the new values of the options that you want to update.
Example:
See the CLI Reference for a copy of the help text available for sdm admin managedsecrets update.
sdm admin managedsecrets delete
Use sdm admin managedsecrets delete to delete secrets. When running the command, specify the name of the secret engine and the name of the managed secret.
Example:
See the CLI Reference for a copy of the help text available for sdm admin managedsecrets delete.
sdm admin managedsecrets logs
Use sdm admin managedsecrets logs to get information about managed secrets, including the date and time when the secrets were created, the ID of the secret engine they were created for, the account ID of the user using them, and the last action taken.
Example:
See the CLI Reference for a copy of the help text available for sdm admin managedsecrets logs.
sdm managedsecrets list
Secrets available to the currently logged-in principal can be listed with sdm managedsecrets list.
See the CLI Reference for a copy of the help text available for sdm managedsecrets list.
sdm managedsecrets show
Use sdm managedsecrets show to show details about a specific secret without showing the sensitive data associated with it, such as password values.
See the CLI Reference for a copy of the help text available for sdm managedsecrets show.
sdm managedsecrets retrieve
Use sdm managedsecrets retrieve to show details about a specific secret that include the sensitive data associated with it, such as password values.
See the CLI Reference for a copy of the help text available for sdm managedsecrets retrieve.
Managed secrets also may be retrieved in the Admin UI's Access > Secrets page.
sdm managedsecrets rotate
Secrets created with a secret engine that allows rotation are able to be rotated with sdm managedsecrets rotate. For example, to rotate user Bob's password, run the following command with the name of the secret engine and the name of the managed secret:
See the CLI Reference for a copy of the help text available for sdm managedsecrets rotate.
Managed secrets also may be rotated in the Admin UI's Access > Secrets page.
sdm managedsecrets validate
Use sdm managedsecrets validate to show whether a managed secret is currently valid. When running the command, specify the name of the secret engine and the name of the managed secret.
Example:
See the CLI Reference for a copy of the help text available for sdm managedsecrets validate.
Managed secrets also may be validated in the Admin UI's Access > Secrets page.
Configure Password Complexity Requirements in the CLI
When a managed secret is created, you have the option to set password complexity requirements, such as the number of symbols required, for passwords that are generated, rotated, or updated, to suit the needs of your organization. The available options for passwords are:
--password-length: Password length (default: 0)
--password-num-digits: Number of digits to use when generating the password (default: 0)
--password-num-symbols: Number of symbols to use when generating the password (default: 0)
--password-allow-repeat: If set to true, allows consecutive characters to repeat
--password-exclude-characters: Set of characters to exclude when generating the password
Password complexity requirements may be set as options with the following CLI commands:
In the following example, the AD managed secret is updated to require generated passwords to be 24 digits long, have 2 symbols, exclude the # character, and not repeat themselves or exclude uppercase letters.
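To verify that a password actually satisfies a complexity policy like the one above before it is stored or after a rotation, the following added checker (example code written for this page, not part of the StrongDM CLI) mirrors the --password-* options as keyword arguments. It assumes that --password-length is an exact length, that the digit and symbol counts are minimums, and that "symbols" means ASCII punctuation; the page does not define these details.

```python
import string

# Assumption: StrongDM does not define its symbol set on this page, so
# ASCII punctuation is used as the set of "symbols".
SYMBOLS = set(string.punctuation)


def check_policy(password, length=0, num_digits=0, num_symbols=0,
                 allow_repeat=False, exclude_characters=""):
    """Return a list of policy violations for `password` (empty if compliant).

    Keyword names mirror the --password-* CLI options. A count of 0 means
    "no requirement". Assumption: length is exact (generated passwords have
    exactly the configured length); digit and symbol counts are minimums.
    """
    violations = []
    if length and len(password) != length:
        violations.append(f"length {len(password)} != required {length}")
    digits = sum(c.isdigit() for c in password)
    if digits < num_digits:
        violations.append(f"only {digits} digit(s), need at least {num_digits}")
    symbols = sum(c in SYMBOLS for c in password)
    if symbols < num_symbols:
        violations.append(f"only {symbols} symbol(s), need at least {num_symbols}")
    if not allow_repeat:
        # Consecutive identical characters are disallowed unless allow_repeat is set.
        for a, b in zip(password, password[1:]):
            if a == b:
                violations.append(f"consecutive repeat of {a!r}")
                break
    present = sorted(set(password) & set(exclude_characters))
    if present:
        violations.append(f"excluded character(s) present: {''.join(present)}")
    return violations


# The policy from the page's example: 24 long, 2 symbols, no '#', no repeats.
AD_POLICY = dict(length=24, num_symbols=2, exclude_characters="#",
                 allow_repeat=False)

# Constructed sample values, not real secrets.
COMPLIANT = "Tq7v$Kd2Lm9x!Rw4Hz8Bn5Yc"
NON_COMPLIANT = "Pass##word1234567890xyzz"

if __name__ == "__main__":
    for candidate in (COMPLIANT, NON_COMPLIANT):
        result = check_policy(candidate, **AD_POLICY)
        print(candidate, "->", result or "compliant")
```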