Managing secrets
Secrets engines
The Anjuna Policy Manager (APM) is built on HashiCorp Vault and shares the concept of a secrets engine.
Non-versioned secrets
The Anjuna Policy Manager’s default secrets engine is the kv v1 engine,
which supports non-versioned secrets.
Enabling the secrets engine
Enable the engine using the anjuna-policy-manager secret enable-engine command:
$ export ENGINE_PATH="some-kvv1-engine"
$ anjuna-policy-manager secret enable-engine \
      --engine-path "${ENGINE_PATH}" \
      kv-v1
Creating secrets
Creating secrets can be done in multiple ways, using the anjuna-policy-manager secret create
command:
- From a file containing the secret value:
  $ export SECRET_NAME="secret_from_file"
  $ anjuna-policy-manager secret create \
        --engine-path "${ENGINE_PATH}" \
        --file file-containing-secret.bin \
        "${SECRET_NAME}"
- Through a CLI argument:
  $ export SECRET_NAME="secret_from_cli"
  $ anjuna-policy-manager secret create \
        --engine-path "${ENGINE_PATH}" \
        --value "the secret itself" \
        "${SECRET_NAME}"
- Randomly generated by the Anjuna Policy Manager:
  $ export SECRET_NAME="random_secret"
  $ export SECRET_SIZE=16 # Secret size in bytes
  $ anjuna-policy-manager secret create \
        --engine-path "${ENGINE_PATH}" \
        --random "${SECRET_SIZE}" \
        "${SECRET_NAME}"
Listing secrets
List all secrets:
$ anjuna-policy-manager list secrets all
List secrets authorized for a signer:
$ anjuna-policy-manager list secrets signer \
      --signer "${SIGNER_ID}"
List secrets authorized for an enclave:
$ anjuna-policy-manager list secrets enclave \
      --signer "${SIGNER_ID}" \
      --enclave "${ENCLAVE_ID}"
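The "Creating secrets" section above offers --file, --value and --random. Of these, --value places the secret on the command line, where it is visible in shell history and in the process list, so for a value that must be produced or sourced locally the --file form is the one to prefer. The following script is an added example, not part of the Anjuna documentation: it stages a locally generated random secret in an owner-only temporary file and hands it to secret create --file, using the engine path and secret name from the page and hypothetical helper functions of my own.

```shell
#!/bin/sh
# Added example (not from the Anjuna documentation): stage a locally generated
# secret in an owner-only temporary file and pass it with --file, so the value
# never appears in shell history or in the process list as --value would.

# make_secret_file SIZE_BYTES: create a mode-0600 file holding SIZE_BYTES
# random bytes from /dev/urandom and print its path.
make_secret_file() {
    size="$1"
    tmp="$(mktemp "${TMPDIR:-/tmp}/apm-secret.XXXXXX")" || return 1
    chmod 600 "$tmp" || return 1
    head -c "$size" /dev/urandom > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# secret_file_size PATH: print the file size in bytes, to check the staged secret.
secret_file_size() {
    wc -c < "$1" | tr -d ' '
}

# secret_file_mode PATH: print the octal permission bits (GNU stat, BSD fallback).
secret_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# create_secret_from_file ENGINE_PATH SECRET_NAME FILE: the `secret create --file`
# call from the docs. When the APM CLI is not installed (for example while
# exercising this script), it only prints the command it would run and returns 0.
create_secret_from_file() {
    engine="$1"; name="$2"; file="$3"
    if command -v anjuna-policy-manager >/dev/null 2>&1; then
        anjuna-policy-manager secret create \
            --engine-path "$engine" \
            --file "$file" \
            "$name"
    else
        echo "APM CLI not found; would run: anjuna-policy-manager secret create" \
             "--engine-path $engine --file $file $name"
    fi
}
```

Typical use: f="$(make_secret_file 16)" followed by create_secret_from_file "some-kvv1-engine" "secret_from_file" "$f", then rm -f "$f" once the secret is stored.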