stable URL: /l/credential-manager-docs
cki_tools.credential_manager
Manage CKI service account secrets across services
This page has an internal companion page which might contain additional information.
Manage credentials for service accounts and their meta data as stored in CKI secrets.
Life cycle
In general, tokens that can expire (rotatable) have multiple versions that go
through the following life-cycle:
| description | active |
deployed |
|---|---|---|
| created and deployed | true |
true |
| superseded and no longer deployed, but still valid | true |
false |
| revoked and no longer valid | false |
false |
For rotatable tokens, the validate commands check the following invariants
about the versions of a token:
- all versions have
activeanddeployedfields - at least two versions are marked as
active - only one version is marked as
deployed
Metrics
Usage:
python -m cki_tools.credential_manager metrics
This will output the following Prometheus metrics related to the stored credentials:
| name | labels | description |
|---|---|---|
cki_token_created_at |
name, active, deployed |
token creation timestamp |
cki_token_expires_at |
name, active, deployed |
token expiration timestamp |
GitLab
For various kinds of GitLab tokens, the tool supports
-
creation (
create)python -m cki_tools.credential_manager gitlab create --token TOKEN_SECRET_NAME -
rotation (
rotate)python -m cki_tools.credential_manager gitlab rotate [--token TOKEN] [--dry-run] [--force] options: --token TOKEN Only rotate a single token --dry-run Do not modify secrets or create tokens --force Force token rotation even if new enough -
meta data update (
update)python -m cki_tools.credential_manager gitlab update -
validation of deployed tokens (
validate)python -m cki_tools.credential_manager gitlab validate
Project access tokens
These tokens are rotatable.
See the API description for details.
| name | create | rotate | update | validate | description |
|---|---|---|---|---|---|
| (secret) | updated | updated | required | secret token | |
token_type |
required | required | required | required | gitlab_project_token |
project_url |
required | required | required | required | Project URL |
scopes |
required | updated | updated | Access scope | |
access_level |
required | updated | updated | Access levels | |
token_name |
required | updated | updated | Name of the token | |
token_id |
updated | required | required | Project access token ID | |
created_at |
updated | updated | updated | ISO8601 timestamp of creation | |
expires_at |
updated | updated | updated | ISO8601 expiry date | |
revoked |
updated | updated | updated | Whether the token is already revoked | |
active |
updated | updated | updated | required | Whether the token is still active |
user_id |
updated | updated | updated | ID of associated user | |
user_name |
updated | updated | updated | Name of associated user | |
deployed |
updated | updated | required | Whether the token is actually used |
Group access tokens
These tokens are rotatable.
See the API description for details.
| name | create | rotate | update | validate | description |
|---|---|---|---|---|---|
| (secret) | updated | updated | required | secret token | |
token_type |
required | required | required | required | gitlab_group_token |
group_url |
required | required | required | required | Group URL |
scopes |
required | updated | updated | Access scope | |
access_level |
required | updated | updated | Access levels | |
token_name |
required | updated | updated | Name of the token | |
token_id |
updated | required | required | Group access token ID | |
created_at |
updated | updated | updated | ISO8601 timestamp of creation | |
expires_at |
updated | updated | updated | ISO8601 expiry date | |
revoked |
updated | updated | updated | Whether the token is already revoked | |
active |
updated | updated | updated | required | Whether the token is still active |
user_id |
updated | updated | updated | ID of associated user | |
user_name |
updated | updated | updated | Name of associated user | |
deployed |
updated | updated | required | Whether the token is actually used |
Personal access tokens
These tokens are rotatable.
See the API description for details.
Token creation is not supported.
| name | rotate | update | validate | description |
|---|---|---|---|---|
| (secret) | updated | required | secret token | |
token_type |
required | required | required | gitlab_personal_token |
instance_url |
required | required | required | GitLab instance URL |
scopes |
updated | updated | Access scope | |
token_name |
updated | updated | Name of the token | |
token_id |
required | required | Access token ID | |
created_at |
updated | updated | ISO8601 timestamp of creation | |
expires_at |
updated | updated | ISO8601 expiry date | |
revoked |
updated | updated | Whether the token is already revoked | |
active |
updated | updated | required | Whether the token is still active |
user_id |
required | required | ID of associated user | |
user_name |
updated | updated | Name of associated user | |
deployed |
updated | required | Whether the token is actually used |
Project deploy tokens
See the API description for details.
Token rotation is not supported.
| name | create | update | validate | description |
|---|---|---|---|---|
| (secret) | updated | secret token | ||
token_type |
required | required | required | gitlab_project_deploy_token |
project_url |
required | required | required | Project URL |
scopes |
required | updated | Access scope | |
token_name |
required | updated | Name of the token | |
token_id |
updated | required | required | Project deploy token ID |
created_at |
updated | ISO8601 timestamp of creation | ||
expires_at |
optional | updated | ISO8601 expiry date | |
revoked |
updated | updated | Whether the token is already revoked | |
active |
updated | updated | Whether the token is still active | |
user_name |
updated | updated | Associated user name | |
deployed |
updated | Whether the token is actually used |
Group deploy tokens
See the API description for details.
Token rotation is not supported.
| name | create | update | validate | description |
|---|---|---|---|---|
| (secret) | updated | secret token | ||
token_type |
required | required | required | gitlab_group_deploy_token |
group_url |
required | required | required | Group URL |
scopes |
required | updated | Access scope | |
token_name |
required | updated | Name of the token | |
token_id |
updated | required | required | Group deploy token ID |
created_at |
updated | ISO8601 timestamp of creation | ||
expires_at |
optional | updated | ISO8601 expiry date | |
revoked |
updated | updated | Whether the token is already revoked | |
active |
updated | updated | Whether the token is still active | |
user_name |
updated | updated | Associated user name | |
deployed |
updated | Whether the token is actually used |
Runner authentication tokens
See the API description for details.
Token creation and rotation is not supported.
| name | update | validate | description |
|---|---|---|---|
| (secret) | required | required | secret token |
token_type |
required | required | gitlab_runner_authentication_token |
instance_url |
required | required | GitLab instance URL |
token_id |
updated | Group token ID | |
expires_at |
updated | ISO8601 expiry date (optional) | |
active |
updated | Whether the token is still active | |
deployed |
Whether the token is actually used |
LDAP
For LDAP keytabs and passwords, the tool supports
-
update (
update)python -m cki_tools.credential_manager ldap update [--token TOKEN] options: --token TOKEN Only update a single token -
validation (
validate)python -m cki_tools.credential_manager ldap validate [--token TOKEN] options: --token TOKEN Only validate a single token
LDAP keytabs
Keytab validation is not supported.
| name | update | description |
|---|---|---|
| (secret) | keytab, base64-encoded | |
token_type |
required | ldap_keytab |
ldap_server |
required | LDAP server |
dn |
required | LDAP distinguished name |
| (LDAP attributes) | updated | LDAP object attributes |
LDAP passwords
| name | update | validate | description |
|---|---|---|---|
| (secret) | required | password | |
token_type |
required | required | ldap_password |
ldap_server |
required | required | LDAP server |
dn |
required | required | LDAP distinguished name |
| (LDAP attributes) | updated | LDAP object attributes |
AWS
For AWS secret access keys, the tool supports
-
update (
update)python -m cki_tools.credential_manager aws update --token TOKEN_SECRET_NAME options: --token TOKEN Only update a single token
| name | update | description |
|---|---|---|
| (secret) | secret access key | |
token_type |
required | aws_secret_access_key |
access_key_id |
required | access key ID |
endpoint_url |
required | endpoint URL if not AWS |
account |
updated | AWS account number |
user_name |
updated | service account user name |
arn |
updated | service account user ARN |
created_at |
updated | ISO8601 timestamp of creation |
active |
updated | Whether the token is still active |
deployed |
Whether the token is actually used |
Dogtag
For Dogtag certificates, the tool supports
-
creation (
create)python -m cki_tools.credential_manager dogtag create --token TOKEN_SECRET_NAME -
rotation (
rotate)python -m cki_tools.credential_manager dogtag rotate [--token TOKEN] [--dry-run] [--force] options: --token TOKEN Only operate on a single token --dry-run Do not modify secrets or create tokens --force Force token rotation even if new enough -
update (
update)python -m cki_tools.credential_manager dogtag update [--token TOKEN] options: --token TOKEN Only operate on a single token -
validation of deployed tokens (
validate)python -m cki_tools.credential_manager dogtag validate [--token TOKEN] options: --token TOKEN Only operate on a single token
| name | create | rotate | update | validate | description |
|---|---|---|---|---|---|
| (secret):private_key | updated | updated | required | secret key | |
| (secret):certificate | updated | updated | updated | required | certificate |
token_type |
required | required | required | required | dogtag_certificate |
server_url |
required | required | required | Dogtag server URL | |
serial_number |
updated | updated | required | Certificate serial number | |
issuer_dn |
updated | updated | updated | Issuer DN | |
subject_dn |
required | required | updated | Subject DN | |
created_at |
updated | updated | updated | ISO8601 timestamp of creation | |
expires_at |
updated | updated | updated | ISO8601 timestamp of expiry | |
active |
updated | updated | updated | Whether the certificate is still valid | |
deployed |
updated | updated | Whether the certificate is actually used |
Splunk
For Splunk HEC tokens, the tool supports
-
validation (
validate)python -m cki_tools.credential_manager splunk validate [--token TOKEN] options: --token TOKEN Only validate a single token
| name | validate | description |
|---|---|---|
| (secret) | required | HEC token |
token_type |
required | splunk_hec_token |
endpoint_url |
required | Splunk HEC endpoint base URL |
index |
optional | Splunk index |
SSH keys
For SSH keys, the tool supports
-
creation (
create)python -m cki_tools.credential_manager ssh create --token TOKEN_SECRET_NAME -
rotation (
rotate)python -m cki_tools.credential_manager ssh rotate [--token TOKEN] [--dry-run] [--force] options: --token TOKEN Only operate on a single token --dry-run Do not modify secrets or create tokens --force Force token rotation even if new enough -
update (
update)python -m cki_tools.credential_manager ssh update [--token TOKEN] options: --token TOKEN Only operate on a single token -
validation of deployed SSH keys (
validate)python -m cki_tools.credential_manager ssh validate [--token TOKEN] options: --token TOKEN Only operate on a single token
| name | create | rotate | update | validate | description |
|---|---|---|---|---|---|
| (secret):private_key | updated | updated | required | secret key | |
| (secret):public_key | updated | updated | updated | required | certificate |
token_type |
required | required | required | required | ssh_private_key |
comment |
required | required | required | Public key comment (name) | |
key_size |
required | required | updated | RSA key size | |
created_at |
updated | updated | updated | ISO8601 timestamp of creation | |
active |
updated | updated | required | Whether the key is still valid | |
deployed |
updated | updated | required | Whether the key is actually used |
Generic passwords
For generic passwords created via diceware, the tool supports
-
creation (
create)python -m cki_tools.credential_manager password create --token TOKEN_SECRET_NAME -
rotation (
rotate)python -m cki_tools.credential_manager password rotate [--token TOKEN] [--dry-run] [--force] options: --token TOKEN Only operate on a single token --dry-run Do not modify secrets or create tokens --force Force token rotation even if new enough -
validation (
validate)python -m cki_tools.credential_manager password validate [--token TOKEN] options: --token TOKEN Only operate on a single token
| name | create | rotate | update | validate | description |
|---|---|---|---|---|---|
| (secret) | updated | updated | required | password | |
token_type |
required | required | required | required | password |
created_at |
updated | updated | updated | ISO8601 timestamp of creation | |
active |
updated | updated | required | Whether the key is still valid | |
deployed |
updated | updated | required | Whether the key is actually used |
Configuration via environment variables
| Name | Secret | Required | Description |
|---|---|---|---|
GITLAB_TOKENS |
no | yes | URL/environment variable pairs of GitLab instances and private tokens |
GITLAB_TOKEN |
yes | yes | GitLab private tokens as configured in GITLAB_TOKENS above |
CKI_LOGGING_LEVEL |
no | no | logging level for CKI modules, defaults to WARN; to get meaningful output on the command line, set to INFO |