cki_tools.credential_manager

Manage CKI service account secrets across services

Manage credentials for service accounts and their metadata as stored in CKI secrets.

Life cycle

In general, tokens that can expire (rotatable tokens) have multiple versions that go through the following life cycle:

description                                         active  deployed
created and deployed                                true    true
superseded and no longer deployed, but still valid  true    false
revoked and no longer valid                         false   false

For rotatable tokens, the validate commands check the following invariants about the versions of a token:

  • all versions have active and deployed fields
  • at least two versions are marked as active
  • only one version is marked as deployed

Metrics

Usage:

python -m cki_tools.credential_manager metrics

This will output the following Prometheus metrics related to the stored credentials:

name                  labels                  description
cki_token_created_at  name, active, deployed  token creation timestamp
cki_token_expires_at  name, active, deployed  token expiration timestamp
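The life-cycle invariants from the previous section and the two gauges in this table, modelled together in Python as an added example (this is not the credential_manager code itself): the version records in SAMPLE_VERSIONS are constructed, and lifecycle_violations, _epoch and prometheus_metrics are names chosen here.

```python
from datetime import datetime, timezone

# Constructed sample (values made up): three versions of one rotatable token,
# carrying the active/deployed fields from the life-cycle table above.
SAMPLE_VERSIONS = [
    {"name": "gitlab-ci-bot", "active": True, "deployed": True,
     "created_at": "2024-05-01T00:00:00+00:00", "expires_at": "2024-08-01T00:00:00+00:00"},
    {"name": "gitlab-ci-bot", "active": True, "deployed": False,
     "created_at": "2024-02-01T00:00:00+00:00", "expires_at": "2024-05-01T00:00:00+00:00"},
    {"name": "gitlab-ci-bot", "active": False, "deployed": False,
     "created_at": "2023-11-01T00:00:00+00:00", "expires_at": "2024-02-01T00:00:00+00:00"},
]


def lifecycle_violations(versions):
    """Check the three invariants the validate commands enforce for rotatable
    tokens and return a list of human-readable violations (empty when OK)."""
    problems = []
    for index, version in enumerate(versions):
        missing = [field for field in ("active", "deployed") if field not in version]
        if missing:
            problems.append(f"version {index}: missing {', '.join(missing)}")
    active = sum(1 for v in versions if v.get("active"))
    deployed = sum(1 for v in versions if v.get("deployed"))
    if active < 2:
        problems.append(f"only {active} active version(s), need at least two")
    if deployed != 1:
        problems.append(f"{deployed} deployed version(s), need exactly one")
    return problems


def _epoch(iso8601):
    """ISO8601 timestamp (with UTC offset) -> integer Unix time, as Prometheus expects."""
    return int(datetime.fromisoformat(iso8601).astimezone(timezone.utc).timestamp())


def prometheus_metrics(versions):
    """Render the two gauges from the metrics table, one sample per version,
    labelled with name, active and deployed as lowercase strings."""
    lines = []
    for metric, field in (("cki_token_created_at", "created_at"),
                          ("cki_token_expires_at", "expires_at")):
        lines.append(f"# TYPE {metric} gauge")
        for v in versions:
            if field in v:
                labels = (f'name="{v["name"]}",active="{str(v.get("active", False)).lower()}",'
                          f'deployed="{str(v.get("deployed", False)).lower()}"')
                lines.append(f"{metric}{{{labels}}} {_epoch(v[field])}")
    return "\n".join(lines)
```

Run against SAMPLE_VERSIONS the validator returns no violations; dropping a version or marking a second one as deployed produces the corresponding message.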

GitLab

For various kinds of GitLab tokens, the tool supports

  • creation (create)

    python -m cki_tools.credential_manager gitlab create --token TOKEN_SECRET_NAME
    
  • rotation (rotate)

    python -m cki_tools.credential_manager gitlab rotate
                            [--token TOKEN] [--dry-run] [--force]
    
    options:
      --token TOKEN         Only rotate a single token
      --dry-run             Do not modify secrets or create tokens
      --force               Force token rotation even if new enough
    
  • metadata update (update)

    python -m cki_tools.credential_manager gitlab update
    
  • validation of deployed tokens (validate)

    python -m cki_tools.credential_manager gitlab validate
    

Project access tokens

These tokens are rotatable.

See the API description for details.

name create rotate update validate description
(secret) updated updated required secret token
token_type required required required required gitlab_project_token
project_url required required required required Project URL
scopes required updated updated Access scope
access_level required updated updated Access levels
token_name required updated updated Name of the token
token_id updated required required Project access token ID
created_at updated updated updated ISO8601 timestamp of creation
expires_at updated updated updated ISO8601 expiry date
revoked updated updated updated Whether the token is already revoked
active updated updated updated required Whether the token is still active
user_id updated updated updated ID of associated user
user_name updated updated updated Name of associated user
deployed updated updated required Whether the token is actually used

Group access tokens

These tokens are rotatable.

See the API description for details.

name create rotate update validate description
(secret) updated updated required secret token
token_type required required required required gitlab_group_token
group_url required required required required Group URL
scopes required updated updated Access scope
access_level required updated updated Access levels
token_name required updated updated Name of the token
token_id updated required required Group access token ID
created_at updated updated updated ISO8601 timestamp of creation
expires_at updated updated updated ISO8601 expiry date
revoked updated updated updated Whether the token is already revoked
active updated updated updated required Whether the token is still active
user_id updated updated updated ID of associated user
user_name updated updated updated Name of associated user
deployed updated updated required Whether the token is actually used

Personal access tokens

These tokens are rotatable.

See the API description for details.

Token creation is not supported.

name rotate update validate description
(secret) updated required secret token
token_type required required required gitlab_personal_token
instance_url required required required GitLab instance URL
scopes updated updated Access scope
token_name updated updated Name of the token
token_id required required Access token ID
created_at updated updated ISO8601 timestamp of creation
expires_at updated updated ISO8601 expiry date
revoked updated updated Whether the token is already revoked
active updated updated required Whether the token is still active
user_id required required ID of associated user
user_name updated updated Name of associated user
deployed updated required Whether the token is actually used

Project deploy tokens

See the API description for details.

Token rotation is not supported.

name create update validate description
(secret) updated secret token
token_type required required required gitlab_project_deploy_token
project_url required required required Project URL
scopes required updated Access scope
token_name required updated Name of the token
token_id updated required required Project deploy token ID
created_at updated ISO8601 timestamp of creation
expires_at optional updated ISO8601 expiry date
revoked updated updated Whether the token is already revoked
active updated updated Whether the token is still active
user_name updated updated Associated user name
deployed updated Whether the token is actually used

Group deploy tokens

See the API description for details.

Token rotation is not supported.

name create update validate description
(secret) updated secret token
token_type required required required gitlab_group_deploy_token
group_url required required required Group URL
scopes required updated Access scope
token_name required updated Name of the token
token_id updated required required Group deploy token ID
created_at updated ISO8601 timestamp of creation
expires_at optional updated ISO8601 expiry date
revoked updated updated Whether the token is already revoked
active updated updated Whether the token is still active
user_name updated updated Associated user name
deployed updated Whether the token is actually used

Runner authentication tokens

See the API description for details.

Token creation and rotation are not supported.

name          update    validate  description
(secret)      required  required  secret token
token_type    required  required  gitlab_runner_authentication_token
instance_url  required  required  GitLab instance URL
token_id      updated             Group token ID
expires_at    updated             ISO8601 expiry date (optional)
active        updated             Whether the token is still active
deployed                          Whether the token is actually used

LDAP

For LDAP keytabs and passwords, the tool supports

  • update (update)

    python -m cki_tools.credential_manager ldap update [--token TOKEN]
    
    options:
      --token TOKEN         Only update a single token
    
  • validation (validate)

    python -m cki_tools.credential_manager ldap validate [--token TOKEN]
    
    options:
      --token TOKEN         Only validate a single token
    

LDAP keytabs

Keytab validation is not supported.

name               update    description
(secret)                     keytab, base64-encoded
token_type         required  ldap_keytab
ldap_server        required  LDAP server
dn                 required  LDAP distinguished name
(LDAP attributes)  updated   LDAP object attributes

LDAP passwords

name update validate description
(secret) required password
token_type required required ldap_password
ldap_server required required LDAP server
dn required required LDAP distinguished name
(LDAP attributes) updated LDAP object attributes

AWS

For AWS secret access keys, the tool supports

  • update (update)

    python -m cki_tools.credential_manager aws update --token TOKEN_SECRET_NAME
    
    options:
      --token TOKEN         Only update a single token
    
name           update    description
(secret)                 secret access key
token_type     required  aws_secret_access_key
access_key_id  required  access key ID
endpoint_url   required  endpoint URL if not AWS
account        updated   AWS account number
user_name      updated   service account user name
arn            updated   service account user ARN
created_at     updated   ISO8601 timestamp of creation
active         updated   Whether the token is still active
deployed                 Whether the token is actually used

Dogtag

For Dogtag certificates, the tool supports

  • creation (create)

    python -m cki_tools.credential_manager dogtag create --token TOKEN_SECRET_NAME
    
  • rotation (rotate)

    python -m cki_tools.credential_manager dogtag rotate
                            [--token TOKEN] [--dry-run] [--force]
    
    options:
      --token TOKEN         Only operate on a single token
      --dry-run             Do not modify secrets or create tokens
      --force               Force token rotation even if new enough
    
  • update (update)

    python -m cki_tools.credential_manager dogtag update [--token TOKEN]
    
    options:
      --token TOKEN         Only operate on a single token
    
  • validation of deployed tokens (validate)

    python -m cki_tools.credential_manager dogtag validate [--token TOKEN]
    
    options:
      --token TOKEN         Only operate on a single token
    
name create rotate update validate description
(secret):private_key updated updated required secret key
(secret):certificate updated updated updated required certificate
token_type required required required required dogtag_certificate
server_url required required required Dogtag server URL
serial_number updated updated required Certificate serial number
issuer_dn updated updated updated Issuer DN
subject_dn required required updated Subject DN
created_at updated updated updated ISO8601 timestamp of creation
expires_at updated updated updated ISO8601 timestamp of expiry
active updated updated updated Whether the certificate is still valid
deployed updated updated Whether the certificate is actually used

Splunk

For Splunk HEC tokens, the tool supports

  • validation (validate)

    python -m cki_tools.credential_manager splunk validate [--token TOKEN]
    
    options:
      --token TOKEN         Only validate a single token
    
name          validate  description
(secret)      required  HEC token
token_type    required  splunk_hec_token
endpoint_url  required  Splunk HEC endpoint base URL
index         optional  Splunk index

SSH keys

For SSH keys, the tool supports

  • creation (create)

    python -m cki_tools.credential_manager ssh create --token TOKEN_SECRET_NAME
    
  • rotation (rotate)

    python -m cki_tools.credential_manager ssh rotate
                            [--token TOKEN] [--dry-run] [--force]
    
    options:
      --token TOKEN         Only operate on a single token
      --dry-run             Do not modify secrets or create tokens
      --force               Force token rotation even if new enough
    
  • update (update)

    python -m cki_tools.credential_manager ssh update [--token TOKEN]
    
    options:
      --token TOKEN         Only operate on a single token
    
  • validation of deployed SSH keys (validate)

    python -m cki_tools.credential_manager ssh validate [--token TOKEN]
    
    options:
      --token TOKEN         Only operate on a single token
    
name create rotate update validate description
(secret):private_key updated updated required secret key
(secret):public_key updated updated updated required certificate
token_type required required required required ssh_private_key
comment required required required Public key comment (name)
key_size required required updated RSA key size
created_at updated updated updated ISO8601 timestamp of creation
active updated updated required Whether the key is still valid
deployed updated updated required Whether the key is actually used

Generic passwords

For generic passwords created via diceware, the tool supports

  • creation (create)

    python -m cki_tools.credential_manager password create --token TOKEN_SECRET_NAME
    
  • rotation (rotate)

    python -m cki_tools.credential_manager password rotate
                            [--token TOKEN] [--dry-run] [--force]
    
    options:
      --token TOKEN         Only operate on a single token
      --dry-run             Do not modify secrets or create tokens
      --force               Force token rotation even if new enough
    
  • validation (validate)

    python -m cki_tools.credential_manager password validate [--token TOKEN]
    
    options:
      --token TOKEN         Only operate on a single token
    
name create rotate update validate description
(secret) updated updated required password
token_type required required required required password
created_at updated updated updated ISO8601 timestamp of creation
active updated updated required Whether the key is still valid
deployed updated updated required Whether the key is actually used

Configuration via environment variables

Name               Secret  Required  Description
GITLAB_TOKENS      no      yes       URL/environment variable pairs of GitLab instances and private tokens
GITLAB_TOKEN       yes     yes       GitLab private tokens as configured in GITLAB_TOKENS above
CKI_LOGGING_LEVEL  no      no        logging level for CKI modules, defaults to WARN; to get meaningful output on the command line, set to INFO