cki_tools.credential_manager

Manage CKI service account secrets across services

This page has an internal companion page which might contain additional information.

Manage credentials for service accounts and their meta data as stored in CKI secrets.

Life cycle

In general, tokens that can expire (rotatable) have multiple versions that go through the following life-cycle:

description	`active`	`deployed`
created and deployed	`true`	`true`
superseded and no longer deployed, but still valid	`true`	`false`
revoked and no longer valid	`false`	`false`

For rotatable tokens, the validate commands check the following invariants about the versions of a token:

all versions have active and deployed fields
at least two versions are marked as active
only one version is marked as deployed

Metrics

Usage:

python -m cki_tools.credential_manager metrics

This will output the following Prometheus metrics related to the stored credentials:

name	labels	description
`cki_token_created_at`	`name`, `active`, `deployed`	token creation timestamp
`cki_token_expires_at`	`name`, `active`, `deployed`	token expiration timestamp

GitLab

For various kinds of GitLab tokens, the tool supports

creation (create)

python -m cki_tools.credential_manager gitlab create --token TOKEN_SECRET_NAME

rotation (rotate)

python -m cki_tools.credential_manager gitlab rotate
                        [--token TOKEN] [--dry-run] [--force]

options:
  --token TOKEN         Only rotate a single token
  --dry-run             Do not modify secrets or create tokens
  --force               Force token rotation even if new enough

meta data update (update)

python -m cki_tools.credential_manager gitlab update

validation of deployed tokens (validate)

python -m cki_tools.credential_manager gitlab validate

Project access tokens

These tokens are rotatable.

See the API description for details.

name	create	rotate	update	validate	description
(secret)	updated	updated		required	secret token
`token_type`	required	required	required	required	`gitlab_project_token`
`project_url`	required	required	required	required	Project URL
`scopes`	required	updated	updated		Access scope
`access_level`	required	updated	updated		Access levels
`token_name`	required	updated	updated		Name of the token
`token_id`	updated	required	required		Project access token ID
`created_at`	updated	updated	updated		ISO8601 timestamp of creation
`expires_at`	updated	updated	updated		ISO8601 expiry date
`revoked`	updated	updated	updated		Whether the token is already revoked
`active`	updated	updated	updated	required	Whether the token is still active
`user_id`	updated	updated	updated		ID of associated user
`user_name`	updated	updated	updated		Name of associated user
`deployed`	updated	updated		required	Whether the token is actually used

Group access tokens

These tokens are rotatable.

See the API description for details.

name	create	rotate	update	validate	description
(secret)	updated	updated		required	secret token
`token_type`	required	required	required	required	`gitlab_group_token`
`group_url`	required	required	required	required	Group URL
`scopes`	required	updated	updated		Access scope
`access_level`	required	updated	updated		Access levels
`token_name`	required	updated	updated		Name of the token
`token_id`	updated	required	required		Group access token ID
`created_at`	updated	updated	updated		ISO8601 timestamp of creation
`expires_at`	updated	updated	updated		ISO8601 expiry date
`revoked`	updated	updated	updated		Whether the token is already revoked
`active`	updated	updated	updated	required	Whether the token is still active
`user_id`	updated	updated	updated		ID of associated user
`user_name`	updated	updated	updated		Name of associated user
`deployed`	updated	updated		required	Whether the token is actually used

Personal access tokens

These tokens are rotatable.

See the API description for details.

Token creation is not supported.

name	rotate	update	validate	description
(secret)	updated		required	secret token
`token_type`	required	required	required	`gitlab_personal_token`
`instance_url`	required	required	required	GitLab instance URL
`scopes`	updated	updated		Access scope
`token_name`	updated	updated		Name of the token
`token_id`	required	required		Access token ID
`created_at`	updated	updated		ISO8601 timestamp of creation
`expires_at`	updated	updated		ISO8601 expiry date
`revoked`	updated	updated		Whether the token is already revoked
`active`	updated	updated	required	Whether the token is still active
`user_id`	required	required		ID of associated user
`user_name`	updated	updated		Name of associated user
`deployed`	updated		required	Whether the token is actually used

Project deploy tokens

See the API description for details.

Token rotation is not supported.

name	create	update	validate	description
(secret)	updated			secret token
`token_type`	required	required	required	`gitlab_project_deploy_token`
`project_url`	required	required	required	Project URL
`scopes`	required	updated		Access scope
`token_name`	required	updated		Name of the token
`token_id`	updated	required	required	Project deploy token ID
`created_at`	updated			ISO8601 timestamp of creation
`expires_at`	optional	updated		ISO8601 expiry date
`revoked`	updated	updated		Whether the token is already revoked
`active`	updated	updated		Whether the token is still active
`user_name`	updated	updated		Associated user name
`deployed`	updated			Whether the token is actually used

Group deploy tokens

See the API description for details.

Token rotation is not supported.

name	create	update	validate	description
(secret)	updated			secret token
`token_type`	required	required	required	`gitlab_group_deploy_token`
`group_url`	required	required	required	Group URL
`scopes`	required	updated		Access scope
`token_name`	required	updated		Name of the token
`token_id`	updated	required	required	Group deploy token ID
`created_at`	updated			ISO8601 timestamp of creation
`expires_at`	optional	updated		ISO8601 expiry date
`revoked`	updated	updated		Whether the token is already revoked
`active`	updated	updated		Whether the token is still active
`user_name`	updated	updated		Associated user name
`deployed`	updated			Whether the token is actually used

Runner authentication tokens

See the API description for details.

Token creation and rotation is not supported.

name	update	validate	description
(secret)	required	required	secret token
`token_type`	required	required	`gitlab_runner_authentication_token`
`instance_url`	required	required	GitLab instance URL
`token_id`	updated		Group token ID
`expires_at`	updated		ISO8601 expiry date (optional)
`active`	updated		Whether the token is still active
`deployed`			Whether the token is actually used

LDAP

For LDAP keytabs and passwords, the tool supports

update (update)

python -m cki_tools.credential_manager ldap update [--token TOKEN]

options:
  --token TOKEN         Only update a single token

validation (validate)

python -m cki_tools.credential_manager ldap validate [--token TOKEN]

options:
  --token TOKEN         Only validate a single token

LDAP keytabs

Keytab validation is not supported.

name	update	description
(secret)		keytab, base64-encoded
`token_type`	required	`ldap_keytab`
`ldap_server`	required	LDAP server
`dn`	required	LDAP distinguished name
(LDAP attributes)	updated	LDAP object attributes

LDAP passwords

name	update	validate	description
(secret)		required	password
`token_type`	required	required	`ldap_password`
`ldap_server`	required	required	LDAP server
`dn`	required	required	LDAP distinguished name
(LDAP attributes)	updated		LDAP object attributes

AWS

For AWS secret access keys, the tool supports

update (update)

python -m cki_tools.credential_manager aws update --token TOKEN_SECRET_NAME

options:
  --token TOKEN         Only update a single token

name	update	description
(secret)		secret access key
`token_type`	required	`aws_secret_access_key`
`access_key_id`	required	access key ID
`endpoint_url`	required	endpoint URL if not AWS
`account`	updated	AWS account number
`user_name`	updated	service account user name
`arn`	updated	service account user ARN
`created_at`	updated	ISO8601 timestamp of creation
`active`	updated	Whether the token is still active
`deployed`		Whether the token is actually used

Dogtag

For Dogtag certificates, the tool supports

creation (create)

python -m cki_tools.credential_manager dogtag create --token TOKEN_SECRET_NAME

rotation (rotate)

python -m cki_tools.credential_manager dogtag rotate
                        [--token TOKEN] [--dry-run] [--force]

options:
  --token TOKEN         Only operate on a single token
  --dry-run             Do not modify secrets or create tokens
  --force               Force token rotation even if new enough

update (update)

python -m cki_tools.credential_manager dogtag update [--token TOKEN]

options:
  --token TOKEN         Only operate on a single token

validation of deployed tokens (validate)

python -m cki_tools.credential_manager dogtag validate [--token TOKEN]

options:
  --token TOKEN         Only operate on a single token

name	create	rotate	update	validate	description
(secret):private_key	updated	updated		required	secret key
(secret):certificate	updated	updated	updated	required	certificate
`token_type`	required	required	required	required	`dogtag_certificate`
`server_url`	required	required	required		Dogtag server URL
`serial_number`	updated	updated	required		Certificate serial number
`issuer_dn`	updated	updated	updated		Issuer DN
`subject_dn`	required	required	updated		Subject DN
`created_at`	updated	updated	updated		ISO8601 timestamp of creation
`expires_at`	updated	updated	updated		ISO8601 timestamp of expiry
`active`	updated	updated	updated		Whether the certificate is still valid
`deployed`	updated	updated			Whether the certificate is actually used

Configuration via environment variables

Name	Secret	Required	Description
`GITLAB_TOKENS`	no	yes	URL/environment variable pairs of GitLab instances and private tokens
`GITLAB_TOKEN`	yes	yes	GitLab private tokens as configured in `GITLAB_TOKENS` above
`CKI_LOGGING_LEVEL`	no	no	logging level for CKI modules, defaults to WARN; to get meaningful output on the command line, set to INFO