DNV.SecretsManager.ConsoleApp
1.3.3
```shell
# .NET CLI, global tool
dotnet tool install --global DNV.SecretsManager.ConsoleApp --version 1.3.3

# .NET CLI, local tool
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local DNV.SecretsManager.ConsoleApp --version 1.3.3

# Cake
#tool dotnet:?package=DNV.SecretsManager.ConsoleApp&version=1.3.3

# Nuke
nuke :add-package DNV.SecretsManager.ConsoleApp --version 1.3.3
```
Secrets Manager
The DNV.SecretsManager package is a command line tool for managing secrets in Azure Key Vault or Azure DevOps Variable Groups.
This tool allows secrets to be downloaded and uploaded as structured JSON files, meaning secrets may be uploaded in structured collections where previously they might have been maintained individually.
What it does
Given a collection of secrets in an Azure Key Vault, for example:

Name | Type | Status | Expiration date |
---|---|---|---|
Account--BaseUrl | text/plain | Enabled | |
Company--ApiKey | text/plain | Enabled | |
Company--Authority | text/plain | Enabled | |
Company--ClientId | text/plain | Enabled | |
Company--ClientSecret | text/plain | Enabled | |
Emailer--BaseUri | text/plain | Enabled | |
Emailer--FunctionKey | text/plain | Enabled | |
The secrets manager tool could be executed with the command:

```shell
secretsmanager keyvault -d -s <keyvault-url> -f output-file.json
```

The resulting output-file.json would look like:

```json
{
  "Account": {
    "BaseUrl": <secret value>
  },
  "Company": {
    "ApiKey": <secret value>,
    "Authority": <secret value>,
    "BaseUrl": <secret value>,
    "ClientId": <secret value>,
    "ClientSecret": <secret value>
  },
  "Emailer": {
    "BaseUri": <secret value>,
    "FunctionKey": <secret value>
  }
}
```
Conversely, an input JSON file (input-file.json) could be uploaded to an Azure Key Vault by executing the command:

```shell
secretsmanager keyvault -u -s <keyvault-url> -f input-file.json
```
Hierarchy
The secrets manager assumes a convention where the parent-child relationship between entities in a hierarchy is expressed with a -- delimiter.
In practice this means: to express that Company is the parent of ApiKey, a key would be named Company--ApiKey. If a parent has multiple children, they are aggregated into a single parent object, as may be seen in the result above with the keys Company--ApiKey, Company--Authority and Company--BaseUrl. Parent-child relationships may extend to far greater depth than the example given.
Arrays
It is also possible to include arrays of data in your configuration:

```json
{
  "Names": [
    <secret value>,
    <secret value>,
    <secret value>
  ]
}
```
Uploading this would result in a set of secrets with the array indexes included in their keys:

Name | Type | Status | Expiration date |
---|---|---|---|
Names--0 | text/plain | Enabled | |
Names--1 | text/plain | Enabled | |
Names--2 | text/plain | Enabled | |
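The naming convention from the Hierarchy and Arrays sections, worked through as an added example that is not part of the package: `flatten` turns a nested document into `Parent--Child` secret names (list elements become `Names--0`, `Names--1`, ...), and `unflatten` rebuilds the document, turning a level whose children are exactly the indexes 0..n-1 back into an array and rejecting a name that collides with an existing scalar (for instance both `Company` and `Company--ApiKey`). The sample document is constructed here and the values are placeholders.

```python
import json

DELIM = "--"  # parent-child delimiter assumed by the secrets manager convention


def flatten(obj, prefix=""):
    """Flatten a nested dict/list into {"Parent--Child": value} secret names."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = ((str(i), v) for i, v in enumerate(obj))  # index becomes the child name
    else:
        return {prefix: obj}
    flat = {}
    for key, value in items:
        name = f"{prefix}{DELIM}{key}" if prefix else str(key)
        flat.update(flatten(value, name))
    return flat


def unflatten(secrets):
    """Rebuild the nested document from flat secret names; raises on conflicts."""
    tree = {}
    for name, value in secrets.items():
        *parents, leaf = name.split(DELIM)
        node = tree
        for part in parents:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):  # e.g. "A" is a scalar but "A--B" also exists
                raise ValueError(f"{name!r} conflicts with a scalar parent")
            node = child
        if isinstance(node.get(leaf), dict):  # e.g. "A--B" exists and now "A" arrives
            raise ValueError(f"{name!r} conflicts with existing children")
        node[leaf] = value
    return _arrays(tree)


def _arrays(node):
    """Convert dict levels keyed exactly 0..n-1 into lists, recursively."""
    if not isinstance(node, dict):
        return node
    node = {k: _arrays(v) for k, v in node.items()}
    if node and all(k.isdigit() for k in node):
        idx = sorted(int(k) for k in node)
        if idx == list(range(len(idx))):
            return [node[str(i)] for i in idx]
    return node


# Constructed sample; placeholder values, not real secrets.
SAMPLE = {"Account": {"BaseUrl": "https://example.invalid"},
          "Company": {"ApiKey": "key-placeholder", "ClientId": "client-placeholder"},
          "Names": ["n0", "n1", "n2"]}

if __name__ == "__main__":
    print(json.dumps(flatten(SAMPLE), indent=2))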
Usage

```
secretsmanager <command> [<args>]

Commands:
  keyvault       Download or upload secrets from/to Azure Key Vault
  variablegroup  Download or upload secrets from/to an Azure DevOps Variable Group
```

Key vault command

```
secretsmanager keyvault [-h | --help]
                        -d | --download | -u | --upload | -c | --clear
                        -s | --url <url>
                        -f | --filename <filename>
```

Options

- `-h | --help`: Prints the synopsis of commands and options available.
- `-d | --download`: Requests the secrets to be downloaded from the specified source to a JSON file.
- `-u | --upload`: Requests that a provided JSON file be uploaded to the specified source.
- `-c | --clear`: Deletes all secrets from the specified source.
- `-s | --url <url>`: Provides the URL of the key vault.
- `-f | --filename <filename>`: Specifies the file to download to or upload from.
Variable group command

```
secretsmanager variablegroup [-h | --help]
                             -d | --download | -u | --upload | -c | --clear
                             -s | --base-url <base-url>
                             -o | --organization <organization>
                             -p | --pat <pat>
                             -g | --group-id <group-id>
                             -f | --filename <filename>
```

Options

- `-h | --help`: Prints the synopsis of commands and options available.
- `-d | --download`: Requests the secrets to be downloaded from the specified source to a JSON file.
- `-u | --upload`: Requests that a provided JSON file be uploaded to the specified source.
- `-c | --clear`: Deletes all secrets from the specified source.
- `-s | --base-url <base-url>`: Provides the base URL of Azure DevOps.
- `-o | --organization <organization>`: Provides the Azure DevOps organization to which the variable group belongs.
- `-p | --pat <pat>`: Specifies the Personal Access Token used for authentication.
- `-g | --group-id <group-id>`: Specifies the id of the variable group to download from or upload to.
- `-f | --filename <filename>`: Specifies the file to download to or upload from.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. |
This package has no dependencies.