Documentation ¶
Overview ¶
The secret-tool executable generates and rotates secrets stored in Google Secret Manager (GSM) and consumed by the go.chromium.org/luci/server/secrets module.
It supports generation and manipulation of secrets that are:
- Randomly generated byte blobs.
- Password-like strings passed via terminal.
- Tink key sets serialized as JSON.
By default it does not read secrets back once they are stored. The set of active secrets is represented by individual GSM SecretVersion objects, with the aliases "current", "previous" and "next" pointing at them. The tool knows how to move these aliases to perform a reasonably graceful rotation: "current" is the version new data is sealed with, while "previous" and "next" stay loaded so that data sealed with the version just retired, or with the version about to be promoted, can still be unsealed. When using Tink keys, the key set used at runtime is assembled dynamically from the keys stored in the "current", "previous" and "next" SecretVersions.
To generate a new secret, run e.g.
    secret-tool create sm://<project>/root-secret -secret-type random-bytes-32
    secret-tool create sm://<project>/tink-aead-primary -secret-type tink-aes256-gcm
To rotate an existing secret (regardless of its type), first publish the new version as "next", wait until every consumer has cached it, then promote it. Ending the rotation too early leaves consumers that have not refreshed with only "current" and "previous", so they cannot unseal anything sealed with the newly promoted version:
    secret-tool rotation-begin sm://<project>/<name>
    # wait several hours to make sure the new secret is cached everywhere
    # confirm by looking at /chrome/infra/secrets/gsm/version metric
    secret-tool rotation-end sm://<project>/<name>
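The alias-based rotation described above, and why the wait between rotation-begin and rotation-end matters, as an added illustration that is not secret-tool's own code. It models a GSM secret as numbered versions plus the "current", "previous" and "next" aliases; the exact alias moves performed by rotation-begin and rotation-end are assumed from the description on this page, and the Secret, Snapshot and CanUnseal names are invented for the example. Secret Manager and Tink are not touched; payloads are plain 32-byte random blobs in the spirit of the random-bytes-32 type.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// Aliases that the page describes on GSM SecretVersions.
const (
	AliasCurrent  = "current"
	AliasPrevious = "previous"
	AliasNext     = "next"
)

// Secret is an in-memory stand-in for one Google Secret Manager secret:
// numbered versions plus aliases pointing at them. Not the tool's own code;
// the alias moves in RotationBegin/RotationEnd are an assumed model of the
// behaviour described on this page.
type Secret struct {
	payloads [][]byte       // payloads[i] is SecretVersion i+1
	aliases  map[string]int // alias -> 1-based version number
	newBlob  func() ([]byte, error)
}

// randomBytes32 mirrors the "random-bytes-32" secret type.
func randomBytes32() ([]byte, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// NewSecret returns an empty secret whose versions are produced by newBlob
// (defaults to randomBytes32).
func NewSecret(newBlob func() ([]byte, error)) *Secret {
	if newBlob == nil {
		newBlob = randomBytes32
	}
	return &Secret{aliases: map[string]int{}, newBlob: newBlob}
}

// addVersion generates a fresh payload and returns its version number.
func (s *Secret) addVersion() (int, error) {
	b, err := s.newBlob()
	if err != nil {
		return 0, err
	}
	s.payloads = append(s.payloads, b)
	return len(s.payloads), nil
}

// Create models `secret-tool create`: version 1 becomes "current".
func (s *Secret) Create() error {
	if len(s.payloads) != 0 {
		return errors.New("secret already exists")
	}
	v, err := s.addVersion()
	if err != nil {
		return err
	}
	s.aliases[AliasCurrent] = v
	return nil
}

// RotationBegin models `secret-tool rotation-begin`: a new version is created
// and exposed as "next", so consumers load it on their next refresh while
// nothing is sealed with it yet (assumed behaviour).
func (s *Secret) RotationBegin() error {
	if _, ok := s.aliases[AliasCurrent]; !ok {
		return errors.New("secret has no current version; run create first")
	}
	if _, ok := s.aliases[AliasNext]; ok {
		return errors.New("rotation already in progress")
	}
	v, err := s.addVersion()
	if err != nil {
		return err
	}
	s.aliases[AliasNext] = v
	return nil
}

// RotationEnd models `secret-tool rotation-end`: "next" becomes "current",
// the old "current" becomes "previous", "next" is cleared, and whatever was
// "previous" drops out of the active set (assumed behaviour).
func (s *Secret) RotationEnd() error {
	next, ok := s.aliases[AliasNext]
	if !ok {
		return errors.New("no rotation in progress")
	}
	s.aliases[AliasPrevious] = s.aliases[AliasCurrent]
	s.aliases[AliasCurrent] = next
	delete(s.aliases, AliasNext)
	return nil
}

// CurrentVersion is the version new data is sealed with.
func (s *Secret) CurrentVersion() int { return s.aliases[AliasCurrent] }

// Snapshot is what a consumer loading the secret right now keeps in its
// cache: every aliased version, keyed by version number.
func (s *Secret) Snapshot() map[int]bool {
	snap := map[int]bool{}
	for _, v := range s.aliases {
		snap[v] = true
	}
	return snap
}

// Active lists the aliased versions in ascending order.
func (s *Secret) Active() []int {
	var out []int
	for v := range s.Snapshot() {
		out = append(out, v)
	}
	sort.Ints(out)
	return out
}

// CanUnseal reports whether a consumer holding snap can handle data sealed
// with version v: only if that version was in its cache.
func CanUnseal(snap map[int]bool, v int) bool { return snap[v] }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	s := NewSecret(nil)
	must(s.Create())
	stale := s.Snapshot() // consumer that never refreshes during the rotation
	must(s.RotationBegin())
	fresh := s.Snapshot() // consumer that refreshed after rotation-begin
	must(s.RotationEnd())
	cur := s.CurrentVersion()
	fmt.Printf("active=%v current=%d\n", s.Active(), cur)
	fmt.Printf("refreshed after rotation-begin can unseal: %v\n", CanUnseal(fresh, cur))
	fmt.Printf("skipped the wait, can unseal:              %v\n", CanUnseal(stale, cur))
}
```

The two snapshots are the point: a consumer that picked up "next" before rotation-end can unseal data sealed with the promoted version, while one that did not cannot, which is what the wait and the /chrome/infra/secrets/gsm/version metric check guard against. A second begin/end cycle shows version 1 leaving the active set entirely.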