secret-tool

command
v0.0.0-...-d3da680 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 4, 2024 License: Apache-2.0 Imports: 34 Imported by: 0

Documentation

Overview

Executable secret-tool allows to generate and rotate secrets stored in Google Secret Manager and consumed by go.chromium.org/luci/server/secrets module.

Is supports generation and manipulation of secrets that are:

  • Randomly generated byte blobs.
  • Password-like strings passed via terminal.
  • Tink key sets serialized as JSON.

By default it doesn't access secrets once they are stored. The set of active secrets is represented by individual GSM SecretVersion objects with aliases "current", "previous" and "next" pointing to them. The tool knows how to move these aliases to perform somewhat graceful rotations. When using Tink keys, the final key set used at runtime is assembled dynamically from keys stored in "current", "previous" and "next" SecretVersions.

To generate a new secret, run e.g.

secret-tool create sm://<project>/root-secret -secret-type random-bytes-32
secret-tool create sm://<project>/tink-aead-primary -secret-type tink-aes256-gcm

To rotate an existing secret (regardless of its type):

secret-tool rotation-begin sm://<project>/<name>
# wait several hours to make sure the new secret is cached everywhere
# confirm by looking at /chrome/infra/secrets/gsm/version metric
secret-tool rotation-end sm://<project>/<name>

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL