secret-manager create

Note

This feature is available in dbvr Pro only.

Synopsis

dbvr secret-manager create [-hV]
                           [--aws.region=<string> --aws.cloudId=<string>
                            --aws.configurationId=<string>
                            --aws.configurationName=<string>
                            [--aws.description=<string>]
                           |
                            --cyberark.baseUrl=<string> --cyberark.account=<string>
                            --cyberark.username=<string> --cyberark.apiKey=<string>
                            --cyberark.policyBranch=<string>
                            --cyberark.configurationId=<string>
                            --cyberark.configurationName=<string>
                            [--cyberark.trustCertificate=<true|false>]
                            [--cyberark.globalConfiguration=<true|false>]
                            [--cyberark.description=<string>]
                           |
                            --vault.vaultUrl=<string> --vault.authType=<value>
                            --vault.vaultJwtProviderId=<string>
                            --vault.token=<string> --vault.username=<string>
                            --vault.password=<string>
                            --vault.configurationId=<string>
                            --vault.configurationName=<string>
                            [--vault.vaultRoleClaim=<string>]
                            [--vault.globalConfiguration=<true|false>]
                            [--vault.description=<string>]]

Tip

You can also use global options with this command.

Description

Create a new secret manager configuration.

Use one of three provider-specific option groups - --aws.*, --cyberark.*, or --vault.* - to define the connection. All required options for the chosen provider must be specified.

AWS Secrets Manager options

--aws.region

--aws.region=<string>

AWS region where the secrets are stored.

--aws.cloudId

--aws.cloudId=<string>

AWS Cloud configuration ID used for authentication. Specifies which AWS Cloud profile to use to access the secrets.

--aws.configurationId

--aws.configurationId=<string>

Unique identifier for this configuration.

--aws.configurationName

--aws.configurationName=<string>

Display name for this configuration.

--aws.description

--aws.description=<string>

Optional description.

CyberArk options

--cyberark.baseUrl

--cyberark.baseUrl=<string>

URL of the Conjur OSS server (for example, https://conjur.example.com).

--cyberark.account

--cyberark.account=<string>

Conjur tenant or organization account name (for example, myorg).

--cyberark.username

--cyberark.username=<string>

Conjur user ID used for authentication.

--cyberark.apiKey

--cyberark.apiKey=<string>

API key associated with the Conjur user for authn login.

--cyberark.policyBranch

--cyberark.policyBranch=<string>

Path to the policy namespace where secrets are stored (for example, dev/app).

--cyberark.configurationId

--cyberark.configurationId=<string>

Unique identifier for this configuration.

--cyberark.configurationName

--cyberark.configurationName=<string>

Display name for this configuration.

--cyberark.trustCertificate

--cyberark.trustCertificate=<true|false>

Trust the CyberArk server's SSL certificate without manual import. Enable this if you're using a self-signed certificate or connecting to a server whose certificate isn't trusted by default. With it enabled, the presented certificate is accepted as-is rather than validated through the trust store, so for production servers importing the CA certificate is the safer choice.

--cyberark.globalConfiguration

--cyberark.globalConfiguration=<true|false>

Apply this configuration globally across all clients.

--cyberark.description

--cyberark.description=<string>

Optional description.

Vault options

--vault.vaultUrl

--vault.vaultUrl=<string>

URL of the Vault server used to retrieve secrets.

--vault.authType

--vault.authType=<value>

Authentication type. Accepted values: OAUTH2, TOKEN, USERNAME_PASSWORD.

--vault.vaultJwtProviderId

--vault.vaultJwtProviderId=<string>

Path where the JWT authentication method is enabled in Vault (for example, auth/jwt/). Used when --vault.authType=OAUTH2.

--vault.token

--vault.token=<string>

Authentication token required to access the Vault server. Used when --vault.authType=TOKEN.

--vault.username

--vault.username=<string>

Username for Vault authentication. Used when --vault.authType=USERNAME_PASSWORD.

--vault.password

--vault.password=<string>

Password for Vault authentication. Used when --vault.authType=USERNAME_PASSWORD.

--vault.configurationId

--vault.configurationId=<string>

Unique identifier for this configuration.

--vault.configurationName

--vault.configurationName=<string>

Display name for this configuration.

--vault.vaultRoleClaim

--vault.vaultRoleClaim=<string>

The claim in the JWT token that contains the Vault role name. If not set, the default role from the Vault provider is used.

--vault.globalConfiguration

--vault.globalConfiguration=<true|false>

Apply this configuration globally across all clients.

--vault.description

--vault.description=<string>

Optional description.

Examples

Create an AWS Secrets Manager configuration:

dbvr secret-manager create \
  --aws.region=us-east-1 \
  --aws.cloudId=my-cloud-profile \
  --aws.configurationId=aws-prod \
  --aws.configurationName="AWS Production" \
  --aws.description="Production secrets"

Create a CyberArk configuration:

dbvr secret-manager create \
  --cyberark.baseUrl=https://cyberark.example.com \
  --cyberark.account=myaccount \
  --cyberark.username=admin \
  --cyberark.apiKey=myapikey \
  --cyberark.policyBranch=Root \
  --cyberark.configurationId=cyberark-prod \
  --cyberark.configurationName="CyberArk Production"

Create a Vault configuration using token authentication:

dbvr secret-manager create \
  --vault.vaultUrl=https://vault.example.com \
  --vault.authType=TOKEN \
  --vault.token=s.mytoken \
  --vault.vaultJwtProviderId=my-jwt-provider \
  --vault.username=vaultuser \
  --vault.password=vaultpass \
  --vault.configurationId=vault-prod \
  --vault.configurationName="Vault Production"
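The option-group rule from the Description and the authType-dependent Vault credential options, as an added shell wrapper that is not part of the dbvr CLI or its documentation: it checks that every option belongs to a single provider group and that the group's required options are present before dbvr secret-manager create is invoked. The required-option lists follow the synopsis and the per-option descriptions above; the DBVR_SECRET environment-variable convention and the DBVR_DRY_RUN switch are assumptions of this script only.

```shell
#!/bin/sh
# Added example (not part of dbvr or its documentation): validate the
# provider-specific option group for "dbvr secret-manager create" before the
# CLI runs. Required-option lists follow the synopsis and option descriptions;
# DBVR_SECRET and DBVR_DRY_RUN are conventions assumed by this script only.

# Required options per provider group, without the "<provider>." prefix.
# For vault, the credential options depend on authType (added below).
required_for() {
  case "$1" in
    aws)      echo "region cloudId configurationId configurationName" ;;
    cyberark) echo "baseUrl account username apiKey policyBranch configurationId configurationName" ;;
    vault)    echo "vaultUrl authType configurationId configurationName" ;;
    *)        return 1 ;;
  esac
}

# check_create_opts PROVIDER name[=value] ...
# Returns 0 when every option belongs to PROVIDER's group and all required
# options are present; otherwise reports the first problem on stderr, returns 1.
check_create_opts() {
  provider=$1; shift
  required=$(required_for "$provider") || {
    echo "unknown provider '$provider' (expected aws, cyberark or vault)" >&2
    return 1
  }
  given=" "
  auth_type=""
  for kv in "$@"; do
    key=${kv%%=*}                      # "vault.authType" from "vault.authType=TOKEN"
    case "$key" in
      "$provider".*) ;;
      *) echo "--$key does not belong to the $provider option group" >&2; return 1 ;;
    esac
    name=${key#*.}
    given="$given$name "
    if [ "$name" = authType ]; then auth_type=${kv#*=}; fi
  done
  if [ "$provider" = vault ]; then
    case "$auth_type" in
      TOKEN)             required="$required token" ;;
      USERNAME_PASSWORD) required="$required username password" ;;
      OAUTH2)            required="$required vaultJwtProviderId" ;;
      *) echo "--vault.authType must be OAUTH2, TOKEN or USERNAME_PASSWORD" >&2; return 1 ;;
    esac
  fi
  for r in $required; do
    case "$given" in
      *" $r "*) ;;
      *) echo "missing required option --$provider.$r" >&2; return 1 ;;
    esac
  done
}

# create_secret_manager PROVIDER name[=value] ...
# Validates the options, then runs the CLI. An option given without "=value"
# (for example cyberark.apiKey) takes its value from $DBVR_SECRET, so the API
# key, token or password is never typed on the command line or kept in shell
# history. With DBVR_DRY_RUN=1 the argument list is printed instead of run,
# with the secret replaced by a placeholder.
create_secret_manager() {
  check_create_opts "$@" || return 1
  shift                                # drop PROVIDER; rebuild "$@" as CLI flags
  n=$#
  i=0
  while [ "$i" -lt "$n" ]; do
    kv=$1; shift
    case "$kv" in
      *=*) set -- "$@" "--$kv" ;;
      *)   if [ "${DBVR_DRY_RUN:-0}" = 1 ]; then
             set -- "$@" "--$kv=<DBVR_SECRET>"
           else
             [ -n "${DBVR_SECRET:-}" ] || { echo "DBVR_SECRET is not set for --$kv" >&2; return 1; }
             set -- "$@" "--$kv=$DBVR_SECRET"
           fi ;;
    esac
    i=$((i + 1))
  done
  if [ "${DBVR_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' dbvr secret-manager create "$@"
  else
    dbvr secret-manager create "$@"
  fi
}

# Typical use (constructed values):
#   printf 'API key: '; read -r DBVR_SECRET; export DBVR_SECRET
#   create_secret_manager cyberark cyberark.baseUrl=https://conjur.example.com \
#     cyberark.account=myorg cyberark.username=admin cyberark.apiKey \
#     cyberark.policyBranch=dev/app cyberark.configurationId=cyberark-prod \
#     cyberark.configurationName="CyberArk Production"
```

Reading the secret with read -r from a prompt keeps it out of the shell history that an export on the command line would leave behind; DBVR_DRY_RUN=1 shows the exact argument list that would be passed, with the secret masked, which is a convenient way to review a configuration before it is created.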

Info

For a complete walkthrough - including creating a Vault secret and using it with a datasource - see Secret provider setup example.