Install the DevOps Secrets Safe CLI

The DevOps Secrets Safe CLI, ssrun, is a Python package that wraps functionality exposed by the DevOps Secrets Safe API into a convenient tool that is used to interact with the system.


The DevOps Secrets Safe CLI should run on any major platforms supported by Python and which have Python 3.5 and pip3 or above available.

Install the Package with pip

The DevOps Secrets Safe CLI package, titled secretssafe, is installed and managed on a client machine by the Python package manager pip through a BeyondTrust supplied .whl file that is located in the CommandLineInterface directory of the extracted archive.

Execute the following when running in a virtual environment:

$ pip install secretssafe-<version>-py3-none-any.whl

Conversely, execute the following when running outside a virtual environment:

$ pip3 install secretssafe-<version>-py3-none-any.whl

Set Up the Required Environment Variables

$ export SECRETSSAFE_HOST=<IP address or hostname of Secrets Safe instance> 
$ export SECRETSSAFE_PORT=<port of Secrets Safe instance>
The following variable is necessary only if the certificate authority is not publicly trusted.

$ export SECRETSSAFE_VERIFY_CA=<path_to_ca_cert>

The DevOps Secrets Safe CLI verifies the SSL certificate presented by the DSS instance. The SECRETSSAFE_VERIFY_CA environment variable specifies the path to the CA certificate that the DSS certificate is checked against.

If no SECRETSSAFE_VERIFY_CA is specified, the default certificate bundles provided by the Python requests library are used.

Certificate verification can be disabled by setting SECRETSSAFE_VERIFY_CA=false. This is strongly discouraged for production environments. As a convince, it is recommended that these environment variables be persisted in the shell environment. For example, storing them in a users ~/.bashrc file similar to the following;

$ echo 'export SECRETSSAFE_HOST=' >> ~/.bashrc 
$ echo 'export SECRETSSAFE_PORT=443' >> ~/.bashrc
$ echo 'export SECRETSSAFE_VERIFY_CA=false' >> ~/.bashrc
$ source ~/.bashrc

In the example above certificate verification has been set to false. While this is convenient for test it is NOT recommended in a production environment.

Execute the CLI

After a successful installation, the CLI may be ran by executing the following from any location on the filesystem:

$ ssrun

If the secretssafe package was installed inside a virtual environment, the environment must be first activated for ssrun to be on the path and thus executable.