Manage DevOps Secrets Safe Applications

Before starting this section, ensure you have initialized, unsealed, and logged into DevOps Secrets Safe as root.

  1. Create a new application:
    ssrun application create -n NewApplication

Upon creation, an API key is returned. This key is used for any subsequent login as the application.

  2. View the list of applications:
    ssrun application get -v

The principal discovery mechanism in the API accepts any subset of the URI {identity_provider}/{principal_type}/{principal_name}/{principal_extension_data}. Therefore, the command above returns all internal applications. Additionally, the optional -v flag can be used to get a full listing of principal or principal container attributes. Otherwise, a slim view of each principal or principal container is returned.

  3. Create a secret:
    echo -n "I love my test content" | ssrun secret create testsecret:mytestsecret

Whenever you reference a secret, the URI must be in the format {scopePath}:{secretName}. For example, path/to/secrets:secretName.

The echo line shown above works only in bash and similar shells.

  4. Authorize the new application to read the secret:
    ssrun authorization create -p principal/internal/application/NewApplication -o read -a allow secret/testsecret:mytestsecret

    The authorization command accepts the following arguments:

    • -p: (Required). URI of the principal the access control is being applied to.

      An application's URI can be derived using the principal discovery mechanism detailed in step 2.

    • -o: (Optional). Operations the authorization applies to.

      Options are create, read, update, delete, and grant.

    • -a: (Required). Set to allow to grant authorization or deny to revoke.

      Options are allow and deny.

  5. Log in as the new application:
    ssrun login -a NewApplication -k 2a098f21-0b11-4918-b705-7752588d5d8c

The API key passed with -k is the one that was returned when the application was created in step 1.

  6. Read the secret:
    ssrun secret get testsecret:mytestsecret
  7. Log in as root again:
    ssrun login -u root -p rootpassword
  8. Delete the new application:
    ssrun application delete -n NewApplication

The name associated with an application can be determined via the list applications command as detailed in step 2.
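
When the read-only grant from the authorization step is scripted, the application name and the {scopePath}:{secretName} URI can be checked before they reach ssrun. The following is an added example, not part of the product or its documentation; the function names are hypothetical, and the allowed character set (letters, digits, '.', '_' and '-') is an assumption, since this page does not state the naming rules.

```shell
#!/bin/sh
# Added example, not vendor code. Builds the read-only grant shown in the
# authorization step after validating both inputs.
# Assumption: names contain only letters, digits, '.', '_' and '-'.
LC_ALL=C
export LC_ALL

# Succeeds if $1 is a non-empty name made only of the assumed safe characters.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Succeeds if $1 has the form {scopePath}:{secretName}: exactly one ':',
# a '/'-separated scope path with no empty segments, and a valid secret name.
valid_secret_uri() {
    case "$1" in
        *:*:*|:*|*:) return 1 ;;   # more than one ':', or an empty side
        *:*) ;;                    # exactly one ':' with text on both sides
        *) return 1 ;;             # no ':' at all
    esac
    scope=${1%%:*}
    name=${1#*:}
    valid_name "$name" || return 1
    case "$scope" in
        *[!A-Za-z0-9._/-]*|/*|*/|*//*) return 1 ;;
    esac
    return 0
}

# Prints the grant command for internal application $1 on secret $2.
# Returns 2 and prints no command if either argument fails validation.
read_grant_cmd() {
    app=$1
    secret=$2
    valid_name "$app" || { echo "invalid application name" >&2; return 2; }
    valid_secret_uri "$secret" || { echo "invalid secret URI" >&2; return 2; }
    printf 'ssrun authorization create -p principal/internal/application/%s -o read -a allow secret/%s\n' \
        "$app" "$secret"
}
```

Calling read_grant_cmd NewApplication testsecret:mytestsecret prints the same command as the authorization step, and the operation is fixed to read so the helper cannot be used to hand out broader permissions.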