Manage DevOps Secrets Safe Users

Before starting this section, ensure you have initialized, unsealed, and logged into DevOps Secrets Safe as root.

  1. Create a new user:
    ssrun user create -n NewUser -p NewUserPassword

Passwords must be a minimum of 10 characters in length.

  1. View the list of users:
    ssrun user get -v

The principal discovery mechanism accepts any subset of the URI {identity_provider}/{principal_type}/{principal_name}/{principal_extension_data}. Therefore, the URI above returns all internal users. Additionally, the (optional) -v flag can be used to get a full listing of principals or principal containers attributes. Otherwise, a slim view of each principal or principal container is returned.

  1. Create a secret:
    echo -n "I love my test content" | ssrun secret create testsecret:mytestsecret
Whenever you reference a secret, the URI must be in the format {scopePath}:{secretName}. For example, path/to/secrets:secretName.

The echo line may only be performed in bash and similar shells.

  1. Authorize the new user to read the secret:
    ssrun authorization create -p principal/internal/user/NewUser -o read -a allow secret/testsecret:mytestsecret

    The create-authorization command accepts the following arguments:

    The authorization command accepts the following arguments:

    • -p: (Required). URI of the principal the access control is being applied to.

      A user's URI can be derived using the principal discovery mechanism detailed in step 2.

    • -o: (Optional). Operations authorization applies to.

      Options are create, read, update, and delete.

      Options are create, read, update, delete and grant.

    • -a: (Optional). Set to allow to grant authorization or deny to revoke.
  1. Log in as the new user:
    ssrun login -u NewUser -p NewUserPassword
  2. Read the secret:
    ssrun secret get testsecret:mytestsecret
  3. Log in as root again:
    ssrun login -u root -p rootpassword
  4. Delete the new user:
    ssrun user delete -n NewUser

Resource Name Restrictions

DSS enforces restrictions for all resource types.

  • The valid characters for resources at large are:
    • a b c d e f g h i j k l m n o p q r s t u v w x y z
    • A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    • 0 1 2 3 4 5 6 7 8 9 @ : $ _ . + ! * ' ( ) -

Additionally, there are specific restrictions on user, application, and group names.

  • The maximum number of characters in any user, application, or group name is 120.
  • The valid characters for user, application, and group names are:
    • a b c d e f g h i j k l m n o p q r s t u v w x y z
    • A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    • 0 1 2 3 4 5 6 7 8 9 - . _ @ +