Secret Generation

Secret Generation Configuration

DevOps Secrets Safe implements a number of secret generators. Secret generation configurations can be modified at runtime by using the CLI.

Managing Secret Generator Configurations

Listing Secret Generator Configurations

ssrun generator get

This provides a list of all configured secret generators as JSON.

Example output:

{
	"Type": "String",
	"Name": "my-password-generator",
	"Description": "Default password construction policy",
	"Options": {
		"MinCharacters": 8,
		"MaxCharacters": 10,
		"AllowUpperCaseCharacters": true,
		"NumberOfRequiredUpperCaseCharacters": 1,
		"UpperCaseCharacters": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
		"AllowLowerCaseCharacters": true,
		"NumberOfRequiredLowerCaseCharacters": 1,
		"LowerCaseCharacters": "abcdefghijklmnopqrstuvwxyz",
		"AllowNumericCharacters": true,
		"NumberOfRequiredNumericCharacters": 1,
		"NumericCharacters": "1234567890",
		"AllowNonAlphaNumericCharacters": false,
		"NumberOfNonAlphaNumericCharacters": 1,
		"NonAlphaNumericCharacters": "~!@#$%^&*()-+=?/<>|[]{}_.",
		"FirstCharacterRequirement": "AnyCharacterPermitted"
	}
}

To view a specific generator, you can specify the generator name with the command above (ssrun generator get -n my-password-generator).

Delete a Secret Generator Configuration

ssrun generator delete -n <generator-name>

This deletes the generator with the given name.

Create a Secret Generator Configuration

ssrun generator create -f my-generator.json

This creates a generator configuration using the values in the file my-generator.json. Details on the structure of the configuration file are outlined in the section below.

Secret Generator Configuration

Configurations are defined in JSON formatted files. Generator configurations have the following structure:

{
	"Type": "string",
	"Version": "1.0",
	"Name": "string",
	"Description": "string",
	"Options": {
		"additionalProp1": "string",
		"additionalProp2": "string",
		...
	}
}

Field Descriptions

Type: (Required) The generator type to use. The following are supported generator types:

  • String
  • Number

These are elaborated on in a section below.

Version: (Optional) The version of the specified type to be used.

If no version is specified, this will default to 1.0.

Name: (Required) Friendly name for the generator. This is the name that you would provide to ssrun generator delete if you were to delete the secret generator later.

Names must be unique and can only include the following characters: 0-9, A-Z, a-z, underscore (_) and dash (-).

Description: (Optional) Provides details about this generator.

Options: (Optional) A JSON object of key-value pairs that supplies extra arguments for the generator configuration.

If this section, or any key within it, is omitted, the default value(s) defined by the specified generator type and version are used.

Secret Generator Provider Specific Options

As noted above, the Type and Version fields determine which options, if any, are required.

String Generator Options

The following are the options for version 1.0 of the String generator:

  • MinCharacters: (Defaults to 8) Defines the minimum password length.
  • MaxCharacters: (Defaults to 10) Defines the maximum password length. MaxCharacters must be greater than MinCharacters.
  • AllowUpperCaseCharacters: (Defaults to true) Determines whether uppercase characters are permitted.
  • NumberOfRequiredUpperCaseCharacters: (Defaults to 1) Minimum number of required uppercase characters.
  • UpperCaseCharacters: (Defaults to ABCDEFGHIJKLMNOPQRSTUVWXYZ) Defines the allowable uppercase characters.
  • AllowLowerCaseCharacters: (Defaults to true) Determines whether lowercase characters are permitted.
  • NumberOfRequiredLowerCaseCharacters: (Defaults to 1) Minimum number of required lowercase characters.
  • LowerCaseCharacters: (Defaults to abcdefghijklmnopqrstuvwxyz) Defines the allowable lowercase characters.
  • AllowNumericCharacters: (Defaults to true) Determines whether numeric characters are permitted.
  • NumberOfRequiredNumericCharacters: (Defaults to 1) Minimum number of required numeric characters.
  • NumericCharacters: (Defaults to 1234567890) Defines the allowable numeric characters.
  • AllowNonAlphaNumericCharacters: (Defaults to false) Determines whether non-alphanumeric characters are permitted.
  • NumberOfNonAlphaNumericCharacters: (Defaults to 1) Minimum number of required non-alphanumeric characters.
  • NonAlphaNumericCharacters: (Defaults to ~!@#$%^&*()-+=?/<>|[]{}_.) Defines the allowable non-alphanumeric characters.
  • FirstCharacterRequirement: (Defaults to AnyCharacterPermitted) Constrains which character classes the first character of the generated value may come from.

Allowable FirstCharacterRequirement values are:

  • AnyCharacterPermitted
  • AlphaCharactersOnly
  • AlphaNumericPermitted

String Generator Configuration:

{
	"Type": "String",
	"Name": "my-password-generator",
	"Description": "Default password construction policy",
	"Options": {
		"MinCharacters": 8,
		"MaxCharacters": 10,
		"AllowUpperCaseCharacters": true,
		"NumberOfRequiredUpperCaseCharacters": 1,
		"UpperCaseCharacters": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
		"AllowLowerCaseCharacters": true,
		"NumberOfRequiredLowerCaseCharacters": 1,
		"LowerCaseCharacters": "abcdefghijklmnopqrstuvwxyz",
		"AllowNumericCharacters": true,
		"NumberOfRequiredNumericCharacters": 1,
		"NumericCharacters": "1234567890",
		"AllowNonAlphaNumericCharacters": false,
		"NumberOfNonAlphaNumericCharacters": 1,
		"NonAlphaNumericCharacters": "~!@#$%^&*()-+=?/<>|[]{}_.",
		"FirstCharacterRequirement": "AnyCharacterPermitted"
	}
}
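As an added illustration (not DevOps Secrets Safe's own code), the following Python models the String generator policy described above: it layers a configuration file's Options over the documented defaults, enforces the documented constraints, draws a value from the OS CSPRNG, and provides a check that any value, freshly generated or already stored, conforms to the policy. It assumes that a required count only applies to a class whose Allow flag is true, and it uses string.digits, which is the same character set as 1234567890.

```python
import secrets
import string
# Defaults for version 1.0 of the String generator as documented on this page (string.digits == "0123456789").
DEFAULTS = {"MinCharacters": 8, "MaxCharacters": 10, "FirstCharacterRequirement": "AnyCharacterPermitted",
    "AllowUpperCaseCharacters": True, "NumberOfRequiredUpperCaseCharacters": 1, "UpperCaseCharacters": string.ascii_uppercase,
    "AllowLowerCaseCharacters": True, "NumberOfRequiredLowerCaseCharacters": 1, "LowerCaseCharacters": string.ascii_lowercase,
    "AllowNumericCharacters": True, "NumberOfRequiredNumericCharacters": 1, "NumericCharacters": string.digits,
    "AllowNonAlphaNumericCharacters": False, "NumberOfNonAlphaNumericCharacters": 1,
    "NonAlphaNumericCharacters": "~!@#$%^&*()-+=?/<>|[]{}_.",
}
# (Allow flag, required-count option, alphabet option) for each character class.
CLASSES = [("AllowUpperCaseCharacters", "NumberOfRequiredUpperCaseCharacters", "UpperCaseCharacters"),
           ("AllowLowerCaseCharacters", "NumberOfRequiredLowerCaseCharacters", "LowerCaseCharacters"),
           ("AllowNumericCharacters", "NumberOfRequiredNumericCharacters", "NumericCharacters"),
           ("AllowNonAlphaNumericCharacters", "NumberOfNonAlphaNumericCharacters", "NonAlphaNumericCharacters")]
# Predicate the first character must satisfy, per FirstCharacterRequirement value.
FIRST = {"AnyCharacterPermitted": lambda c: True, "AlphaCharactersOnly": str.isalpha, "AlphaNumericPermitted": str.isalnum}

def resolve(config):
    """Merge the file's Options over the defaults and reject the constraint violations the page documents."""
    opts = {**DEFAULTS, **config.get("Options", {})}
    if opts["MaxCharacters"] <= opts["MinCharacters"]:
        raise ValueError("MaxCharacters must be greater than MinCharacters")
    # Assumption: a required count only applies while its Allow flag is true (the page's own example keeps
    # NumberOfNonAlphaNumericCharacters at 1 with that class disabled); the active counts must fit the length.
    if sum(opts[n] for allow, n, _ in CLASSES if opts[allow]) > opts["MaxCharacters"]:
        raise ValueError("required character counts cannot fit inside MaxCharacters")
    return opts

def complies(value, opts):  # policy check; also usable to audit any value already held in the safe
    allowed = "".join(opts[alpha] for allow, _, alpha in CLASSES if opts[allow])
    return (opts["MinCharacters"] <= len(value) <= opts["MaxCharacters"]
            and all(c in allowed for c in value)
            and FIRST[opts["FirstCharacterRequirement"]](value[:1])
            and all(sum(c in opts[alpha] for c in value) >= opts[n] for allow, n, alpha in CLASSES if opts[allow]))

def generate(config, attempts=1000):
    """Draw a policy-compliant value from the OS CSPRNG (secrets), never from random.random()."""
    opts = resolve(config)
    allowed = "".join(opts[alpha] for allow, _, alpha in CLASSES if opts[allow])
    for _ in range(attempts):
        length = opts["MinCharacters"] + secrets.randbelow(opts["MaxCharacters"] - opts["MinCharacters"] + 1)
        # Cover every required count first, top up from the allowed pool, then shuffle with a CSPRNG-backed
        # shuffle so the required characters do not sit at predictable positions.
        chars = [secrets.choice(opts[alpha]) for allow, n, alpha in CLASSES if opts[allow] for _ in range(opts[n])]
        chars += [secrets.choice(allowed) for _ in range(length - len(chars))]
        secrets.SystemRandom().shuffle(chars)
        value = "".join(chars)
        if complies(value, opts):  # only the FirstCharacterRequirement rule can still reject here
            return value
    raise ValueError("policy cannot be satisfied, e.g. the first-character rule excludes every allowed class")
```

Running `generate` on the page's my-password-generator file yields an 8 to 10 character alphanumeric value with at least one uppercase, one lowercase and one digit, and `complies` reports False for values that break any of those rules.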

Number Generator Options

The following are the options for version 1.0 of the Number generator:

*MinValue: (Defaults to 1) Defines the inclusive lower bound of the random number returned.
*MaxValue: (Defaults to 9007199254740991) Defines the exclusive upper bound of the random number returned. MaxValue must be greater than MinValue.

Number Generator Configuration:

{
	"Type": "Number",
	"Name": "my-number-generator",
	"Description": "Test Random Number Generator",
	"Options": {
		"MinValue": 100,
		"MaxValue": 9007199254740991
	}
}

Generate Values

Seed a Secret With a Generated Value

The create and update secret commands optionally accept a generator name as an input. When specified, DevOps Secrets Safe stores a value generated by the generator instead of a value specified by the user.

ssrun secret create -g <generator-name> path/to/my/secrets:mytestsecret1

or

ssrun secret update -g <generator-name> path/to/my/secrets:mytestsecret1