...
- The Secret Manager encrypts a secret using the target Agent's Certificate and stores the encrypted result to a Job Resource variable.
- The Job Resource variable is assigned an environment variable that will be made available to jobs using the Job Resource.
Examples:
For details see JS7 - How to update a Job Resource using Unix Shell.
Example for Encryption using Unix Shell:

```bash
./js7_set_job_resource.sh \
    --url=http://joc-2-0-primary:7446 \
    --controller-id=controller \
    --user=root \
    --password=root \
    --job-resource=/ProductDemo/Variables/pdDatabaseSecret \
    --key=databasePassword \
    --value='12345678' \
    --env-var='DATABASE_PASSWORD' \
    --encrypt-cert=foobar.crt
```
For details see JS7 - How to update a Job Resource using PowerShell.
Example for Encryption using PowerShell:

```powershell
Set-JS7JobResource `
    -Path /ProductDemo/Variables/pdDatabaseSecret `
    -Key 'databasePassword' `
    -Value '12345678' `
    -EnvVar 'DATABASE_PASSWORD' `
    -EncryptCertificatePath foobar.crt `
    -JavaLib /js7/js7.encryption/lib
```
Example of how to use Bitwarden® CLI to retrieve a password and to store the encrypted password to a Job Resource:

Example for Encryption using Bitwarden CLI and Unix Shell:

```bash
Get_Secret() {
    item="$1"
    # BW_PASSWORD is taken to be the name of the environment variable that holds the master password
    # unlock the vault if a login was performed before, otherwise log in with the API key
    if [ -f "$HOME/.bw.session.lock" ]
    then
        export BW_SESSION="$(bw unlock --raw --passwordenv BW_PASSWORD)"
    else
        BW_LOGIN=$(bw login --apikey && touch "$HOME/.bw.session.lock")
    fi

    response_json=$(bw list items --search "${item}")
    item_count=$(printf "%s" "${response_json}" | jq ". | length")

    if [ "${item_count}" -eq 1 ]
    then
        printf "%s" "${response_json}" | jq -r ".[].login.password // empty"
    else
        if [ "${item_count}" -eq 0 ]
        then
            >&2 echo "no matching item found in vault for: ${item}"
        else
            >&2 echo "more than one matching item found in vault for: ${item}"
        fi
    fi
}

# retrieve the password from the vault and store it encrypted to the Job Resource
./js7_set_job_resource.sh \
    --url=https://joc-2-0-primary:7443 \
    --controller-id=controller \
    --user=root \
    --password=root \
    --job-resource=/ProductDemo/Variables/pdDatabaseSecret \
    --key=databasePassword \
    --value="$(Get_Secret "database-login")" \
    --env-var='DATABASE_PASSWORD' \
    --encrypt-cert=foobar.crt
```
Explanation:
- The script requires the jq utility to be available from the operating system. jq ships with the MIT license, see https://opensource.org/licenses/MIT.
- Login to JOC Cockpit can be performed using username/password or using a Client Authentication Certificate, see JS7 - Certificate Identity Service.
- Lines 5-10: There are a number of ways to log in and to unlock the vault using Bitwarden CLI. Users should adjust this section.
- Line 17: The JSON returned by Bitwarden CLI depends on the type of secret (1=login, 2=secure note etc.) and will require adjustments to select the desired property.
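The adjustment described for line 17, as an added example that is not part of the JS7 documentation or scripts: a hypothetical `Select_Secret` function picks the property by item type and returns a non-zero exit code instead of an empty value when zero or several items match, so that the Job Resource is not updated with an empty secret. The sample JSON is constructed, and reading a secure note from the `notes` property is an assumption about the Bitwarden item layout.

```shell
# Added example (not JS7 code). Select_Secret is a hypothetical helper name.
# Reads the JSON array printed by "bw list items" from stdin and prints the secret.
# Returns 1 without printing a value unless exactly one item matches.
Select_Secret() {
    item="$1"
    response_json=$(cat)
    item_count=$(printf '%s' "${response_json}" | jq 'length') || return 1

    if [ "${item_count}" -ne 1 ]
    then
        >&2 echo "expected exactly one vault item for: ${item}, found: ${item_count}"
        return 1
    fi

    # select the property by item type: 1=login, 2=secure note (notes is an assumption)
    secret=$(printf '%s' "${response_json}" | jq -r '
        .[0] | if   .type == 1 then .login.password // empty
               elif .type == 2 then .notes // empty
               else empty end') || return 1

    if [ -z "${secret}" ]
    then
        >&2 echo "vault item holds no usable secret: ${item}"
        return 1
    fi
    printf '%s' "${secret}"
}

# Constructed sample responses, shaped like the output of "bw list items"
SAMPLE_LOGIN='[{"type":1,"name":"database-login","login":{"username":"db","password":"12345678"}}]'
SAMPLE_NOTE='[{"type":2,"name":"database-note","notes":"note-secret"}]'
SAMPLE_TWO='[{"type":1,"login":{"password":"a"}},{"type":1,"login":{"password":"b"}}]'

# Usage with the page's script: update the Job Resource only if a secret was found
# secret=$(bw list items --search "database-login" | Select_Secret "database-login") \
#     && ./js7_set_job_resource.sh ... --value="${secret}" --encrypt-cert=foobar.crt
```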
Decrypting Secrets from Jobs
...