provisioning/docs/book/user/DYNAMIC_SECRETS_QUICK_REFERENCE.html
<!DOCTYPE HTML>
<html lang="en" class="ayu sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>Dynamic Secrets Quick Reference - Provisioning Platform Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="Complete documentation for the Provisioning Platform - Infrastructure automation with Nushell, KCL, and Rust">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root and default themes to javascript -->
<script>
const path_to_root = "../";
const default_light_theme = "ayu";
const default_dark_theme = "navy";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="body-container">
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="content" class="content">
<main>
<h1 id="dynamic-secrets---quick-reference-guide"><a class="header" href="#dynamic-secrets---quick-reference-guide">Dynamic Secrets - Quick Reference Guide</a></h1>
<p><strong>Quick Start</strong>: Generate temporary credentials instead of using static secrets</p>
<hr />
<h2 id="quick-commands"><a class="header" href="#quick-commands">Quick Commands</a></h2>
<h3 id="generate-aws-credentials-1-hour"><a class="header" href="#generate-aws-credentials-1-hour">Generate AWS Credentials (1 hour)</a></h3>
<pre><code class="language-nushell">secrets generate aws --role deploy --workspace prod --purpose "deployment"
</code></pre>
<h3 id="generate-ssh-key-2-hours"><a class="header" href="#generate-ssh-key-2-hours">Generate SSH Key (2 hours)</a></h3>
<pre><code class="language-nushell">secrets generate ssh --ttl 2 --workspace dev --purpose "server access"
</code></pre>
<h3 id="generate-upcloud-subaccount-2-hours"><a class="header" href="#generate-upcloud-subaccount-2-hours">Generate UpCloud Subaccount (2 hours)</a></h3>
<pre><code class="language-nushell">secrets generate upcloud --ttl 2 --workspace staging --purpose "testing"
</code></pre>
<h3 id="list-active-secrets"><a class="header" href="#list-active-secrets">List Active Secrets</a></h3>
<pre><code class="language-nushell">secrets list
</code></pre>
<h3 id="revoke-secret"><a class="header" href="#revoke-secret">Revoke Secret</a></h3>
<pre><code class="language-nushell">secrets revoke &lt;secret-id&gt; --reason "no longer needed"
</code></pre>
<h3 id="view-statistics"><a class="header" href="#view-statistics">View Statistics</a></h3>
<pre><code class="language-nushell">secrets stats
</code></pre>
<hr />
<h2 id="secret-types"><a class="header" href="#secret-types">Secret Types</a></h2>
<div class="table-wrapper"><table><thead><tr><th>Type</th><th>TTL Range</th><th>Renewable</th><th>Use Case</th></tr></thead><tbody>
<tr><td>AWS STS</td><td>15min - 12h</td><td>✅ Yes</td><td>Cloud resource provisioning</td></tr>
<tr><td>SSH Keys</td><td>10min - 24h</td><td>❌ No</td><td>Temporary server access</td></tr>
<tr><td>UpCloud</td><td>30min - 8h</td><td>❌ No</td><td>UpCloud API operations</td></tr>
<tr><td>Vault</td><td>5min - 24h</td><td>✅ Yes</td><td>Any Vault-backed secret</td></tr>
</tbody></table>
</div>
<p><strong>Note</strong>: the upper bounds above are per-provider limits. The orchestrator's <code>max_ttl_hours</code> setting (12 by default, see Configuration) also applies to every request, so a 24h SSH or Vault TTL is only reachable if that setting is raised. Always request the shortest TTL the task needs; a shorter lifetime is the main control that limits the damage from a leaked credential.</p>
<hr />
<h2 id="rest-api-endpoints"><a class="header" href="#rest-api-endpoints">REST API Endpoints</a></h2>
<p><strong>Base URL</strong>: <code>http://localhost:9090/api/v1/secrets</code> — plain HTTP on the loopback interface of the orchestrator host. The endpoint list below shows no authentication scheme and the "Get secret" endpoint hands back credential material, so do not expose port 9090 beyond localhost without TLS and authentication in front of it.</p>
<pre><code class="language-bash"># Generate secret
POST /generate
# Get secret
GET /{id}
# Revoke secret
POST /{id}/revoke
# Renew secret
POST /{id}/renew
# List secrets
GET /list
# List expiring
GET /expiring
# Statistics
GET /stats
</code></pre>
<hr />
<h2 id="aws-sts-example"><a class="header" href="#aws-sts-example">AWS STS Example</a></h2>
<pre><code class="language-nushell"># Generate
let creds = (secrets generate aws --role deploy --region us-west-2 --workspace prod --purpose "Deploy servers")
# Export to environment (visible to this shell and every child process it starts)
load-env {
    AWS_ACCESS_KEY_ID: $creds.credentials.access_key_id
    AWS_SECRET_ACCESS_KEY: $creds.credentials.secret_access_key
    AWS_SESSION_TOKEN: $creds.credentials.session_token
}
# Use credentials
provisioning server create
# Cleanup: drop the variables from this shell, then revoke the secret record
hide-env AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
secrets revoke ($creds.id) --reason "done"
</code></pre>
<p><strong>Caveat</strong>: AWS does not let a single STS session token be invalidated before it expires; only an IAM policy condition (for example on <code>aws:TokenIssueTime</code>) can cut off all sessions issued before a given time. Unless the orchestrator applies such a policy on revoke, <code>secrets revoke</code> removes the tool's record but the token stays usable until its TTL elapses — keep TTLs short and keep the values out of logs and shell history.</p>
<hr />
<h2 id="ssh-key-example"><a class="header" href="#ssh-key-example">SSH Key Example</a></h2>
<pre><code class="language-nushell"># Generate
let key = (secrets generate ssh --ttl 4 --workspace dev --purpose "Debug issue")
# Save key: create the file and restrict it to the owner BEFORE writing the
# private key into it, so the key is never world-readable, not even briefly
touch ~/.ssh/temp_key
chmod 600 ~/.ssh/temp_key
$key.credentials.private_key | save --force ~/.ssh/temp_key
# Use key
ssh -i ~/.ssh/temp_key user@server
# Cleanup: delete the local copy, then revoke the key
rm ~/.ssh/temp_key
secrets revoke ($key.id) --reason "fixed"
</code></pre>
<p><strong>Caveat</strong>: the private key also remains in <code>$key</code> for the rest of the shell session, so do not echo it or pipe it into logs. Whether <code>secrets revoke</code> also removes the matching public key from the target host (or invalidates a CA-signed certificate) depends on how the SSH provider is set up — confirm that before relying on revocation as the only control, and treat the TTL as the guaranteed cut-off.</p>
<hr />
<h2 id="configuration"><a class="header" href="#configuration">Configuration</a></h2>
<p><strong>File</strong>: <code>provisioning/platform/orchestrator/config.defaults.toml</code> (defaults only — put the real account id and provider credentials in an override or the environment, not in this checked-in file)</p>
<pre><code class="language-toml">[secrets]
default_ttl_hours = 1            # applied when a request passes no --ttl
max_ttl_hours = 12               # hard upper bound for any request; raising it widens the exposure window
auto_revoke_on_expiry = true
warning_threshold_minutes = 5
aws_account_id = "123456789012"  # placeholder; replace with the real account id in an override
aws_default_region = "us-east-1"
# The UpCloud parent-account credentials are long-lived bootstrap secrets taken from the
# environment; the temporary subaccounts are derived from them, so protect them like any
# other static credential (dedicated least-privilege account, rotated, never committed).
upcloud_username = "${UPCLOUD_USER}"
upcloud_password = "${UPCLOUD_PASS}"
<hr />
<h2 id="troubleshooting"><a class="header" href="#troubleshooting">Troubleshooting</a></h2>
<h3 id="provider-not-found"><a class="header" href="#provider-not-found">“Provider not found”</a></h3>
<p>→ The orchestrator's secrets service has not initialized the requested provider. Check the orchestrator log (see Support) for the provider's start-up errors and verify its settings in <code>config.defaults.toml</code> or your override.</p>
<h3 id="ttl-exceeds-maximum"><a class="header" href="#ttl-exceeds-maximum">“TTL exceeds maximum”</a></h3>
<p>→ Reduce the requested TTL. Raising <code>max_ttl_hours</code> is possible, but it extends how long a leaked credential stays valid for every user of the orchestrator — treat it as a last resort and keep it as low as the workload allows.</p>
<h3 id="secret-not-renewable"><a class="header" href="#secret-not-renewable">“Secret not renewable”</a></h3>
<p>→ Generate new secret instead</p>
<h3 id="missing-required-parameter"><a class="header" href="#missing-required-parameter">“Missing required parameter”</a></h3>
<p>→ Check provider requirements (e.g., AWS needs role)</p>
<hr />
<h2 id="security-features"><a class="header" href="#security-features">Security Features</a></h2>
<ul>
<li>✅ No static credentials stored for generated secrets (the provider bootstrap credentials in the configuration, e.g. <code>UPCLOUD_USER</code>/<code>UPCLOUD_PASS</code>, are still long-lived and must be protected separately)</li>
<li>✅ Automatic expiration (1-12 hours by default, bounded by <code>max_ttl_hours</code>)</li>
<li>✅ Auto-revocation on expiry (<code>auto_revoke_on_expiry</code>)</li>
<li>✅ Full audit trail</li>
<li>✅ Memory-only storage (nothing is persisted to disk, which also means active secrets are lost on an orchestrator restart and are present in any memory dump of the process)</li>
<li>✅ TLS in transit — note that the quick-reference base URL above is plain <code>http://localhost</code>; TLS only protects the API once the orchestrator is configured for it or fronted by a TLS proxy, so do not expose port 9090 off-host without that in place</li>
</ul>
<hr />
<h2 id="support"><a class="header" href="#support">Support</a></h2>
<p><strong>Orchestrator logs</strong>: <code>provisioning/platform/orchestrator/data/orchestrator.log</code></p>
<p><strong>Debug secrets</strong>: <code>secrets list | where is_expired == true</code></p>
<p><strong>Full documentation</strong>: <code>DYNAMIC_SECRETS_IMPLEMENTATION.md</code> in the repository checkout (the earlier link pointed at a developer-local absolute path, <code>/Users/Akasha/project-provisioning/DYNAMIC_SECRETS_IMPLEMENTATION.md</code>, which will not resolve on other machines).</p>
</main>
</div>
</div>
</div>
</div>
</body>
</html>