Client

Client credentials enable applications to authenticate as the Role assigned to the client record.

Commands that Act on Clients

Command Action
create create a client in the vault
search find clients by Role name
read read a client’s details
delete delete a client from the vault

Examples

Create

The create command accepts as its --role parameter a fully qualified Role name, and creates a client credential assigned to that Role.

Copy
dsv client create --role app-role

The output will include a clientId and clientSecret suitable for use during CLI installation, or within REST calls to authenticate as the Role assigned to the clientId.

Copy
{
  "clientId": "01234567-abcd-4eb9-9df4-6f1fea7d9298",
  "clientSecret": "aaabbb777DwTLkdzWkL18UF9blycz3r9yfRhQTYICFc",
  "created": "2022-09-16T09:53:50Z",
  "createdBy": "users:bright",
  "id": "00000000-0123-0123-0123-0123456789ab",
  "role": "app-role",
  "url": false
}

NOTE: The client Secret is available only when you create the client. If the Secret is lost, delete the client and create a new one.

Ephemeral Credentials

Client credentials can be made temporary by using the --uses and --ttl flags.

--uses determines the number of times the client credential can be read. If set to 0, it can be used infinitely. Uses defaults to 0.

--ttl determines long until the client credential expires. If set to 0, it can be used indefinitely. Ttl defaults to 0.

The search command accepts as its --query parameter the name of a Role, and searches for clients having that Role.

Copy
dsv client search --query dev-role

or

Copy
dsv client search dev-role

Read

The read command accepts a client ID as a parameter and returns the details for the given client. As with most commands, remember that you can apply flags to beautify, redirect, or reformat the returned material.

Copy
dsv client read --client-id 01234567-abcd-4eb9-9df4-6f1fea7d9298

Delete

The delete command accepts a client ID as a parameter and deletes from the vault the indicated client.

Copy
dsv client delete --client-id 01234567-abcd-4eb9-9df4-6f1fea7d9298

When you delete a Client, it will no longer be usable. However, with the soft delete capacity of VP-DV, you have 72 hours to use the restore command to undelete the Client. After 72 hours, the Client will no longer be retrievable.

Should you want to perform a hard delete, precluding any restore operation, you can use the delete command’s --force flag.

Bootstrapping

There will be times when machines or applications will require access to VP-DV to get started, but you can't (or don't want) to hardcode the client secret. In this case, we can create the client ID and get a one-time use URL. When the URL is accessed, then the corresponding client secret will be created and returned. The URL will no longer be valid after the initial use, so if the intended machine or application gets an error "url already used" then there should be an alarm to investigate.

First create the Client ID and URL:

Copy
dsv client create --role <role> --url --url-ttl <ttl in seconds>

Where "role" is a Role created earlier and is attached to a Policy to provide the proper permissions.

--url if present tells VP-DV to create a one-time use URL instead of a Client Secret right now.

--url-ttl is the time to live of the URL in seconds. If it is not accessed in that time frame, then the URL will become invalid.

If a TTL is set for both the URL and the underlying client credentials, then the timer for the client credentials will not start until the URL is accessed.

The result will look something like this:

Copy
{
  "clientId": "01234567-abcd-4eb9-9df4-6f1fea7d9298",
  "created": "2022-09-16T11:04:45Z",
  "createdBy": "users:admin@company.com",
  "id": "c6bae4ae-469f-4ea7-a72a-8f338fee4867",
  "role": "app-role",
  "url": true,
  "urlExpires": "2022-09-16T12:04:45Z",
  "urlPath": "https://company.secrestvaultcloud.com/v1/clients/bootstrap/01234567-abcd-4eb9-9df4-6f1fea7d9298",
  "urlTTL": 3600
}

Then the machine or application can access that urlpath for the Client Secret. For Example, using CURL (or Invoke-RestMethod for Powershell):

Copy
curl https://company.secrestvaultcloud.com/v1/clients/bootstrap/01234567-abcd-4eb9-9df4-6f1fea7d9298

With a result containing the Client Secret:

Copy
{
  "id": "c6bae4ae-469f-4ea7-a72a-8f338fee4867",
  "clientId": "01234567-abcd-4eb9-9df4-6f1fea7d9298",
  "clientSecret": "abcdef0123456789ALGewTlxf4Fdo-cTkS_l_o0ki8w",
  "role": "app-role",
  "url": true,
  "urlExpires": "2022-09-16T12:04:45Z",
  "accessed": "2022-09-16T11:08:11Z",
  "created": "2022-09-16T11:04:45Z",
  "createdBy": "users:admin@company.com"
}

If the URL is accessed a second time, then the response will contain: {"code":400,"message":"url has already been used"}