vor create secret

Create a database connection secret in Vault

Synopsis

Create a database connection secret in Vault for use by IO nodes.

This command supports three modes for creating a database connection secret in Vault:

  • Interactive mode: If no flags are provided, you will be prompted for all required values.
  • Mixed mode: You can provide some flags (such as --db-type, --vault-path, --token), and the command will prompt interactively for any missing parameters.
  • Non-interactive/CI mode: If all required flags are provided (or --ci is set), the command will run without any prompts.

This flexibility allows you to use the command in scripts, CI pipelines, or interactively as needed. The secret can then be used by IO nodes to connect to supported databases such as PostgreSQL and SQL Server.

You will be prompted for the following information, depending on which flags you provide:

  • Database type (PostgreSQL or SQL Server)
  • Vault secret path (where the secret will be stored relative to kv/data/node/)
  • Vault token (for authentication and creating the secret)
  • Connection parameters:
      • Host
      • Port
      • Database name
      • SSL mode
  • Allowed groups (to restrict access)
  • Authentication method:
      • Username and password
      • Credential path (for Vault-managed credentials)
  • Credentials:
      • Username and password, or
      • Vault credential path

If you choose to use a credential path, you can provide either a dynamic secret path for short-lived credentials or a static secret path, without exposing the credentials in the configuration. Ensure that the credential path is valid and accessible by the Vault token you provide.

The command will validate the connection parameters and test the database connection before saving the secret. The secret is stored at the specified Vault path and can be referenced by the nodes for database access.

Important:

  • You must have a valid Vault token with permissions to write secrets.
  • The secret will be stored under the path: kv/data/node/
  • Allowed groups restrict which user groups can access this secret. If none are selected, the secret will be accessible to all groups.

vor create secret [flags]

Examples

# Interactive mode (prompts for all missing values)
$ vor create secret

# Mixed mode (some flags provided, rest prompted interactively)
$ vor create secret --db-type=postgres --vault-path=mydb --token="$VAULT_TOKEN"

# Non-interactive mode (all flags provided, no prompts)
$ vor create secret --ci --db-type=postgres --vault-path=mydb --token="$VAULT_TOKEN" \
  --host=localhost --port=5432 --name=mydb --ssl=require --username=dbuser \
  --password=dbpass --allowed-groups=admins,devs
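
In a pipeline, the points made under Important can be enforced before vor is called: an empty group list opens the secret to all groups, and a credential path keeps the database password off the command line. The wrapper below is an added example, not part of the vor documentation; the function name create_db_secret and the environment variable names are assumptions, and only flags listed under Options are passed.

```shell
#!/usr/bin/env bash
# Added example: fail-closed wrapper for `vor create secret --ci`.
# Function and environment variable names are assumptions; the vor flags are
# the ones documented on this page.

create_db_secret() {
  local allowed ssl
  # Take the Vault token from the CI secret store via the environment.
  [ -n "${VAULT_TOKEN:-}" ] || { echo "VAULT_TOKEN is not set" >&2; return 2; }

  # No allowed groups means the secret is accessible to all groups: refuse
  # an empty list and empty elements such as "admins,,devs" or "admins,".
  allowed=$(printf '%s' "${ALLOWED_GROUPS:-}" | tr -d '[:space:]')
  case ",${allowed}," in
    *,,*) echo "ALLOWED_GROUPS must name at least one group" >&2; return 3 ;;
  esac

  # --vault-path is relative to kv/data/node/: reject absolute or ".." paths.
  case "${VAULT_PATH:-}" in
    ''|/*|*..*) echo "VAULT_PATH must be a relative path" >&2; return 4 ;;
  esac

  # Policy choice in this example: never store a connection with SSL disabled.
  ssl="${DB_SSL:-require}"
  [ "$ssl" != "disable" ] || { echo "SSL mode 'disable' refused" >&2; return 5; }

  # Use a Vault credential path so no database password appears in argv,
  # shell history or CI logs.
  [ -n "${CREDENTIAL_PATH:-}" ] || { echo "CREDENTIAL_PATH is not set" >&2; return 6; }

  vor create secret --ci \
    --db-type="${DB_TYPE:?}" --vault-path="$VAULT_PATH" --token="$VAULT_TOKEN" \
    --host="${DB_HOST:?}" --port="${DB_PORT:?}" --name="${DB_NAME:?}" \
    --ssl="$ssl" --credential-path="$CREDENTIAL_PATH" \
    --allowed-groups="$allowed"
}
```

Call create_db_secret from the pipeline step after the variables are populated from the CI secret store; a non-zero return means vor was never invoked.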

Options

      --allowed-groups strings   Allowed groups (comma separated)
      --ci                       Enable non-interactive mode
      --credential-path string   Vault credential path for DB credentials
      --db-type string           Database type (postgres or sqlserver)
  -h, --help                     help for secret
      --host string              Database host
      --name string              Database name
      --password string          Database password
      --port int                 Database port
      --ssl string               SSL mode (disable, require, etc.)
      --token string             Vault token
      --username string          Database username
      --vault-path string        Vault secret path (relative to kv/data/node/)

Options inherited from parent commands

      --play string   playpen path
      --renew-token   renew token (default true)

SEE ALSO

  • vor create - Create an object, i.e. playpen, node, queue, process, token