Command KeyVault Configuration
The cmdvault plugin provides a flexible, command-line-based secrets integration for DRP. It
allows administrators to define named shell commands that retrieve secrets from any CLI-accessible
store — including Kerberos vaults, proprietary key management systems, or custom scripts — and
expose those secrets to DRP through a URI-based lookup scheme.
Installation
The plugin requires drp-community-content version 4.8.0 or later. The plugin auto-starts and
does not require a separate plugin instance to be created, but you must set cmdvault/commands on
the plugin.
Plugin Parameters
| Parameter | Description | Required |
|---|---|---|
| cmdvault/commands | Map of command names to shell command templates | Yes |
| cmdvault/cache-timeout | Seconds to cache retrieved secrets in memory | No (default: 300) |
Defining Commands
Set the cmdvault/commands parameter on the plugin object as a map of logical command names to
shell command template strings. The command templates support Go template syntax, with URI query
string parameters passed as the template data:
Name: cmdvault
Provider: cmdvault
Params:
  cmdvault/commands:
    kerb-ipmi: "/usr/local/bin/kerb-get.sh {{.machine_name}}"
    corp-vault: "/usr/local/bin/corp-secret-cli.sh {{.secret_path}} {{.format}}"
    simple-lookup: "/tmp/my-secret.sh {{.param1}}"
The commands must be executable by the user running the DRP endpoint service. Test each command manually before configuring it in the plugin.
Using Secrets in Parameters
Set the decrypt/lookup-uri on a machine parameter to reference a cmdvault command:
# Reference a secret via the cmdvault URI scheme
drpcli machines set Name:my-server param ipmi/password to \
'{ "LookupUri": "cmdvault://kerb-ipmi?machine_name=my-server" }'
# Retrieve and decrypt the secret
drpcli machines get Name:my-server param ipmi/password --decode
The URI format is: cmdvault://<command-name>?param1=value1&param2=value2
The command name in the URI must match a key defined in cmdvault/commands. Query string
parameters are passed as template variables to the command template.
Template Expansion
Two levels of template expansion occur:
- At the DRP endpoint when building the URI (where .Param and .ParamExpand are available). This allows you to inject machine-specific values into the query string.
- Inside the plugin when rendering the command string from the template, using the URI query string parameters as template data.
Example using machine name from the DRP template system:
drpcli machines set Name:my-server param dr-server/initial-password to \
'{ "LookupUri": "cmdvault://corp-vault?secret_path=servers/{{.Machine.Name}}&format=plain" }'
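The second expansion level, shown as an added Go illustration that is not the plugin's own code: a cmdvault:// URI is parsed, the command name (the URI host part) is resolved against the command map from the example above, and the template is rendered with the query parameters as data. The allow-list check on query values is an assumption added here for illustration, not documented plugin behaviour; since the rendered string is a shell command, only plain path-like tokens are accepted.

```go
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"regexp"
	"text/template"
)

// Constructed command map copied from the page's cmdvault/commands example.
var Commands = map[string]string{
	"kerb-ipmi":     "/usr/local/bin/kerb-get.sh {{.machine_name}}",
	"corp-vault":    "/usr/local/bin/corp-secret-cli.sh {{.secret_path}} {{.format}}",
	"simple-lookup": "/tmp/my-secret.sh {{.param1}}",
}

// safeValue is an assumed allow-list (not plugin behaviour): the rendered
// string is executed by a shell, so only plain path-like tokens pass.
var safeValue = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// RenderLookup resolves a cmdvault:// URI to the command string the plugin
// would run: select the template by command name, then render it with the
// query parameters as template data.
func RenderLookup(cmds map[string]string, lookupURI string) (string, error) {
	u, err := url.Parse(lookupURI)
	if err != nil || u.Scheme != "cmdvault" {
		return "", fmt.Errorf("not a cmdvault URI: %q", lookupURI)
	}
	tmplText, ok := cmds[u.Host] // command name is the URI host part
	if !ok {
		return "", fmt.Errorf("unknown cmdvault command %q", u.Host)
	}
	data := map[string]string{}
	for k, vs := range u.Query() {
		if len(vs) != 1 || !safeValue.MatchString(vs[0]) {
			return "", fmt.Errorf("rejected value for query parameter %q", k)
		}
		data[k] = vs[0]
	}
	// missingkey=error: a template variable absent from the query fails loudly
	tmpl, err := template.New(u.Host).Option("missingkey=error").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}
```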
JSON Output
If the command outputs JSON and you need the result parsed as a structured object, add
format=json to the URI:
Without format=json, the command's stdout is returned as a plain string.
Cache Management
The plugin caches secrets per machine UUID and lookup URI for the duration defined in
cmdvault/cache-timeout (default 300 seconds). Use the plugin's clearMachineCache action to
invalidate the cache for a specific machine, or clearCache to flush the entire cache: