Skip to content

DRP's Integration with a command-line key store

DRP allows for the definition of command line functions that return secrets. These commands could contact other key stores.

Plugin Configuration

The plugin requires a map of command names to command lines. This is specified in the cmdvault/commands parameter on the plugin object.

Here is an example object definition:

cmd1: "/tmp/ {{.param1}}"
kerb1: "/usr/local/bin/ {{.param1}}"
kerb2: "/usr/local/bin/ {{.param1}} {{.param2}}"

This example defines three possible commands that can be referenced in the lookup-url. The template look-ups are handled as query string parameters in the URI specified. The commands must be executable by the user that DRP is running as.

Optionally, set a cache timeout to store secrets from Azure KeyVault temporarily in memory, reducing excessive requests to the KeyVault server. This duration is in seconds, defaulting to 300 seconds.

  • cmdvault/cache-timeout: Duration (in seconds) to cache secrets in-memory.

Operational Configuration

In addition to the plugin configuration, define a lookupUri for the secret's location:

  • decrypt/lookup-uri:
    • Denotes the secret's storage location.
    • Format: cmdvault://<command name>?param1=<param1>&param2=<param2>
    • Example: cmdvault://kerb1?machine-id=<uuid>


After completing both configurations, use the plugin:

# Set a machine's IPMI password to a Vault secret:
drpcli machines set Name:foo param ipmi/password to '{ "LookupUri": "cmdvault://kerb1?param1=MySampleKVSecret" }'
drpcli machines set Name:foo param dr-server/initial-password to '{ "LookupUri": "cmdvault://kerb2?param1=MySampleKVSecret&param2={{.Machine.Name}}" }'

# Retrieve the machine's IPMI password:
drpcli machines get Name:foo param ipmi/password --decode
drpcli machines get Name:foo param dr-server/initial-password --decode

Notice that there are two times parameter expansion are being done. There first is in the DRP endpoint when the URI is being built. In that case, the normal .Param and .ParamExpand calls are available. These can be used to set the queury string parameters that get expanded when the command is looked up.