Key Manager service command-line client

Key Manager service command-line client

The barbican client is the command-line interface (CLI) for the Key Manager service API and its extensions.

This chapter documents barbican version 4.0.1.

For help on a specific barbican command, enter:

$ barbican help COMMAND

barbican usage

usage: barbican [--version] [-v | -q] [--log-file LOG_FILE] [-h] [--debug]
                [--no-auth] [--os-identity-api-version <identity-api-version>]
                [--os-auth-url <auth-url>] [--os-username <auth-user-name>]
                [--os-user-id <auth-user-id>] [--os-password <auth-password>]
                [--os-user-domain-id <auth-user-domain-id>]
                [--os-user-domain-name <auth-user-domain-name>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>]
                [--os-project-id <auth-project-id>]
                [--os-project-name <auth-project-name>]
                [--os-project-domain-id <auth-project-domain-id>]
                [--os-project-domain-name <auth-project-domain-name>]
                [--os-auth-token <auth-token>] [--endpoint <barbican-url>]
                [--interface <barbican-interface>]
                [--service-type <barbican-service-type>]
                [--service-name <barbican-service-name>]
                [--region-name <barbican-region-name>]
                [--barbican-api-version <barbican-api-version>] [--insecure]
                [--os-cacert <ca-certificate>] [--os-cert <certificate>]
                [--os-key <key>] [--timeout <seconds>]

barbican optional arguments

--version
show program’s version number and exit
-v, --verbose
Increase verbosity of output. Can be repeated.
-q, --quiet
Suppress output except warnings and errors.
--log-file LOG_FILE
Specify a file to log output. Disabled by default.
-h, --help
Show help message and exit.
--debug
Show tracebacks on errors.
--no-auth, -N
Do not use authentication.
--os-identity-api-version <identity-api-version>
Specify Identity API version to use. Defaults to env[OS_IDENTITY_API_VERSION] or 3.
--os-auth-url <auth-url>, -A <auth-url>
Defaults to env[OS_AUTH_URL].
--os-username <auth-user-name>, -U <auth-user-name>
Defaults to env[OS_USERNAME].
--os-user-id <auth-user-id>
Defaults to env[OS_USER_ID].
--os-password <auth-password>, -P <auth-password>
Defaults to env[OS_PASSWORD].
--os-user-domain-id <auth-user-domain-id>
Defaults to env[OS_USER_DOMAIN_ID].
--os-user-domain-name <auth-user-domain-name>
Defaults to env[OS_USER_DOMAIN_NAME].
--os-tenant-name <auth-tenant-name>, -T <auth-tenant-name>
Defaults to env[OS_TENANT_NAME].
--os-tenant-id <tenant-id>, -I <tenant-id>
Defaults to env[OS_TENANT_ID].
--os-project-id <auth-project-id>
Another way to specify tenant ID. This option is mutually exclusive with --os-tenant-id. Defaults to env[OS_PROJECT_ID].
--os-project-name <auth-project-name>
Another way to specify tenant name. This option is mutually exclusive with --os-tenant-name. Defaults to env[OS_PROJECT_NAME].
--os-project-domain-id <auth-project-domain-id>
Defaults to env[OS_PROJECT_DOMAIN_ID].
--os-project-domain-name <auth-project-domain-name>
Defaults to env[OS_PROJECT_DOMAIN_NAME].
--os-auth-token <auth-token>
Defaults to env[OS_AUTH_TOKEN].
--endpoint <barbican-url>, -E <barbican-url>
Defaults to env[BARBICAN_ENDPOINT].
--interface <barbican-interface>
Defaults to env[BARBICAN_INTERFACE].
--service-type <barbican-service-type>
Defaults to env[BARBICAN_SERVICE_TYPE].
--service-name <barbican-service-name>
Defaults to env[BARBICAN_SERVICE_NAME].
--region-name <barbican-region-name>
Defaults to env[BARBICAN_REGION_NAME].
--barbican-api-version <barbican-api-version>
Defaults to env[BARBICAN_API_VERSION].
--insecure
Explicitly allow client to perform “insecure” TLS (https) requests. The server’s certificate will not be verified against any certificate authorities. This option should be used with caution.
--os-cacert <ca-certificate>
Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT].
--os-cert <certificate>
Defaults to env[OS_CERT].
--os-key <key>
Defaults to env[OS_KEY].
--timeout <seconds>
Set request timeout (in seconds).

barbican acl delete

usage: barbican acl delete [-h] URI

Delete ACLs for a secret or container as identified by its href.

Positional arguments:

URI
The URI reference for the secret or container.

Optional arguments:

-h, --help
show this help message and exit

barbican acl get

usage: barbican acl get [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN]
                        [--max-width <integer>] [--noindent]
                        [--quote {all,minimal,none,nonnumeric}]
                        URI

Retrieve ACLs for a secret or container by providing its href.

Positional arguments:

URI
The URI reference for the secret or container.

Optional arguments:

-h, --help
show this help message and exit

barbican acl submit

usage: barbican acl submit [-h] [-f {csv,html,json,table,value,yaml}]
                           [-c COLUMN] [--max-width <integer>] [--noindent]
                           [--quote {all,minimal,none,nonnumeric}]
                           [--user [USERS]]
                           [--project-access | --no-project-access]
                           [--operation-type {read}]
                           URI

Submit ACL on a secret or container as identified by its href.

Positional arguments:

URI
The URI reference for the secret or container.

Optional arguments:

-h, --help
show this help message and exit
--user [USERS], -u [USERS]
Keystone userid(s) for ACL.
--project-access
Flag to enable project access behavior.
--no-project-access
Flag to disable project access behavior.
--operation-type {read}, -o {read}
Type of Barbican operation ACL is set for

barbican acl user add

usage: barbican acl user add [-h] [-f {csv,html,json,table,value,yaml}]
                             [-c COLUMN] [--max-width <integer>] [--noindent]
                             [--quote {all,minimal,none,nonnumeric}]
                             [--user [USERS]]
                             [--project-access | --no-project-access]
                             [--operation-type {read}]
                             URI

Add ACL users to a secret or container as identified by its href.

Positional arguments:

URI
The URI reference for the secret or container.

Optional arguments:

-h, --help
show this help message and exit
--user [USERS], -u [USERS]
Keystone userid(s) for ACL.
--project-access
Flag to enable project access behavior.
--no-project-access
Flag to disable project access behavior.
--operation-type {read}, -o {read}
Type of Barbican operation ACL is set for

barbican acl user remove

usage: barbican acl user remove [-h] [-f {csv,html,json,table,value,yaml}]
                                [-c COLUMN] [--max-width <integer>]
                                [--noindent]
                                [--quote {all,minimal,none,nonnumeric}]
                                [--user [USERS]]
                                [--project-access | --no-project-access]
                                [--operation-type {read}]
                                URI

Remove ACL users from a secret or container as identified by its href.

Positional arguments:

URI
The URI reference for the secret or container.

Optional arguments:

-h, --help
show this help message and exit
--user [USERS], -u [USERS]
Keystone userid(s) for ACL.
--project-access
Flag to enable project access behavior.
--no-project-access
Flag to disable project access behavior.
--operation-type {read}, -o {read}
Type of Barbican operation ACL is set for

barbican ca get

usage: barbican ca get [-h] [-f {html,json,shell,table,value,yaml}]
                       [-c COLUMN] [--max-width <integer>] [--noindent]
                       [--prefix PREFIX]
                       URI

Retrieve a CA by providing its URI.

Positional arguments:

URI
The URI reference for the CA.

Optional arguments:

-h, --help
show this help message and exit

barbican ca list

usage: barbican ca list [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN]
                        [--max-width <integer>] [--noindent]
                        [--quote {all,minimal,none,nonnumeric}]
                        [--limit LIMIT] [--offset OFFSET] [--name NAME]

List cas.

Optional arguments:

-h, --help
show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page (default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)
--name NAME, -n NAME
specify the secret name (default: None)

barbican secret container create

usage: barbican secret container create [-h]
                                        [-f {html,json,shell,table,value,yaml}]
                                        [-c COLUMN] [--max-width <integer>]
                                        [--noindent] [--prefix PREFIX]
                                        [--name NAME] [--type TYPE]
                                        [--secret SECRET]

Store a container in Barbican.

Optional arguments:

-h, --help
show this help message and exit
--name NAME, -n NAME
a human-friendly name.
--type TYPE
type of container to create (default: generic).
--secret SECRET, -s SECRET
one secret to store in a container (can be set multiple times). Example: --secret “private_key=https://url.test/v1/secrets/1-2-3-4”

barbican secret container delete

usage: barbican secret container delete [-h] URI

Delete a container by providing its href.

Positional arguments:

URI
The URI reference for the container

Optional arguments:

-h, --help
show this help message and exit

barbican secret container get

usage: barbican secret container get [-h]
                                     [-f {html,json,shell,table,value,yaml}]
                                     [-c COLUMN] [--max-width <integer>]
                                     [--noindent] [--prefix PREFIX]
                                     URI

Retrieve a container by providing its URI.

Positional arguments:

URI
The URI reference for the container.

Optional arguments:

-h, --help
show this help message and exit

barbican secret container list

usage: barbican secret container list [-h]
                                      [-f {csv,html,json,table,value,yaml}]
                                      [-c COLUMN] [--max-width <integer>]
                                      [--noindent]
                                      [--quote {all,minimal,none,nonnumeric}]
                                      [--limit LIMIT] [--offset OFFSET]
                                      [--name NAME] [--type TYPE]

List containers.

Optional arguments:

-h, --help
show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page (default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)
--name NAME, -n NAME
specify the container name (default: None)
--type TYPE, -t TYPE
specify the type filter for the list (default: None).

barbican secret delete

usage: barbican secret delete [-h] URI

Delete a secret by providing its URI.

Positional arguments:

URI
The URI reference for the secret

Optional arguments:

-h, --help
show this help message and exit

barbican secret get

usage: barbican secret get [-h] [-f {html,json,shell,table,value,yaml}]
                           [-c COLUMN] [--max-width <integer>] [--noindent]
                           [--prefix PREFIX] [--decrypt] [--payload]
                           [--payload_content_type PAYLOAD_CONTENT_TYPE]
                           URI

Retrieve a secret by providing its URI.

Positional arguments:

URI
The URI reference for the secret.

Optional arguments:

-h, --help
show this help message and exit
--decrypt, -d
if specified, retrieve the unencrypted secret data; the data type can be specified with --payload-content- type.
--payload, -p
if specified, retrieve the unencrypted secret data; the data type can be specified with --payload-content- type. If the user wishes to only retrieve the value of the payload they must add “-f value” to format returning only the value of the payload
--payload_content_type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the content type of the decrypted secret (default: text/plain.

barbican secret list

usage: barbican secret list [-h] [-f {csv,html,json,table,value,yaml}]
                            [-c COLUMN] [--max-width <integer>] [--noindent]
                            [--quote {all,minimal,none,nonnumeric}]
                            [--limit LIMIT] [--offset OFFSET] [--name NAME]
                            [--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
                            [--mode MODE]

List secrets.

Optional arguments:

-h, --help
show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page (default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)
--name NAME, -n NAME
specify the secret name (default: None)
--algorithm ALGORITHM, -a ALGORITHM
the algorithm filter for the list(default: None).
--bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length filter for the list (default: 0).
--mode MODE, -m MODE
the algorithm mode filter for the list (default: None).

barbican secret order create

usage: barbican secret order create [-h]
                                    [-f {html,json,shell,table,value,yaml}]
                                    [-c COLUMN] [--max-width <integer>]
                                    [--noindent] [--prefix PREFIX]
                                    [--name NAME] [--algorithm ALGORITHM]
                                    [--bit-length BIT_LENGTH] [--mode MODE]
                                    [--payload-content-type PAYLOAD_CONTENT_TYPE]
                                    [--expiration EXPIRATION]
                                    [--request-type REQUEST_TYPE]
                                    [--subject-dn SUBJECT_DN]
                                    [--source-container-ref SOURCE_CONTAINER_REF]
                                    [--ca-id CA_ID] [--profile PROFILE]
                                    [--request-file REQUEST_FILE]
                                    type

Create a new order.

Positional arguments:

type
the type of the order to create.

Optional arguments:

-h, --help
show this help message and exit
--name NAME, -n NAME
a human-friendly name.
--algorithm ALGORITHM, -a ALGORITHM
the algorithm to be used with the requested key (default: aes).
--bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length of the requested secret key (default: 256).
--mode MODE, -m MODE
the algorithm mode to be used with the requested key (default: cbc).
--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the type/format of the secret to be generated (default: application/octet-stream).
--expiration EXPIRATION, -x EXPIRATION
the expiration time for the secret in ISO 8601 format.
--request-type REQUEST_TYPE
the type of the certificate request.
--subject-dn SUBJECT_DN
the subject of the certificate.
--source-container-ref SOURCE_CONTAINER_REF
the source of the certificate when using stored-key requests.
--ca-id CA_ID
the identifier of the CA to use for the certificate request.
--profile PROFILE
the profile of certificate to use.
--request-file REQUEST_FILE
the file containing the CSR.

barbican secret order delete

usage: barbican secret order delete [-h] URI

Delete an order by providing its href.

Positional arguments:

URI
The URI reference for the order

Optional arguments:

-h, --help
show this help message and exit

barbican secret order get

usage: barbican secret order get [-h] [-f {html,json,shell,table,value,yaml}]
                                 [-c COLUMN] [--max-width <integer>]
                                 [--noindent] [--prefix PREFIX]
                                 URI

Retrieve an order by providing its URI.

Positional arguments:

URI
The URI reference order.

Optional arguments:

-h, --help
show this help message and exit

barbican secret order list

usage: barbican secret order list [-h] [-f {csv,html,json,table,value,yaml}]
                                  [-c COLUMN] [--max-width <integer>]
                                  [--noindent]
                                  [--quote {all,minimal,none,nonnumeric}]
                                  [--limit LIMIT] [--offset OFFSET]

List orders.

Optional arguments:

-h, --help
show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page (default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)

barbican secret store

usage: barbican secret store [-h] [-f {html,json,shell,table,value,yaml}]
                             [-c COLUMN] [--max-width <integer>] [--noindent]
                             [--prefix PREFIX] [--name NAME]
                             [--payload PAYLOAD] [--secret-type SECRET_TYPE]
                             [--payload-content-type PAYLOAD_CONTENT_TYPE]
                             [--payload-content-encoding PAYLOAD_CONTENT_ENCODING]
                             [--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
                             [--mode MODE] [--expiration EXPIRATION]

Store a secret in Barbican.

Optional arguments:

-h, --help
show this help message and exit
--name NAME, -n NAME
a human-friendly name.
--payload PAYLOAD, -p PAYLOAD
the unencrypted secret; if provided, you must also provide a payload_content_type
--secret-type SECRET_TYPE, -s SECRET_TYPE
the secret type; must be one of symmetric, public, private, certificate, passphrase, opaque (default)
--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the type/format of the provided secret data; “text/plain” is assumed to be UTF-8; required when --payload is supplied.

--payload-content-encoding PAYLOAD_CONTENT_ENCODING,

-e PAYLOAD_CONTENT_ENCODING
required if --payload-content-type is “application /octet-stream”.
--algorithm ALGORITHM, -a ALGORITHM
the algorithm (default: aes).
--bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length (default: 256).
--mode MODE, -m MODE
the algorithm mode; used only for reference (default: cbc)
--expiration EXPIRATION, -x EXPIRATION
the expiration time for the secret in ISO 8601 format.

barbican secret update

usage: barbican secret update [-h] URI payload

Update a secret with no payload in Barbican.

Positional arguments:

URI
The URI reference for the secret.
payload
the unencrypted secret

Optional arguments:

-h, --help
show this help message and exit
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

Contents