credential-libraries create

Command: boundary credential-libraries create

The credential-libraries create command lets you create a credential library resource in Boundary.

Examples

The following example creates a credential library for database credentials where Vault's database secrets engine provides dynamic credentials:

$ boundary credential-libraries create vault-generic \
    -credential-store-id csvlt_5fvkRjCjou \
    -vault-path "database/creds/dba" \
    -name "northwind dba"

Example output:

Credential Library information:
  Created Time:          Wed, 28 Sep 2022 08:50:32 MDT
  Credential Store ID:   csvlt_Xqa6V6QwfM
  ID:                    clvlt_Ex17uiP7FO
  Name:                  northwind dba
  Type:                  vault
  Updated Time:          Wed, 28 Sep 2022 08:50:32 MDT
  Version:               1

  Scope:
    ID:                  p_EZaXO0OZPX
    Name:                db-project
    Parent Scope ID:     o_R1QFYcO743
    Type:                project

  Authorized Actions:
    no-op
    read
    update
    delete

  Attributes:
    HTTP Method:         GET
    Path:                database/creds/dba

Usage

$ boundary credential-libraries create [type] [sub command] [options] [args]

Command options

-credential-store-id (string: "") - The credential store resource to use for the operation. You can also specify the credential store using the BOUNDARY_CREDENTIAL_STORE_ID environment variable.
-description (string: "") - A description of the credential library.
-name (string: "") - The name of the credential library.

Usages by type

The available types are vault-generic and vault-ssh-certificate.

Note

A credential library type, vault is deprecated, so use vault-generic type instead.

The credential-libraries create vault-generic command lets you create a generic Vault credential library.

Example

The following example creates a generic Vault credential library using a credential store with the ID csvlt_1234567890:

$ boundary credential-libraries create vault-generic \
   -credential-store-id csvlt_1234567890 \
   -vault-path "database/creds/dba"

Usage

$ boundary credential-libraries create vault-generic [options] [args]

Vault credential library options

The following are specific Vault credential library options in addition to the command options:

-credential-mapping-override - An override for credential mapping.
-credential-type (string: "") - The type of credential this library issues. The default value is Unspecified.
-vault-http-method (string: "") - The HTTP method the library should use when it communicates with Vault.
-vault-http-request-body (string: "") - The HTTP request body the credential library uses to communicate with Vault. This value can be the HTTP request body value itself, it can refer to a file on disk (file://) from which the value is read, or it can refer to an environment variable (env://) from which the value is read.
-vault-path (string: "") - The path in Vault to request credentials from.

The credential-libraries create vault-ssh-certificate command lets you create a Vault SSH certificate credential library.

Example

The following example creates a Vault SSH certificate credential library with the ID csvlt_1234567890:

$ boundary credential-libraries create vault-ssh-certificate \
   -credential-store-id  csvlt_1234567890 \
   -vault-path "/ssh/sign/role" \
   -username user

Usage

$ boundary credential-libraries create vault-ssh-certificate [options] [args]

Vault SSH certificate credential library options

The following are options are specific to the Vault SSH certificate credential library, in addition to the command options:

-critical-option - A key=value pair to add to the request's critical-options map. It can also be a key value only which sets a JSON null as the value. If you provide a value, Boundary infers the type automatically. You can use -string-critical-option, -bool-critical-option, or -num-critical-option to override the type. You can specify values for this option multiple times. This option supports sourcing values from files using file:// and environment variables using env://.
-critical-options (string: "") - A JSON map value to use as the entirety of the request's critical-options map. Usually this value is sourced from a file using the file:// syntax. This value is exclusive with the other critical-option flags.
-extension - A key=value pair to add to the request's extensions map. It can also be a key value only which will set a JSON null as the value. If you provide a value, Boundary automatically infers the type. You can use -string-extension, -bool-extension, or -num-extension to override the type. You can specify values for this option multiple times. This option supports sourcing values from files using file:// and environment variables using env://.
-extensions (string: "") - A JSON map value to use as the entirety of the request's extensions map. Usually this value is sourced from a file using the file:// syntax. This option is exclusive with the other extension flags.
-key-bits (string: "") - The number of bits to use when the SSH private key is generated. The value depends on the key_type. If you use a ed25519 key, you should not set a value or set the value to 0. If you use a ecdsa key, you should set the value to 256, 384, or 521. If you use an rsa key, you should set the value to 2048, 3072, or 4096.
-key-id (string: "") - Specifies the created certificate's key id.
-key-type (string: "") - Specifies the key type for the generated ssh private key. Supported values include ed25519, ecdsa, and rsa.
-ttl (string: "") - The generated certificate's time-to-live.
-username (string: "") - The username to use with the SSH certificate.
-vault-path (string: "") - The path in Vault to request credentials from.

CLI options

In addition to the command specific options, there are options common to all CLI commands and subcommands: