.. ## WARNING ##################################### .. This file is tool-generated. Do not edit manually. .. ################################################## ================================================== Key Manager service (barbican) command-line client ================================================== The barbican client is the command-line interface (CLI) for the Key Manager service (barbican) API and its extensions. This chapter documents :command:`barbican` version ``4.1.0``. For help on a specific :command:`barbican` command, enter: .. code-block:: console $ barbican help COMMAND .. _barbican_command_usage: barbican usage ~~~~~~~~~~~~~~ .. code-block:: console usage: barbican [--version] [-v | -q] [--log-file LOG_FILE] [-h] [--debug] [--no-auth] [--os-identity-api-version ] [--os-auth-url ] [--os-username ] [--os-user-id ] [--os-password ] [--os-user-domain-id ] [--os-user-domain-name ] [--os-tenant-name ] [--os-tenant-id ] [--os-project-id ] [--os-project-name ] [--os-project-domain-id ] [--os-project-domain-name ] [--os-auth-token ] [--endpoint ] [--interface ] [--service-type ] [--service-name ] [--region-name ] [--barbican-api-version ] [--insecure] [--os-cacert ] [--os-cert ] [--os-key ] [--timeout ] .. _barbican_command_options: barbican optional arguments ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``--version`` show program's version number and exit ``-v, --verbose`` Increase verbosity of output. Can be repeated. ``-q, --quiet`` Suppress output except warnings and errors. ``--log-file LOG_FILE`` Specify a file to log output. Disabled by default. ``-h, --help`` Show help message and exit. ``--debug`` Show tracebacks on errors. ``--no-auth, -N`` Do not use authentication. ``--os-identity-api-version `` Specify Identity API version to use. Defaults to ``env[OS_IDENTITY_API_VERSION]`` or 3. ``--os-auth-url , -A `` Defaults to ``env[OS_AUTH_URL]``. ``--os-username , -U `` Defaults to ``env[OS_USERNAME]``. ``--os-user-id `` Defaults to ``env[OS_USER_ID]``. ``--os-password , -P `` Defaults to ``env[OS_PASSWORD]``. ``--os-user-domain-id `` Defaults to ``env[OS_USER_DOMAIN_ID]``. ``--os-user-domain-name `` Defaults to ``env[OS_USER_DOMAIN_NAME]``. ``--os-tenant-name , -T `` Defaults to ``env[OS_TENANT_NAME]``. ``--os-tenant-id , -I `` Defaults to ``env[OS_TENANT_ID]``. ``--os-project-id `` Another way to specify tenant ID. This option is mutually exclusive with :option:`--os-tenant-id`. Defaults to ``env[OS_PROJECT_ID]``. ``--os-project-name `` Another way to specify tenant name. This option is mutually exclusive with :option:`--os-tenant-name`. Defaults to ``env[OS_PROJECT_NAME]``. ``--os-project-domain-id `` Defaults to ``env[OS_PROJECT_DOMAIN_ID]``. ``--os-project-domain-name `` Defaults to ``env[OS_PROJECT_DOMAIN_NAME]``. ``--os-auth-token `` Defaults to ``env[OS_AUTH_TOKEN]``. ``--endpoint , -E `` Defaults to ``env[BARBICAN_ENDPOINT]``. ``--interface `` Defaults to ``env[BARBICAN_INTERFACE]``. ``--service-type `` Defaults to ``env[BARBICAN_SERVICE_TYPE]``. ``--service-name `` Defaults to ``env[BARBICAN_SERVICE_NAME]``. ``--region-name `` Defaults to ``env[BARBICAN_REGION_NAME]``. ``--barbican-api-version `` Defaults to ``env[BARBICAN_API_VERSION]``. ``--insecure`` Explicitly allow client to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution. ``--os-cacert `` Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to ``env[OS_CACERT]``. ``--os-cert `` Defaults to ``env[OS_CERT]``. ``--os-key `` Defaults to ``env[OS_KEY]``. ``--timeout `` Set request timeout (in seconds). .. _barbican_acl_delete: barbican acl delete ------------------- .. code-block:: console usage: barbican acl delete [-h] URI Delete ACLs for a secret or container as identified by its href. **Positional arguments:** ``URI`` The URI reference for the secret or container. **Optional arguments:** ``-h, --help`` show this help message and exit .. _barbican_acl_get: barbican acl get ---------------- .. code-block:: console usage: barbican acl get [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--quote {all,minimal,none,nonnumeric}] URI Retrieve ACLs for a secret or container by providing its href. **Positional arguments:** ``URI`` The URI reference for the secret or container. **Optional arguments:** ``-h, --help`` show this help message and exit .. _barbican_acl_submit: barbican acl submit ------------------- .. code-block:: console usage: barbican acl submit [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--user [USERS]] [--project-access | --no-project-access] [--operation-type {read}] URI Submit ACL on a secret or container as identified by its href. **Positional arguments:** ``URI`` The URI reference for the secret or container. **Optional arguments:** ``-h, --help`` show this help message and exit ``--user [USERS], -u [USERS]`` Keystone userid(s) for ACL. ``--project-access`` Flag to enable project access behavior. ``--no-project-access`` Flag to disable project access behavior. ``--operation-type {read}, -o {read}`` Type of Barbican operation ACL is set for .. _barbican_acl_user_add: barbican acl user add --------------------- .. code-block:: console usage: barbican acl user add [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--user [USERS]] [--project-access | --no-project-access] [--operation-type {read}] URI Add ACL users to a secret or container as identified by its href. **Positional arguments:** ``URI`` The URI reference for the secret or container. **Optional arguments:** ``-h, --help`` show this help message and exit ``--user [USERS], -u [USERS]`` Keystone userid(s) for ACL. ``--project-access`` Flag to enable project access behavior. ``--no-project-access`` Flag to disable project access behavior. ``--operation-type {read}, -o {read}`` Type of Barbican operation ACL is set for .. _barbican_acl_user_remove: barbican acl user remove ------------------------ .. code-block:: console usage: barbican acl user remove [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--user [USERS]] [--project-access | --no-project-access] [--operation-type {read}] URI Remove ACL users from a secret or container as identified by its href. **Positional arguments:** ``URI`` The URI reference for the secret or container. **Optional arguments:** ``-h, --help`` show this help message and exit ``--user [USERS], -u [USERS]`` Keystone userid(s) for ACL. ``--project-access`` Flag to enable project access behavior. ``--no-project-access`` Flag to disable project access behavior. ``--operation-type {read}, -o {read}`` Type of Barbican operation ACL is set for .. _barbican_ca_get: barbican ca get --------------- .. code-block:: console usage: barbican ca get [-h] [-f {html,json,shell,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--prefix PREFIX] URI Retrieve a CA by providing its URI. **Positional arguments:** ``URI`` The URI reference for the CA. **Optional arguments:** ``-h, --help`` show this help message and exit .. _barbican_ca_list: barbican ca list ---------------- .. code-block:: console usage: barbican ca list [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--limit LIMIT] [--offset OFFSET] [--name NAME] List cas. **Optional arguments:** ``-h, --help`` show this help message and exit ``--limit LIMIT, -l LIMIT`` specify the limit to the number of items to list per page (default: 10; maximum: 100) ``--offset OFFSET, -o OFFSET`` specify the page offset (default: 0) ``--name NAME, -n NAME`` specify the secret name (default: None) .. _barbican_secret_container_create: barbican secret container create -------------------------------- .. code-block:: console usage: barbican secret container create [-h] [-f {html,json,shell,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--prefix PREFIX] [--name NAME] [--type TYPE] [--secret SECRET] Store a container in Barbican. **Optional arguments:** ``-h, --help`` show this help message and exit ``--name NAME, -n NAME`` a human-friendly name. ``--type TYPE`` type of container to create (default: generic). ``--secret SECRET, -s SECRET`` one secret to store in a container (can be set multiple times). Example: :option:`--secret` "private_key=https://url.test/v1/secrets/1-2-3-4" .. _barbican_secret_container_delete: barbican secret container delete -------------------------------- .. code-block:: console usage: barbican secret container delete [-h] URI Delete a container by providing its href. **Positional arguments:** ``URI`` The URI reference for the container **Optional arguments:** ``-h, --help`` show this help message and exit .. _barbican_secret_container_get: barbican secret container get ----------------------------- .. code-block:: console usage: barbican secret container get [-h] [-f {html,json,shell,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--prefix PREFIX] URI Retrieve a container by providing its URI. **Positional arguments:** ``URI`` The URI reference for the container. **Optional arguments:** ``-h, --help`` show this help message and exit .. _barbican_secret_container_list: barbican secret container list ------------------------------ .. code-block:: console usage: barbican secret container list [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--limit LIMIT] [--offset OFFSET] [--name NAME] [--type TYPE] List containers. **Optional arguments:** ``-h, --help`` show this help message and exit ``--limit LIMIT, -l LIMIT`` specify the limit to the number of items to list per page (default: 10; maximum: 100) ``--offset OFFSET, -o OFFSET`` specify the page offset (default: 0) ``--name NAME, -n NAME`` specify the container name (default: None) ``--type TYPE, -t TYPE`` specify the type filter for the list (default: None). .. _barbican_secret_delete: barbican secret delete ---------------------- .. code-block:: console usage: barbican secret delete [-h] URI Delete a secret by providing its URI. **Positional arguments:** ``URI`` The URI reference for the secret **Optional arguments:** ``-h, --help`` show this help message and exit .. _barbican_secret_get: barbican secret get ------------------- .. code-block:: console usage: barbican secret get [-h] [-f {html,json,shell,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--prefix PREFIX] [--decrypt] [--payload] [--payload_content_type PAYLOAD_CONTENT_TYPE] URI Retrieve a secret by providing its URI. **Positional arguments:** ``URI`` The URI reference for the secret. **Optional arguments:** ``-h, --help`` show this help message and exit ``--decrypt, -d`` if specified, retrieve the unencrypted secret data; the data type can be specified with :option:`--payload-content-` type. ``--payload, -p`` if specified, retrieve the unencrypted secret data; the data type can be specified with :option:`--payload-content-` type. If the user wishes to only retrieve the value of the payload they must add "-f value" to format returning only the value of the payload ``--payload_content_type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE`` the content type of the decrypted secret (default: text/plain. .. _barbican_secret_list: barbican secret list -------------------- .. code-block:: console usage: barbican secret list [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--limit LIMIT] [--offset OFFSET] [--name NAME] [--algorithm ALGORITHM] [--bit-length BIT_LENGTH] [--mode MODE] List secrets. **Optional arguments:** ``-h, --help`` show this help message and exit ``--limit LIMIT, -l LIMIT`` specify the limit to the number of items to list per page (default: 10; maximum: 100) ``--offset OFFSET, -o OFFSET`` specify the page offset (default: 0) ``--name NAME, -n NAME`` specify the secret name (default: None) ``--algorithm ALGORITHM, -a ALGORITHM`` the algorithm filter for the list(default: None). ``--bit-length BIT_LENGTH, -b BIT_LENGTH`` the bit length filter for the list (default: 0). ``--mode MODE, -m MODE`` the algorithm mode filter for the list (default: None). .. _barbican_secret_order_create: barbican secret order create ---------------------------- .. code-block:: console usage: barbican secret order create [-h] [-f {html,json,shell,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--prefix PREFIX] [--name NAME] [--algorithm ALGORITHM] [--bit-length BIT_LENGTH] [--mode MODE] [--payload-content-type PAYLOAD_CONTENT_TYPE] [--expiration EXPIRATION] [--request-type REQUEST_TYPE] [--subject-dn SUBJECT_DN] [--source-container-ref SOURCE_CONTAINER_REF] [--ca-id CA_ID] [--profile PROFILE] [--request-file REQUEST_FILE] type Create a new order. **Positional arguments:** ``type`` the type of the order to create. **Optional arguments:** ``-h, --help`` show this help message and exit ``--name NAME, -n NAME`` a human-friendly name. ``--algorithm ALGORITHM, -a ALGORITHM`` the algorithm to be used with the requested key (default: aes). ``--bit-length BIT_LENGTH, -b BIT_LENGTH`` the bit length of the requested secret key (default: 256). ``--mode MODE, -m MODE`` the algorithm mode to be used with the requested key (default: cbc). ``--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE`` the type/format of the secret to be generated (default: application/octet-stream). ``--expiration EXPIRATION, -x EXPIRATION`` the expiration time for the secret in ISO 8601 format. ``--request-type REQUEST_TYPE`` the type of the certificate request. ``--subject-dn SUBJECT_DN`` the subject of the certificate. ``--source-container-ref SOURCE_CONTAINER_REF`` the source of the certificate when using stored-key requests. ``--ca-id CA_ID`` the identifier of the CA to use for the certificate request. ``--profile PROFILE`` the profile of certificate to use. ``--request-file REQUEST_FILE`` the file containing the CSR. .. _barbican_secret_order_delete: barbican secret order delete ---------------------------- .. code-block:: console usage: barbican secret order delete [-h] URI Delete an order by providing its href. **Positional arguments:** ``URI`` The URI reference for the order **Optional arguments:** ``-h, --help`` show this help message and exit .. _barbican_secret_order_get: barbican secret order get ------------------------- .. code-block:: console usage: barbican secret order get [-h] [-f {html,json,shell,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--prefix PREFIX] URI Retrieve an order by providing its URI. **Positional arguments:** ``URI`` The URI reference order. **Optional arguments:** ``-h, --help`` show this help message and exit .. _barbican_secret_order_list: barbican secret order list -------------------------- .. code-block:: console usage: barbican secret order list [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--limit LIMIT] [--offset OFFSET] List orders. **Optional arguments:** ``-h, --help`` show this help message and exit ``--limit LIMIT, -l LIMIT`` specify the limit to the number of items to list per page (default: 10; maximum: 100) ``--offset OFFSET, -o OFFSET`` specify the page offset (default: 0) .. _barbican_secret_store: barbican secret store --------------------- .. code-block:: console usage: barbican secret store [-h] [-f {html,json,shell,table,value,yaml}] [-c COLUMN] [--max-width ] [--noindent] [--prefix PREFIX] [--name NAME] [--payload PAYLOAD] [--secret-type SECRET_TYPE] [--payload-content-type PAYLOAD_CONTENT_TYPE] [--payload-content-encoding PAYLOAD_CONTENT_ENCODING] [--algorithm ALGORITHM] [--bit-length BIT_LENGTH] [--mode MODE] [--expiration EXPIRATION] Store a secret in Barbican. **Optional arguments:** ``-h, --help`` show this help message and exit ``--name NAME, -n NAME`` a human-friendly name. ``--payload PAYLOAD, -p PAYLOAD`` the unencrypted secret; if provided, you must also provide a payload_content_type ``--secret-type SECRET_TYPE, -s SECRET_TYPE`` the secret type; must be one of symmetric, public, private, certificate, passphrase, opaque (default) ``--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE`` the type/format of the provided secret data; "text/plain" is assumed to be UTF-8; required when :option:`--payload` is supplied. ``--payload-content-encoding PAYLOAD_CONTENT_ENCODING, -e PAYLOAD_CONTENT_ENCODING`` required if :option:`--payload-content-type` is "application /octet-stream". ``--algorithm ALGORITHM, -a ALGORITHM`` the algorithm (default: aes). ``--bit-length BIT_LENGTH, -b BIT_LENGTH`` the bit length (default: 256). ``--mode MODE, -m MODE`` the algorithm mode; used only for reference (default: cbc) ``--expiration EXPIRATION, -x EXPIRATION`` the expiration time for the secret in ISO 8601 format. .. _barbican_secret_update: barbican secret update ---------------------- .. code-block:: console usage: barbican secret update [-h] URI payload Update a secret with no payload in Barbican. **Positional arguments:** ``URI`` The URI reference for the secret. ``payload`` the unencrypted secret **Optional arguments:** ``-h, --help`` show this help message and exit