Secrets and SSH Keys
SSH Keys/Secrets are used to store sensitive data used in Commands and Files and private SSH keys.
Note
A single entity is used for both types to employ a generic approach to sensitive data management.
Access Rules
| Group | Action | Condition |
|---|---|---|
| User | - | No access |
| Manager | R | Any type: user is added in "Users" or "Managers" |
| Manager | R | Type is "SSH Key": user is added in "Users" or "Managers" in related Server |
| Manager | R | Type is "Secret" |
| Manager | CRU | Any type: user is added in "Managers" |
| Manager | CRU | Type is "SSH Key": user is added in "Managers" in related Server |
| Manager | CRUD | Any type: user is added in "Managers" and the record is created by the user |
| Manager | CRUD | Type is "SSH Key": user is added in "Managers" in related Server and the record is created by the user |
| Root | CRUD | Any record |
Info
CRUD stands for Create, Read, Update, Delete.
SSH Keys/Secrets are located under the Cetmix Tower > Settings > Keys and Secrets menu.
SSH Key
Used to store SSH private keys. They are selectable in Server settings.
Fields
| Field | Description |
|---|---|
| Name | Readable name |
| Reference | Used for Odoo automation and YAML export/import. Leave blank to generate it automatically. |
| Reference Code | Complete reference code for inline usage in Commands and Files. |
| Key Type | Is "SSH Key" for this type of record. |
| Note | Put your notes here. |
Notebook Tabs
| Tab | Description |
|---|---|
| Key Value | Key value. Please check the note below for more information. |
| Used For | List of Servers where this SSH key is used |
| Access | Access Roles for this record for specific users. |
Warning
Key Value is a write-only field. Please ensure that you have saved your secret before saving it. Once saved, it becomes inaccessible from the user interface.
Secret
Used to store sensitive information that can be used inline in commands, e.g., a token or a password. Secrets cannot be previewed in command preview and are replaced with a placeholder in Command logs.
| Field | Description |
|---|---|
| Name | Readable name |
| Reference | Used for Odoo automation and YAML export/import. Leave blank to generate it automatically. |
| Reference Code | Complete reference code for inline usage in Commands and Files. |
| Key Type | Is "Secret" for this type of record. |
| Partner | Secret type only. If selected, this secret is used only for the selected partner Servers. |
| Server | Secret type only. If selected, this secret is used only for the selected Server. |
| Note | Put your notes here. |
Notebook Tabs
| Tab | Description |
|---|---|
| Secret Value | List of secret values. Values marked as "Global" are used if no partner or server is selected. |
| Access | Access Roles for this record for specific users. |
Warning
Secret Value is a write-only field. Please ensure that you have saved your secret before saving it. Once saved, it becomes inaccessible from the user interface.
Secret Value Priority
When a secret is parsed, its value is searched in the following order:
- Server and partner specific. Both "Server" and "Partner" fields match the current server and partner.
- Server specific. "Server" field matches the current server, "Partner" field is not set.
- Partner specific. "Partner" field matches the current partner, "Server" field is not set.
- Global. Both "Server" and "Partner" fields are not set.
Secrets are inserted inline in code using the following pattern: #!cxtower.secret.reference!#. It consists of three dot-separated parts and is terminated with a mandatory !# suffix:
#!cxtoweris a special prefix that indicates that the following text is a Cetmix Tower secret.secretis used to declare its type (secret).referenceis the Reference field value.
Example
Suppose we have a secret with my_secret_dir reference and value suchMuchFolder. In this case, the following command:
mkdir /home/#!cxtower.secret.my_secret_dir!#
will be executed as:
mkdir /home/suchMuchFolder
YAML Format Specification
cetmix_tower_model: key
reference: such_much_secret
key_type: s # s for secret, k for ssh key
name: 'Such Much Secret'
Info
Secret values cannot be exported or imported using YAML. They must be saved manually in the UI.
Please refer to the General YAML Format Specification for more details.