Test OCI (Oracle Cloud Infrastructure) Vault Secret
- https://github.com/oracle/oci-python-sdk/blob/master/examples/kms_example.py
- https://www.ateam-oracle.com/secure-way-of-managing-secrets-in-oci
Assumes the OCI CLI is already configured and working.
Test an old CLI script that lists buckets:
$ ./list_buckets.sh
{
"data": [
{
"compartment-id": "*masked*",
"created-by": "*masked*",
"defined-tags": null,
"etag": "*masked*",
"freeform-tags": null,
"name": "bucket-20200217-1256",
"namespace": "*masked*",
"time-created": "2020-02-17T18:56:07.773000+00:00"
}
]
}
Test an old Python script:
$ python3 show_user.py
{
"capabilities": {
"can_use_api_keys": true,
"can_use_auth_tokens": true,
"can_use_console_password": true,
"can_use_customer_secret_keys": true,
"can_use_o_auth2_client_credentials": true,
"can_use_smtp_credentials": true
},
"compartment_id": "*masked*",
"defined_tags": {},
"description": "*masked*",
"email": "*masked*",
"external_identifier": null,
"freeform_tags": {},
"id": "*masked*",
"identity_provider_id": null,
"inactive_status": null,
"is_mfa_activated": false,
"lifecycle_state": "ACTIVE",
"name": "*masked*",
"time_created": "2020-02-11T18:24:37.809000+00:00"
}
Create the secret in the console:
- Security > Vault > testvault
- Create a key named rr
- Create a secret named rr
Test the Python code:
$ python3 check-secret.py *masked*
Reading vaule of secret_id *masked*.
Decoded content of the secret is: blah.
Test the CLI:
$ oci vault secret list --compartment-id *masked*
{
"data": [
{
"compartment-id": "*masked*",
"defined-tags": {
"Oracle-Tags": {
"CreatedBy": "*masked*",
"CreatedOn": "2020-05-19T19:13:52.028Z"
}
},
"description": "test",
"freeform-tags": {},
"id": "*masked*",
"key-id": "*masked*",
"lifecycle-details": null,
"lifecycle-state": "ACTIVE",
"secret-name": "rr",
"time-created": "2020-05-19T19:13:51.804000+00:00",
"time-of-current-version-expiry": null,
"time-of-deletion": null,
"vault-id": "*masked*"
}
]
}
$ oci vault secret get --secret-id *masked*
{
"data": {
"compartment-id": "*masked*",
"current-version-number": 1,
"defined-tags": {
"Oracle-Tags": {
"CreatedBy": "*masked*",
"CreatedOn": "2020-05-19T19:13:52.028Z"
}
},
"description": "test",
"freeform-tags": {},
"id": "*masked*",
"key-id": "*masked*",
"lifecycle-details": null,
"lifecycle-state": "ACTIVE",
"metadata": null,
"secret-name": "rr",
"secret-rules": [],
"time-created": "2020-05-19T19:13:51.804000+00:00",
"time-of-current-version-expiry": null,
"time-of-deletion": null,
"vault-id": "*masked*"
},
"etag": "*masked*"
}
$ oci secrets secret-bundle get --secret-id *masked*
{
"data": {
"metadata": null,
"secret-bundle-content": {
"content": "YmxhaA==",
"content-type": "BASE64"
},
"secret-id": "*masked*",
"stages": [
"CURRENT",
"LATEST"
],
"time-created": "2020-05-19T19:13:51.804000+00:00",
"time-of-deletion": null,
"time-of-expiry": null,
"version-name": null,
"version-number": 1
},
"etag": "*masked*--gzip"
}
$ echo YmxhaA== | base64 --decode
blah
One-liner: fetch the current secret bundle, extract the BASE64 content with jq, and decode it (the decoded secret value is printed to stdout):
$ oci secrets secret-bundle get --secret-id ocid1.vaultsecret.oc1.phx.*masked* --query "data .{s:\"secret-bundle-content\"}" | jq -r '.s.content' | base64 --decode
blah