Chapter 16. Key Manager Service Command-line Client (Technology Preview)
4.1.0.
$ barbican help COMMAND
16.1. barbican Usage
usage: barbican [--version] [-v | -q] [--log-file LOG_FILE] [-h] [--debug]
[--no-auth] [--os-identity-api-version <identity-api-version>]
[--os-auth-url <auth-url>] [--os-username <auth-user-name>]
[--os-user-id <auth-user-id>] [--os-password <auth-password>]
[--os-user-domain-id <auth-user-domain-id>]
[--os-user-domain-name <auth-user-domain-name>]
[--os-tenant-name <auth-tenant-name>]
[--os-tenant-id <tenant-id>]
[--os-project-id <auth-project-id>]
[--os-project-name <auth-project-name>]
[--os-project-domain-id <auth-project-domain-id>]
[--os-project-domain-name <auth-project-domain-name>]
[--os-auth-token <auth-token>] [--endpoint <barbican-url>]
[--interface <barbican-interface>]
[--service-type <barbican-service-type>]
[--service-name <barbican-service-name>]
[--region-name <barbican-region-name>]
[--barbican-api-version <barbican-api-version>] [--insecure]
[--os-cacert <ca-certificate>] [--os-cert <certificate>]
[--os-key <key>] [--timeout <seconds>]
16.2. barbican Optional Arguments
- --version
show program's version number and exit
- -v, --verbose
Increase verbosity of output. Can be repeated.
- -q, --quiet
Suppress output except warnings and errors.
- --log-file LOG_FILE
Specify a file to log output. Disabled by default.
- -h, --help
Show help message and exit.
- --debug
Show tracebacks on errors.
- --no-auth, -N
Do not use authentication.
- --os-identity-api-version <identity-api-version>
Specify Identity API version to use. Defaults to
env[OS_IDENTITY_API_VERSION] or 3.
- --os-auth-url <auth-url>, -A <auth-url>
Defaults to env[OS_AUTH_URL].
- --os-username <auth-user-name>, -U <auth-user-name>
Defaults to env[OS_USERNAME].
- --os-user-id <auth-user-id>
Defaults to env[OS_USER_ID].
- --os-password <auth-password>, -P <auth-password>
Defaults to env[OS_PASSWORD].
- --os-user-domain-id <auth-user-domain-id>
Defaults to env[OS_USER_DOMAIN_ID].
- --os-user-domain-name <auth-user-domain-name>
Defaults to env[OS_USER_DOMAIN_NAME].
- --os-tenant-name <auth-tenant-name>, -T <auth-tenant-name>
Defaults to env[OS_TENANT_NAME].
- --os-tenant-id <tenant-id>, -I <tenant-id>
Defaults to env[OS_TENANT_ID].
- --os-project-id <auth-project-id>
Another way to specify tenant ID. This option is
mutually exclusive with --os-tenant-id. Defaults to
env[OS_PROJECT_ID].
- --os-project-name <auth-project-name>
Another way to specify tenant name. This option is
mutually exclusive with --os-tenant-name. Defaults to
env[OS_PROJECT_NAME].
- --os-project-domain-id <auth-project-domain-id>
Defaults to env[OS_PROJECT_DOMAIN_ID].
- --os-project-domain-name <auth-project-domain-name>
Defaults to env[OS_PROJECT_DOMAIN_NAME].
- --os-auth-token <auth-token>
Defaults to env[OS_AUTH_TOKEN].
- --endpoint <barbican-url>, -E <barbican-url>
Defaults to env[BARBICAN_ENDPOINT].
- --interface <barbican-interface>
Defaults to env[BARBICAN_INTERFACE].
- --service-type <barbican-service-type>
Defaults to env[BARBICAN_SERVICE_TYPE].
- --service-name <barbican-service-name>
Defaults to env[BARBICAN_SERVICE_NAME].
- --region-name <barbican-region-name>
Defaults to env[BARBICAN_REGION_NAME].
- --barbican-api-version <barbican-api-version>
Defaults to env[BARBICAN_API_VERSION].
- --insecure
Explicitly allow client to perform "insecure" TLS
(https) requests. The server's certificate will not be
verified against any certificate authorities. This
option should be used with caution.
- --os-cacert <ca-certificate>
Specify a CA bundle file to use in verifying a TLS
(https) server certificate. Defaults to
env[OS_CACERT].
- --os-cert <certificate>
Defaults to env[OS_CERT].
- --os-key <key>
Defaults to env[OS_KEY].
- --timeout <seconds>
Set request timeout (in seconds).
16.3. barbican acl delete
usage: barbican acl delete [-h] URI
Positional arguments
- URI
The URI reference for the secret or container.
Optional arguments
- -h, --help
show this help message and exit
16.4. barbican acl get
usage: barbican acl get [-h] [-f {csv,json,table,value,yaml}] [-c COLUMN]
[--max-width <integer>] [--noindent]
[--quote {all,minimal,none,nonnumeric}]
URI
Positional arguments
- URI
The URI reference for the secret or container.
Optional arguments
- -h, --help
show this help message and exit
16.5. barbican acl submit
usage: barbican acl submit [-h] [-f {csv,json,table,value,yaml}] [-c COLUMN]
[--max-width <integer>] [--noindent]
[--quote {all,minimal,none,nonnumeric}]
[--user [USERS]]
[--project-access | --no-project-access]
[--operation-type {read}]
URI
Positional arguments
- URI
The URI reference for the secret or container.
Optional arguments
- -h, --help
show this help message and exit
- --user [USERS], -u [USERS]
Keystone userid(s) for ACL.
- --project-access
Flag to enable project access behavior.
- --no-project-access
Flag to disable project access behavior.
- --operation-type {read}, -o {read}
Type of Barbican operation ACL is set for
16.6. barbican acl user add
usage: barbican acl user add [-h] [-f {csv,json,table,value,yaml}] [-c COLUMN]
[--max-width <integer>] [--noindent]
[--quote {all,minimal,none,nonnumeric}]
[--user [USERS]]
[--project-access | --no-project-access]
[--operation-type {read}]
URI
Positional arguments
- URI
The URI reference for the secret or container.
Optional arguments
- -h, --help
show this help message and exit
- --user [USERS], -u [USERS]
Keystone userid(s) for ACL.
- --project-access
Flag to enable project access behavior.
- --no-project-access
Flag to disable project access behavior.
- --operation-type {read}, -o {read}
Type of Barbican operation ACL is set for
16.7. barbican acl user remove
usage: barbican acl user remove [-h] [-f {csv,json,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--noindent]
[--quote {all,minimal,none,nonnumeric}]
[--user [USERS]]
[--project-access | --no-project-access]
[--operation-type {read}]
URI
Positional arguments
- URI
The URI reference for the secret or container.
Optional arguments
- -h, --help
show this help message and exit
- --user [USERS], -u [USERS]
Keystone userid(s) for ACL.
- --project-access
Flag to enable project access behavior.
- --no-project-access
Flag to disable project access behavior.
- --operation-type {read}, -o {read}
Type of Barbican operation ACL is set for
16.8. barbican ca get
usage: barbican ca get [-h] [-f {json,shell,table,value,yaml}] [-c COLUMN]
[--max-width <integer>] [--noindent] [--prefix PREFIX]
URI
Positional arguments
- URI
The URI reference for the CA.
Optional arguments
- -h, --help
show this help message and exit
16.9. barbican ca list
usage: barbican ca list [-h] [-f {csv,json,table,value,yaml}] [-c COLUMN]
[--max-width <integer>] [--noindent]
[--quote {all,minimal,none,nonnumeric}]
[--limit LIMIT] [--offset OFFSET] [--name NAME]
Optional arguments
- -h, --help
show this help message and exit
- --limit LIMIT, -l LIMIT
specify the limit to the number of items to list per
page (default: 10; maximum: 100)
- --offset OFFSET, -o OFFSET
specify the page offset (default: 0)
- --name NAME, -n NAME
specify the secret name (default: None)
16.10. barbican secret container create
usage: barbican secret container create [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--noindent] [--prefix PREFIX]
[--name NAME] [--type TYPE]
[--secret SECRET]
Optional arguments
- -h, --help
show this help message and exit
- --name NAME, -n NAME
a human-friendly name.
- --type TYPE
type of container to create (default: generic).
- --secret SECRET, -s SECRET
one secret to store in a container (can be set
multiple times). Example: --secret
"private_key=https://url.test/v1/secrets/1-2-3-4"
16.11. barbican secret container delete
usage: barbican secret container delete [-h] URI
Positional arguments
- URI
The URI reference for the container
Optional arguments
- -h, --help
show this help message and exit
16.12. barbican secret container get
usage: barbican secret container get [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--noindent] [--prefix PREFIX]
URI
Positional arguments
- URI
The URI reference for the container.
Optional arguments
- -h, --help
show this help message and exit
16.13. barbican secret container list
usage: barbican secret container list [-h] [-f {csv,json,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--noindent]
[--quote {all,minimal,none,nonnumeric}]
[--limit LIMIT] [--offset OFFSET]
[--name NAME] [--type TYPE]
Optional arguments
- -h, --help
show this help message and exit
- --limit LIMIT, -l LIMIT
specify the limit to the number of items to list per
page (default: 10; maximum: 100)
- --offset OFFSET, -o OFFSET
specify the page offset (default: 0)
- --name NAME, -n NAME
specify the container name (default: None)
- --type TYPE, -t TYPE
specify the type filter for the list (default: None).
16.14. barbican secret delete
usage: barbican secret delete [-h] URI
Positional arguments
- URI
The URI reference for the secret
Optional arguments
- -h, --help
show this help message and exit
16.15. barbican secret get
usage: barbican secret get [-h] [-f {json,shell,table,value,yaml}] [-c COLUMN]
[--max-width <integer>] [--noindent]
[--prefix PREFIX] [--decrypt] [--payload]
[--payload_content_type PAYLOAD_CONTENT_TYPE]
URI
Positional arguments
- URI
The URI reference for the secret.
Optional arguments
- -h, --help
show this help message and exit
- --decrypt, -d
if specified, retrieve the unencrypted secret data;
the data type can be specified with --payload-content-type.
- --payload, -p
if specified, retrieve the unencrypted secret data;
the data type can be specified with --payload-content-type.
If the user wishes to only retrieve the value of
the payload they must add "-f value" to format
returning only the value of the payload
- --payload_content_type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the content type of the decrypted secret (default:
text/plain.
16.16. barbican secret list
usage: barbican secret list [-h] [-f {csv,json,table,value,yaml}] [-c COLUMN]
[--max-width <integer>] [--noindent]
[--quote {all,minimal,none,nonnumeric}]
[--limit LIMIT] [--offset OFFSET] [--name NAME]
[--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
[--mode MODE]
Optional arguments
- -h, --help
show this help message and exit
- --limit LIMIT, -l LIMIT
specify the limit to the number of items to list per
page (default: 10; maximum: 100)
- --offset OFFSET, -o OFFSET
specify the page offset (default: 0)
- --name NAME, -n NAME
specify the secret name (default: None)
- --algorithm ALGORITHM, -a ALGORITHM
the algorithm filter for the list(default: None).
- --bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length filter for the list (default: 0).
- --mode MODE, -m MODE
the algorithm mode filter for the list (default:
None).
16.17. barbican secret order create
usage: barbican secret order create [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--noindent] [--prefix PREFIX]
[--name NAME] [--algorithm ALGORITHM]
[--bit-length BIT_LENGTH] [--mode MODE]
[--payload-content-type PAYLOAD_CONTENT_TYPE]
[--expiration EXPIRATION]
[--request-type REQUEST_TYPE]
[--subject-dn SUBJECT_DN]
[--source-container-ref SOURCE_CONTAINER_REF]
[--ca-id CA_ID] [--profile PROFILE]
[--request-file REQUEST_FILE]
type
Positional arguments
- type
the type of the order to create.
Optional arguments
- -h, --help
show this help message and exit
- --name NAME, -n NAME
a human-friendly name.
- --algorithm ALGORITHM, -a ALGORITHM
the algorithm to be used with the requested key
(default: aes).
- --bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length of the requested secret key (default:
256).
- --mode MODE, -m MODE
the algorithm mode to be used with the requested key
(default: cbc).
- --payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the type/format of the secret to be generated
(default: application/octet-stream).
- --expiration EXPIRATION, -x EXPIRATION
the expiration time for the secret in ISO 8601 format.
- --request-type REQUEST_TYPE
the type of the certificate request.
- --subject-dn SUBJECT_DN
the subject of the certificate.
- --source-container-ref SOURCE_CONTAINER_REF
the source of the certificate when using stored-key
requests.
- --ca-id CA_ID
the identifier of the CA to use for the certificate
request.
- --profile PROFILE
the profile of certificate to use.
- --request-file REQUEST_FILE
the file containing the CSR.
16.18. barbican secret order delete
usage: barbican secret order delete [-h] URI
Positional arguments
- URI
The URI reference for the order
Optional arguments
- -h, --help
show this help message and exit
16.19. barbican secret order get
usage: barbican secret order get [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--noindent] [--prefix PREFIX]
URI
Positional arguments
- URI
The URI reference order.
Optional arguments
- -h, --help
show this help message and exit
16.20. barbican secret order list
usage: barbican secret order list [-h] [-f {csv,json,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--noindent]
[--quote {all,minimal,none,nonnumeric}]
[--limit LIMIT] [--offset OFFSET]
Optional arguments
- -h, --help
show this help message and exit
- --limit LIMIT, -l LIMIT
specify the limit to the number of items to list per
page (default: 10; maximum: 100)
- --offset OFFSET, -o OFFSET
specify the page offset (default: 0)
16.21. barbican secret store
usage: barbican secret store [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>] [--noindent]
[--prefix PREFIX] [--name NAME]
[--payload PAYLOAD] [--secret-type SECRET_TYPE]
[--payload-content-type PAYLOAD_CONTENT_TYPE]
[--payload-content-encoding PAYLOAD_CONTENT_ENCODING]
[--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
[--mode MODE] [--expiration EXPIRATION]
Optional arguments
- -h, --help
show this help message and exit
- --name NAME, -n NAME
a human-friendly name.
- --payload PAYLOAD, -p PAYLOAD
the unencrypted secret; if provided, you must also
provide a payload_content_type
- --secret-type SECRET_TYPE, -s SECRET_TYPE
the secret type; must be one of symmetric, public,
private, certificate, passphrase, opaque (default)
- --payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the type/format of the provided secret data;
"text/plain" is assumed to be UTF-8; required when
--payload is supplied.
- --payload-content-encoding PAYLOAD_CONTENT_ENCODING, -e PAYLOAD_CONTENT_ENCODING
required if --payload-content-type is
"application/octet-stream".
- --algorithm ALGORITHM, -a ALGORITHM
the algorithm (default: aes).
- --bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length (default: 256).
- --mode MODE, -m MODE
the algorithm mode; used only for reference (default:
cbc)
- --expiration EXPIRATION, -x EXPIRATION
the expiration time for the secret in ISO 8601 format.
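An added example, not part of the barbican client or of this reference: a POSIX shell pre-flight check for a planned "barbican ... secret store" command line, covering the --insecure, --no-auth and credential options from 16.2 and the --payload rules from 16.21. The function name barbican_lint and its messages are hypothetical, and it matches only the space-separated option form shown on this page.

```shell
# Added example; barbican_lint is a hypothetical helper, not part of the client.
# Usage: barbican_lint <the arguments you intend to pass to barbican>
# Prints one line per finding; returns 0 when clean, 1 otherwise.
barbican_lint() {
    findings=0 has_payload=0 has_ctype=0 has_enc=0 ctype="" prev=""
    for arg in "$@"; do
        case "$prev" in
            # The word after --payload is the secret itself, never an option.
            --payload|-p) prev=""; continue ;;
            --payload-content-type|-t) ctype=$arg ;;
        esac
        case "$arg" in
            --insecure)
                echo "insecure: server certificate not verified; prefer --os-cacert"
                findings=1 ;;
            --no-auth|-N)
                echo "no-auth: request is sent without authentication"
                findings=1 ;;
            --os-password|-P|--os-auth-token)
                # Arguments are visible in the process list; the documented
                # env[OS_PASSWORD] / env[OS_AUTH_TOKEN] defaults avoid that.
                echo "credential-on-argv: $arg should come from its env[] default"
                findings=1 ;;
            --payload|-p) has_payload=1 ;;
            --payload-content-type|-t) has_ctype=1 ;;
            --payload-content-encoding|-e) has_enc=1 ;;
        esac
        prev=$arg
    done
    # Rules stated under "barbican secret store".
    if [ "$has_payload" = 1 ] && [ "$has_ctype" = 0 ]; then
        echo "store: --payload requires --payload-content-type"
        findings=1
    fi
    if [ "$ctype" = "application/octet-stream" ] && [ "$has_enc" = 0 ]; then
        echo "store: application/octet-stream requires --payload-content-encoding"
        findings=1
    fi
    return "$findings"
}
```

Run it with the same arguments you are about to give barbican, for example in a wrapper script that refuses to continue on a non-zero return.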
16.22. barbican secret update
usage: barbican secret update [-h] URI payload
Positional arguments
- URI
The URI reference for the secret.
- payload
the unencrypted secret
Optional arguments
- -h, --help
show this help message and exit
