acra-addzone #
acra-addzone is a command-line utility that generates new Zone keys for AcraBlocks/AcraStructs.
Command line flags #
Configuration files #
- --config_file=<filename>
  Path to YAML configuration file.
- --dump_config
  Dump configuration to configs/acra-addzone.yaml.
- --generate_markdown_args_table
  Generate markdown file with text description of all flags. Output file is configs/markdown_acra-addzone.md. Works in a pair with --dump_config.
Logging #
- -v
  Log to stderr all INFO, WARNING and ERROR logs.
Storage destination #
Filesystem #
- --keys_output_dir=<path>
  Path to keystore directory. Default is .acrakeys.
Redis #
- --redis_db_keys=<number>
  Redis database number to use. Default is 0.
- --redis_host_port=<host:port>
  Address of Redis database to use as keystore. If not specified, Redis is not used.
- --redis_password=<password>
  Password to Redis database.
KMS #
- --kms_type=<type>
  Specify your KMS. Currently supported KMS types:
  - aws - AWS Key Management Service
- --kms_credentials_path=<filepath>
  A path to a file with KMS credentials in JSON format. Example of KMS config:
  - AWS: {"access_key_id":"<access_key_id>","secret_access_key":"<secret_access_key>","region":"<region>"}
HashiCorp Vault #
acra-addzone can read ACRA_MASTER_KEY from HashiCorp Vault instead of the environment variable.
- --vault_connection_api_string=<url>
  Connection string (like https://example.com:8200) for connecting to HashiCorp Vault. If not specified, ACRA_MASTER_KEY environment variable will be used.
- --vault_secrets_path=<kv-path>
  Path to KV Secrets directory in Vault used to store ACRA_MASTER_KEY. Default is secret/.
- --vault_tls_ca_path=<path>
  Path to CA certificate bundle to use for HashiCorp Vault certificate validation. If not specified, use root certificates configured in system.
- --vault_tls_client_cert=<path>
  Path to client TLS certificate used to connect to HashiCorp Vault. If not specified, don’t send client certificate.
- --vault_tls_client_key=<path>
  Path to the private key of the client TLS certificate used to connect to HashiCorp Vault. If not specified, don’t send client certificate.
- --vault_tls_transport_enable={true|false}
  Use TLS to encrypt transport with HashiCorp Vault. Default is false.
Output #
$ acra-addzone
INFO[0000] Disabling future logs... Set -v to see logs
INFO[0000] Initializing ACRA_MASTER_KEY loader...
INFO[0000] Initialized default env ACRA_MASTER_KEY loader
{"id":"DDDDDDDDlMeojXNMDnMhrFNN","public_key":"VUVDMgAAAC1IbMPQAknSveiUj4xWzi7ZX50uzT+4/cbT7Tz5wZBbyDGAa3u8"}
Logs are written to stderr and the JSON output with Zone data is written to stdout. To get only the JSON output, redirect stderr to /dev/null:
$ acra-addzone 2>/dev/null
{"id":"DDDDDDDDitpDYzEmbXWbBZzG","public_key":"VUVDMgAAAC1PF4yhAtF0ygbsRlEBMjY0E+9Pp694hauHyQfjC8gVAuOQJ0CX"}
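The stdout/stderr split described above matters most in automation, where a stray log line must never end up inside a stored Zone record. The following is an added example, not code from the Acra project: a Python wrapper that captures stdout separately and validates the record before use. The function names, the Zone ID pattern and the public-key shape check are assumptions inferred from the two sample outputs on this page.

```python
import base64
import json
import re
import subprocess

# Shape inferred from the two sample IDs on this page (assumption, not a spec).
ZONE_ID_RE = re.compile(r"DDDDDDDD[A-Za-z]{16}")


def parse_zone(stdout_text):
    """Validate acra-addzone stdout and return (zone_id, public_key_bytes)."""
    text = stdout_text.strip()
    if "\n" in text:
        # Log lines mixed into stdout would corrupt the record; fail closed.
        raise ValueError("expected exactly one JSON line on stdout")
    record = json.loads(text)
    if not isinstance(record, dict) or set(record) != {"id", "public_key"}:
        raise ValueError("unexpected fields in Zone record")
    zone_id, key_b64 = record["id"], record["public_key"]
    if not isinstance(zone_id, str) or not ZONE_ID_RE.fullmatch(zone_id):
        raise ValueError("Zone ID does not match the expected shape")
    if not isinstance(key_b64, str):
        raise ValueError("public_key must be a base64 string")
    key = base64.b64decode(key_b64, validate=True)
    # Both samples decode to 'UEC2' + a 4-byte big-endian total length
    # (assumed container shape, taken from the page's sample output).
    if key[:4] != b"UEC2" or int.from_bytes(key[4:8], "big") != len(key):
        raise ValueError("public key container looks truncated or altered")
    return zone_id, key


def generate_zone(binary="acra-addzone", extra_args=()):
    """Run acra-addzone, keeping logs (stderr) apart from the JSON (stdout)."""
    proc = subprocess.run(
        [binary, *extra_args],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,  # kept for diagnostics, never parsed
        text=True,
        check=True,  # non-zero exit raises instead of parsing partial output
    )
    return parse_zone(proc.stdout)


# First sample output from this page, used here as offline input.
SAMPLE = ('{"id":"DDDDDDDDlMeojXNMDnMhrFNN","public_key":'
          '"VUVDMgAAAC1IbMPQAknSveiUj4xWzi7ZX50uzT+4/cbT7Tz5wZBbyDGAa3u8"}')

if __name__ == "__main__":
    zone_id, key = parse_zone(SAMPLE)
    print(zone_id, len(key), "bytes")
```

Unlike redirecting stderr to /dev/null, capturing it in the wrapper keeps the log text available when the tool exits with an error.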