cmd

package
v0.27.0

This package is not in the latest version of its module.
Published: Dec 2, 2025 License: Apache-2.0 Imports: 26 Imported by: 0

README

Scy secure secret store CLI client

Installation

The latest binary can be found in the release section.

On x64 OSX

wget https://github.com/viant/scy/releases/download/v0.1.0/scy_darwin_x64.tar.gz
tar xvzf scy_darwin_x64.tar.gz
cp scy /usr/local/bin

On x64 Linux

wget https://github.com/viant/scy/releases/download/v0.1.0/scy_linux_x64.tar.gz
tar xvzf scy_linux_x64.tar.gz
cp scy /usr/local/bin

Usage
scy -h

You can use any afs-supported storage, including the following secret store managers:

To use AWS, make sure the following files are present:

~/.aws/config
[default]
region = us-west-1

~/.aws/credentials
[default]
aws_access_key_id = KEY HERE
aws_secret_access_key = SECRET HERE

To use GCP auth

export GOOGLE_APPLICATION_CREDENTIALS=myGoogle.secret

Securing (creating) secrets

Notes:

  • -d/--dest is any afs URL (local path, GCP Secret Manager, AWS Secret Manager/SSM, etc.).
  • -k/--key is the KMS key reference (e.g., blowfish://default, gcp://kms/...).
  • -s/--src can point to a JSON file with the target payload. For raw, basic, and key, you can omit -s to be prompted interactively.

Raw (text)

Interactive entry (prompts twice):

scy secure -d=gcp://secretmanager/projects/viant-e2e/secrets/my_raw_secret1 -k=blowfish://default -t=raw

From file:

scy secure -s=./mysecret.txt -d=gcp://secretmanager/projects/acme/secrets/raw1 -k=blowfish://default -t=raw

Key (env key/value)

Interactive entry for key id and secret:

scy secure -d=./secret_key.json -k=blowfish://default -t=key

From file (secret_key.json):

{"Key":"MY_API_KEY","Secret":"super-secret"}
scy secure -s=secret_key.json -d=gcp://secretmanager/projects/acme/secrets/api_key -k=blowfish://default -t=key

Basic credential

Interactive entry for username/password:

scy secure -d=./basic.json -k=blowfish://default -t=basic

From file (unsecure_cred.json):

{"Username":"alice","Password":"p@ssw0rd","Email":"alice@example.com"}
scy secure -s=unsecure_cred.json -d=secure_cred.json -k=blowfish://default -t=basic

SHA1

From file (mySHA1.json):

{"IntegrityKey":"base64encodedIntegrityKey","Key":"base64encodedKey"}
scy secure -s=mySHA1.json -d=gcp://secretmanager/projects/myProject/secrets/my_secret1 -k=blowfish://default -t=sha1

SSH

From file (ssh.json):

{
  "Username": "ubuntu",
  "Password": "",
  "PrivateKeyPath": "~/.ssh/id_rsa",
  "PrivateKeyPassword": "optional-passphrase"
}
scy secure -s=ssh.json -d=gcp://secretmanager/projects/acme/secrets/ssh1 -k=blowfish://default -t=ssh

You can also inline a private key payload (PEM) as PrivateKeyPayload instead of PrivateKeyPath.

AWS

From file (aws.json):

{
  "Id": "aws-user-id",
  "Region": "us-west-1",
  "Endpoint": "",
  "Session": {"RoleArn":"arn:aws:iam::123456789012:role/MyRole","Name":"my-session"},
  "Key": "AWS_ACCESS_KEY_ID",
  "Secret": "AWS_SECRET_ACCESS_KEY"
}
scy secure -s=aws.json -d=aws://secretmanager/us-west-1/secret/prod/my/app -k=blowfish://default -t=aws

Generic

Generic can hold Basic, SecretKey, SSH, or JWT fields. Example with basic-style fields (generic.json):

{"Username":"svcuser","Password":"svcpass"}
scy secure -s=generic.json -d=gcp://secretmanager/projects/acme/secrets/generic1 -k=blowfish://default -t=generic

JWT config

From file (jwt.json):

{
  "client_email": "svc@project.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "private_key_id": "abcd1234",
  "token_url": "https://oauth2.googleapis.com/token"
}
scy secure -s=jwt.json -d=gcp://secretmanager/projects/acme/secrets/jwtcfg -k=blowfish://default -t=jwt

OAuth2 config

From file (oauth2.json):

{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_url": "http://localhost/callback",
  "endpoint": {"auth_url":"https://provider/authorize","token_url":"https://provider/token"}
}
scy secure -s=oauth2.json -d=gcp://secretmanager/projects/acme/secrets/oauth2cfg -k=blowfish://default -t=oauth2

Revealing secrets

Prints the decrypted value, or JSON when the secret is structured:

# Raw
scy reveal -s=gcp://secretmanager/projects/viant-e2e/secrets/my_raw_secret1 -k=blowfish://default -t=raw

# Key
scy reveal -s=./secret_key.json -k=blowfish://default -t=key

# Basic
scy reveal -s=secure_cred.json -k=blowfish://default -t=basic

# SHA1
scy reveal -s=gcp://secretmanager/projects/myProject/secrets/my_secret1 -k=blowfish://default -t=sha1

# SSH
scy reveal -s=gcp://secretmanager/projects/acme/secrets/ssh1 -k=blowfish://default -t=ssh

# AWS
scy reveal -s=aws://secretmanager/us-west-1/secret/prod/my/app -k=blowfish://default -t=aws

# Generic
scy reveal -s=gcp://secretmanager/projects/acme/secrets/generic1 -k=blowfish://default -t=generic

# JWT config
scy reveal -s=gcp://secretmanager/projects/acme/secrets/jwtcfg -k=blowfish://default -t=jwt

# OAuth2 config
scy reveal -s=gcp://secretmanager/projects/acme/secrets/oauth2cfg -k=blowfish://default -t=oauth2
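Taken together, secure and reveal are one round trip: serialize the typed payload, encrypt it under the key referenced by -k, write it to -d, and later load it from -s, decrypt it and decode it according to -t. The Go program below is an added illustration of that round trip and is not code from the scy project. It replaces the afs destination with an in-memory map and hashes the -k reference into an AES-256-GCM key (a hypothetical stand-in for scy's KMS lookup and its blowfish:// scheme; scy's real storage format is not reproduced). Because GCM authenticates the ciphertext, revealing with the wrong key or after a single flipped byte fails instead of returning garbage, which is the property a practitioner should expect from any secret store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
)

// Basic mirrors the -t=basic payload shape from the README examples.
type Basic struct {
	Username string `json:"Username"`
	Password string `json:"Password"`
	Email    string `json:"Email,omitempty"`
}

// store is a constructed in-memory stand-in for an afs destination (dest URL -> sealed bytes).
var store = map[string][]byte{}

// newGCM is a hypothetical stand-in for resolving a -k reference (e.g. blowfish://default) through a KMS:
// the reference is hashed into a 32-byte AES key and wrapped in AES-256-GCM.
func newGCM(keyRef string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(keyRef))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext; the random nonce is prefixed to ciphertext+tag.
func seal(keyRef string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(keyRef)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or any modified byte fails the authentication tag check.
func unseal(keyRef string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(keyRef)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed payload too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Secure plays the role of `scy secure`: a raw []byte is stored as-is, any other payload is JSON-encoded first.
func Secure(dest, keyRef string, payload any) error {
	plain, isRaw := payload.([]byte)
	if !isRaw {
		var err error
		if plain, err = json.Marshal(payload); err != nil {
			return err
		}
	}
	sealed, err := seal(keyRef, plain)
	if err != nil {
		return err
	}
	store[dest] = sealed
	return nil
}

// Reveal plays the role of `scy reveal`: unseal, then decode according to the -t target.
func Reveal(src, keyRef, target string) (any, error) {
	sealed, ok := store[src]
	if !ok {
		return nil, fmt.Errorf("no secret at %s", src)
	}
	plain, err := unseal(keyRef, sealed)
	if err != nil {
		return nil, fmt.Errorf("reveal %s: %w", src, err)
	}
	switch target {
	case "raw":
		return string(plain), nil
	case "basic":
		var b Basic
		err = json.Unmarshal(plain, &b)
		return b, err
	}
	return nil, fmt.Errorf("unsupported target %q", target)
}

func main() {
	_ = Secure("mem://secure_cred.json", "blowfish://default", Basic{Username: "alice", Password: "p@ssw0rd"})
	fmt.Println(Reveal("mem://secure_cred.json", "blowfish://default", "basic"))
	fmt.Println(Reveal("mem://secure_cred.json", "blowfish://other", "basic")) // wrong key: error, not garbage
}
```

The target switch is where scy's -t flag matters: the same sealed bytes are only meaningful once decoded into the struct the caller expects, so a mismatched target surfaces as a decode error rather than a silently wrong credential.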

JWT helpers

  • Sign claims (from JSON file):

echo '{"user_id":123,"email":"dev@viantinc.com"}' > claims.json
scy signJwt -s=claims.json -r=./private.scy -k=blowfish://default -e=3600

  • Verify token:

scy verifyJwt -s=./token.txt -r=./public.scy -k=blowfish://default

  • Verify Firebase token:

scy verifyJwt -s=./token.txt --firebase -p=my-gcp-project
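What signJwt and verifyJwt do with an RSA key pair, written out as an added Go example that is not scy's implementation: sign the claims with RS256 after adding iat and an exp derived from the -e TTL, then verify by pinning the algorithm (the token's alg header is checked, never used to choose the verifier), checking the signature before trusting any claim, and enforcing exp. NewKeyPair, SignJwt and VerifyJwt are this example's own names; the README's private.scy/public.scy are assumed to hold an RSA pair (matching the -r/--rsa flag), which the example generates in memory instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// NewKeyPair generates a throwaway RSA key; the README's private.scy/public.scy hold a persisted, secured pair.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignJwt mirrors `scy signJwt -e=<ttlSec>`: iat/exp are added to the claims and the token is signed with RS256.
func SignJwt(priv *rsa.PrivateKey, claims map[string]any, ttlSec int, now time.Time) (string, error) {
	full := make(map[string]any, len(claims)+2)
	for k, v := range claims {
		full[k] = v
	}
	full["iat"] = now.Unix()
	full["exp"] = now.Add(time.Duration(ttlSec) * time.Second).Unix()
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(full)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyJwt mirrors `scy verifyJwt -r=<public key>`: the algorithm is pinned to RS256 (the header is
// checked but never used to pick the verifier), the signature is checked first, then exp is enforced.
func VerifyJwt(pub *rsa.PublicKey, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err1 := enc.DecodeString(parts[0])
	rawClaims, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]any
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, err
	}
	exp, ok := claims["exp"].(float64)
	if !ok {
		return nil, errors.New("missing exp claim")
	}
	if !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	priv, _ := NewKeyPair()
	tok, _ := SignJwt(priv, map[string]any{"user_id": 123, "email": "dev@viantinc.com"}, 3600, time.Now())
	fmt.Println(VerifyJwt(&priv.PublicKey, tok, time.Now()))
}
```

The ordering in VerifyJwt is deliberate: claims are decoded only after the signature is valid, so nothing in an unauthenticated payload (including a forged exp) influences the decision.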

OAuth2 authorization

Start an OAuth2 flow using a stored config and basic credentials:

scy authorize -a=Browser \
  -c=gcp://secretmanager/projects/acme/secrets/oauth2cfg|blowfish://default \
  -e=gcp://secretmanager/projects/acme/secrets/basic.json|blowfish://default \
  -s=https://www.googleapis.com/auth/cloud-platform \
  --usePKCE
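What --usePKCE adds to the Browser flow, as an added Go example that is not scy's code: the client generates a random code_verifier, puts only its S256 code_challenge on the authorization redirect built from the oauth2.json fields (client_id, redirect_url, endpoint.auth_url), and presents the verifier when it redeems the authorization code, so a code intercepted on the redirect cannot be exchanged without it. The OAuth2Config struct and the function names are this example's own; ChallengeMatches is the comparison the provider's token endpoint performs, included to show both halves of the exchange.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// OAuth2Config mirrors the fields of the README's oauth2.json; only client_id, redirect_url and
// endpoint.auth_url are needed to build the authorization redirect.
type OAuth2Config struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	RedirectURL  string `json:"redirect_url"`
	Endpoint     struct {
		AuthURL  string `json:"auth_url"`
		TokenURL string `json:"token_url"`
	} `json:"endpoint"`
}

// NewCodeVerifier returns a fresh high-entropy verifier: 32 random bytes encode to 43 unpadded
// base64url characters, inside the 43..128 character range RFC 7636 requires.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 computes BASE64URL(SHA256(ASCII(verifier))) without padding.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationURL builds the redirect a Browser flow opens. Only the challenge leaves the client;
// the verifier is held back until the code is exchanged at token_url.
func AuthorizationURL(cfg OAuth2Config, scopes []string, state, verifier string) (string, error) {
	u, err := url.Parse(cfg.Endpoint.AuthURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", cfg.RedirectURL)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", CodeChallengeS256(verifier))
	q.Set("code_challenge_method", "S256")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ChallengeMatches is the check the token endpoint performs when the code is redeemed with the verifier.
func ChallengeMatches(verifier, challenge string) bool {
	return subtle.ConstantTimeCompare([]byte(CodeChallengeS256(verifier)), []byte(challenge)) == 1
}

func main() {
	verifier, _ := NewCodeVerifier()
	var cfg OAuth2Config // constructed from the README's oauth2.json placeholders
	cfg.ClientID, cfg.RedirectURL = "YOUR_CLIENT_ID", "http://localhost/callback"
	cfg.Endpoint.AuthURL = "https://provider/authorize"
	u, _ := AuthorizationURL(cfg, []string{"https://www.googleapis.com/auth/cloud-platform"}, "constructed-state", verifier)
	fmt.Println(u)
}
```

The state parameter is generated per request and checked on the callback alongside the verifier; PKCE binds the code to the client that started the flow, state binds the callback to the browser session that started it.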

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Auth added in v0.9.0

func Auth(auth *AuthCmd) error

Auth handles authentication

func AuthFirebase added in v0.9.0

func AuthFirebase(auth *AuthCmd) error

AuthFirebase handles Firebase authentication

func Authorize added in v0.20.0

func Authorize(auth *AuthorizeCmd) error

Authorize handles authorization

func Reveal

func Reveal(reveal *RevealCmd) error

Reveal reveals secret

func Run

func Run(args []string)

func RunWithCommands added in v0.20.0

func RunWithCommands(args []string)

RunWithCommands runs the command-based CLI

func Secure

func Secure(secure *SecureCmd) error

Secure secures secrets

func SignJwtClaim added in v0.2.1

func SignJwtClaim(sign *SignJwtCmd) error

SignJwtClaim signs JWT claims

func VerifyFirebaseJwtClaim added in v0.9.0

func VerifyFirebaseJwtClaim(ctx context.Context, verify *VerifyJwtCmd) error

VerifyFirebaseJwtClaim verifies Firebase JWT claims

func VerifyJwtClaim added in v0.2.1

func VerifyJwtClaim(verify *VerifyJwtCmd) error

VerifyJwtClaim verifies JWT claims

Types

type AuthCmd added in v0.20.0

type AuthCmd struct {
	TypedSource

	Firebase  bool   `short:"f" long:"firebase" description:"firebase"`
	Key       string `short:"k" long:"key" description:"key i.e blowfish://default"`
	ProjectId string `short:"p" long:"projectId" description:"project id"`
}

AuthCmd command for authentication

func (*AuthCmd) Execute added in v0.20.0

func (a *AuthCmd) Execute(args []string) error

Execute runs the auth command

func (*AuthCmd) Init added in v0.20.0

func (a *AuthCmd) Init()

Init normalizes file locations

func (*AuthCmd) Validate added in v0.20.0

func (a *AuthCmd) Validate() error

Validate validates the auth command options

type AuthorizeCmd added in v0.20.0

type AuthorizeCmd struct {
	AuthFlow   string   `short:"a" long:"authFlow" description:"authentication flow (Browser or OOB)" choice:"OOB" choice:"Browser" `
	ConfigURL  string   `short:"c" long:"configURL" description:"OAuth2 config URL"`
	SecretsURL string   `short:"e" long:"secretsURL" description:"secrets URL for username/password"`
	Scopes     []string `short:"s" long:"scopes" description:"OAuth2 scopes"`
	UsePKCE    bool     `short:"p" long:"usePKCE" description:"use PKCE for OAuth2 flow"`
	Key        string   `short:"k" long:"key" description:"key i.e blowfish://default"`
}

AuthorizeCmd command for authorization

func (*AuthorizeCmd) Execute added in v0.20.0

func (a *AuthorizeCmd) Execute(args []string) error

Execute runs the authorize command

func (*AuthorizeCmd) Init added in v0.20.0

func (a *AuthorizeCmd) Init()

Init normalizes file locations

func (*AuthorizeCmd) Validate added in v0.20.0

func (a *AuthorizeCmd) Validate() error

Validate validates the authorize command options

type Options

type Options struct {
	Secure    *SecureCmd    `command:"secure" description:"secures secrets"`
	Reveal    *RevealCmd    `command:"reveal" description:"reveals secrets"`
	SignJwt   *SignJwtCmd   `command:"signJwt" description:"sign JWT"`
	VerifyJwt *VerifyJwtCmd `command:"verifyJwt" description:"verify JWT"`
	Authorize *AuthorizeCmd `command:"authorize" description:"authorize using OAuth2"`
}

Options is the main command structure with command annotations

func (*Options) Init added in v0.5.0

func (options *Options) Init(args string)

Init normalizes file locations

type RevealCmd added in v0.20.0

type RevealCmd struct {
	TypedSource
	Key string `short:"k" long:"key" description:"key i.e blowfish://default"`
}

RevealCmd command for revealing secrets

func (*RevealCmd) Execute added in v0.20.0

func (r *RevealCmd) Execute(args []string) error

Execute runs the reveal command

func (*RevealCmd) Init added in v0.20.0

func (r *RevealCmd) Init()

Init normalizes file locations

func (*RevealCmd) Validate added in v0.20.0

func (r *RevealCmd) Validate() error

Validate validates the reveal command options

type SecureCmd added in v0.20.0

type SecureCmd struct {
	TypedSource
	DestURL string `short:"d" long:"dest" description:"dest location"`
	Key     string `short:"k" long:"key" description:"key i.e blowfish://default"`
}

func (*SecureCmd) Execute added in v0.20.0

func (s *SecureCmd) Execute(args []string) error

Execute runs the secure command

func (*SecureCmd) Init added in v0.20.0

func (s *SecureCmd) Init()

Init normalizes file locations

func (*SecureCmd) Validate added in v0.20.0

func (s *SecureCmd) Validate() error

Validate validates the secure command options

type SignJwtCmd added in v0.20.0

type SignJwtCmd struct {
	TypedSource
	RSAKey    string `short:"r" long:"rsa" description:"private/public key location"`
	HMacKey   string `short:"a" long:"hmac" description:"hmac key location (base64 encoded)"`
	ExpirySec int    `short:"e" long:"expiry" description:"expiry TTL in sec"`
	Key       string `short:"k" long:"key" description:"key i.e blowfish://default"`
}

SignJwtCmd command for signing JWT tokens

func (*SignJwtCmd) Execute added in v0.20.0

func (s *SignJwtCmd) Execute(args []string) error

Execute runs the signJwt command

func (*SignJwtCmd) Init added in v0.20.0

func (s *SignJwtCmd) Init()

Init normalizes file locations

func (*SignJwtCmd) Validate added in v0.20.0

func (s *SignJwtCmd) Validate() error

Validate validates the signJwt command options

type TypedSource added in v0.20.0

type TypedSource struct {
	SourceURL string `short:"s" long:"src" description:"source location"`
	Target    string `` /* 192-byte string literal not displayed */
}

type VerifyJwtCmd added in v0.20.0

type VerifyJwtCmd struct {
	TypedSource
	RSAKey    string `short:"r" long:"rsa" description:"private/public key location"`
	HMacKey   string `short:"a" long:"hmac" description:"hmac key location (base64 encoded)"`
	Firebase  bool   `short:"f" long:"firebase" description:"firebase"`
	Key       string `short:"k" long:"key" description:"key i.e blowfish://default"`
	ProjectId string `short:"p" long:"projectId" description:"project id"`
}

VerifyJwtCmd command for verifying JWT tokens

func (*VerifyJwtCmd) Execute added in v0.20.0

func (v *VerifyJwtCmd) Execute(args []string) error

Execute runs the verifyJwt command

func (*VerifyJwtCmd) Init added in v0.20.0

func (v *VerifyJwtCmd) Init()

Init normalizes file locations

func (*VerifyJwtCmd) Validate added in v0.20.0

func (v *VerifyJwtCmd) Validate() error

Validate validates the verifyJwt command options
