Using token only to generate a new config (for later usage) requires at least one read operation to bind the token and fully populate config.json
In order to retrieve secrets, you must first initialize the secrets manager client.
The NewSecretsManager function will initialize Secrets Manager from provided parameters and store settings from ClientOptions struct.
Retrieve Secrets
Response
Type:[]*Record
Records with the specified UIDs, or all records shared with the Secrets Manager client if no UIDs are provided
Example Usage
Retrieve all Secrets
Retrieve Secrets with a Filter
Retrieve Secrets by Title
Example Usage
Get Values From a Secret
Get a Password
secret.GetFieldsByType("password")
clientOptions := &ksm.ClientOptions{
Token: "[One Time Access Token]",
Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
sm := ksm.NewSecretsManager(clientOptions)
// Get all records
allRecords, err := sm.GetSecrets([]string{})
if err != nil {
println("Error retrieving all records: ", err.Error())
os.Exit(1)
}
// Get first record
firstRecord := allRecords[0]
// Get first field in a record of type password
passwordField := map[string]interface{}{}
if passwordFields := firstRecord.GetFieldsByType("password"); len(passwordFields) > 0 {
passwordField = passwordFields[0]
}
Retrieve Values using Keeper Notation
sm.GetNotation(query)
clientOptions := &ksm.ClientOptions{
Token: "[One Time Access Token]",
Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
sm := ksm.NewSecretsManager(clientOptions)
// Get password from record with the given UID
value, err := sm.GetNotation("[Record UID]/field/password")
if err == nil && len(value) > 0 {
if password, ok := value[0].(string); ok {
println("Successfully retrieved field value using notation")
}
}
Parameter
Type
Required
Default
Description
query
String
Yes
Keeper Notation query for getting a value from a specified field
Returns
Type: []interface{}
The value of the queried field
Retrieve TOTP Code
GetTotpCode(url)
clientOptions := &ksm.ClientOptions{
Token: "[One Time Access Token]",
Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
sm := ksm.NewSecretsManager(clientOptions)
// Get all records
allRecords, err := sm.GetSecrets([]string{})
if err == nil {
// Get TOTP url from record
urls, err := sm.GetNotation("[Record UID]/field/OneTimeCode")
if err == nil && len(urls) == 1 {
// Get TOTP code from url
url := urls[0].(string)
totp, err := ksm.GetTotpCode(url)
if err == nil {
println(totp.Code, totp.TimeLeft)
}
}
}
Parameter
Type
Required
Default
Description
url
string
Yes
TOTP Url
Update a Secret
Record update commands don't update local record data on success (esp. updated record revision) so any consecutive updates to an already updated record will fail due to revision mismatch. Make sure to reload all updated records after each update batch.
Update Password
(r *Record) SetPassword(password string)
Parameter
Type
Required
Default
Description
password
string
Yes
New password to set to the record
Update Other Fields
(r *Record) SetFieldValueSingle(field string, value string)
Update Secret in Vault
Save the record to make the changes made appear in the
Example Usage
Update Password
Update other fields
Generate a Random Password
Each parameter indicates the minimum number of a type of character to include. For example, uppercase indicates the minimum uppercase letters to include.
Download a File
Response
Type:bool
Did the file save succeed
Example Usage
Upload a File
Example Usage
Create a Secret
Prerequisites:
Shared folder UID
Shared folder must be accessible by the Secrets Manager Application
You and the Secrets Manager application must have edit permission
There must be at least one record in the shared folder
Created records and record fields must be formatted correctly
TOTP fields accept only URL generated outside of the KSM SDK
This example creates a login type record with a login value and a generated password.
Replace [FOLDER UID] in the example with the UID of a shared folder that your Secrets Manager has access to.
// create a new login record
newLoginRecord := NewRecordCreate("login", "Sample KSM Record: Go SDK")
// fill in login and password fields
password, _ := GeneratePassword(32,0,0,0,0)
newLoginRecord.Fields = append(newLoginRecord.Fields,
NewLogin("username@email.com"),
NewPassword(password))
// fill in notes
newLoginRecord.Notes = "This is a Go record creation example"
// create the new record
recordUid, err := secretsManager.CreateSecretWithRecordData("", "[FOLDER UID]", newLoginRecord)
Replace [FOLDER UID] in the example with the UID of a shared folder that your Secrets Manager has access to.
This example creates a record with a custom record type.
customLogin := ksm.NewRecordCreate("Custom Login", "Sample Custom Type KSM Record: Go SDK")
password, _ := ksm.GeneratePassword(32, 0, 0, 0, 0)
customLogin.Fields = append(customLogin.Fields,
ksm.NewHosts(ksm.Host{Hostname: "127.0.0.1", Port: "8080"}),
ksm.NewLogin("login@email.com"),
ksm.NewPassword(password),
ksm.NewUrl("http://localhost:8080/login"),
ksm.NewSecurityQuestions(ksm.SecurityQuestion{Question: "What is one plus one (write just a number)", Answer: "2"}),
ksm.NewPhones(ksm.Phone{Region: "US", Number: "510-444-3333", Ext: "2345", Type: "Mobile"}),
ksm.NewDate(1641934793000),
ksm.NewNames(ksm.Name{First: "John", Middle: "Patrick", Last: "Smith"}),
ksm.NewOneTimeCode("otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"),
)
customLogin.Custom = append(customLogin.Custom,
ksm.NewPhones(ksm.Phone{Region: "US", Number: "510-222-5555", Ext: "99887", Type: "Mobile"}),
ksm.NewPhones(ksm.Phone{Region: "US", Number: "510-111-3333", Ext: "45674", Type: "Mobile"}),
)
customLogin.Notes = "\tThis custom type record was created\n\tvia Go SDK copied from https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/golang-sdk"
recordUid, err := sm.CreateSecretWithRecordData("", "[FOLDER UID]", customLogin)
Delete a Secret
The Go KSM SDK can delete records in the Keeper Vault.
secretsManager.DeleteSecrets(recordUids)
Parameter
Type
Required
recordUids
[]string
Yes
import ksm "github.com/keeper-security/secrets-manager-go/core"
func main() {
// setup secrets manager
options := &ksm.ClientOptions{
// Token: "<One Time Access Token>",
Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
secretsManager := ksm.NewSecretsManager(options)
// delete a specific secret by record UID
secrets, err = secretsManager.DeleteSecrets([]string{"EG6KdJaaLG7esRZbMnfbFA"})
}
Caching
To protect against losing access to your secrets when network access is lost, the Go SDK allows caching of secrets to the local machine in an encrypted file.
Setup and Configure Cache
In order to setup caching in the Go SDK, use the function SetCache(cache ICache) to set the cache to either one of the built-in memory or file based caches or use your own implementation.
The Go SDK includes a memory based cache and a file based cache for convenience.
options := &ksm.ClientOptions{Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
sm := ksm.NewSecretsManager(options)
// Memory based cache
memCache := ksm.NewMemoryCache()
sm.SetCache(memCache)
// File based cache
fileCache := ksm.NewFileCache("ksm_cache.bin")
sm.SetCache(fileCache)
Folders
Folders have full CRUD support - create, read, update and delete operations.
Read Folders
Downloads full folder hierarchy.
GetFolders() ([]*KeeperFolder, error)
Response
Type:[]*KeeperFolder, error
Example Usage
package main
import ksm "github.com/keeper-security/secrets-manager-go/core"
func main() {
options := &ksm.ClientOptions{Config: ksm.NewFileKeyValueStorage("ksm-config.json")}
sm := ksm.NewSecretsManager(options)
folders, err := sm.GetFolders()
}
Create a Folder
Requires CreateOptions and folder name to be provided. The folder UID parameter in CreateOptions is required - UID of a shared folder, while sub-folder UID is optional and if missing new regular folder is created directly under the parent (shared folder). There's no requirement for the sub-folder to be a direct descendant of the parent shared folder - it could be many levels deep.
Removes a list of folders. Use forceDeletion flag to remove non-empty folders.
When using forceDeletion avoid sending parent with its children folder UIDs. Depending on the delete order you may get an error - ex. if parent force-deleted child first. There's no guarantee that list will always be processed in FIFO order.
Any folders UIDs missing from the vault or not shared to the KSM Application will not result in error.