author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2023-01-13 16:22:46 +0100 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2023-06-08 14:09:18 +0200 |
commit | bbfb25f4b923bde7bcff7ef69e6e83e90440e704 (patch) | |
tree | 225f6e17270b20239288da4566d294531ae59024 /docs/CREDENTIALS.md | |
parent | execute: Make credential_search_path() more flexible (diff) | |
creds: Add ImportCredential=
ImportCredential= takes a credential name and searches for a matching
credential in all the credential stores we know about. It supports
globs which are expanded so that all matching credentials are loaded.
Diffstat (limited to 'docs/CREDENTIALS.md')
-rw-r--r-- | docs/CREDENTIALS.md | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/docs/CREDENTIALS.md b/docs/CREDENTIALS.md index 083c7ecc3c..2f6bdd44b2 100644 --- a/docs/CREDENTIALS.md +++ b/docs/CREDENTIALS.md @@ -72,6 +72,9 @@ Within unit files, there are four settings to configure service credentials. 1. `LoadCredential=` may be used to load a credential from disk, from an `AF_UNIX` socket, or propagate them from a system credential. +2. `ImportCredential=` may be used to load one or more (encrypted) credentials + from disk or from the credential stores. + 2. `SetCredential=` may be used to set a credential to a literal string encoded in the unit file. Because unit files are world-readable (both on disk and via D-Bus), this should only be used for credentials that aren't sensitive, @@ -323,7 +326,7 @@ systemd-creds --system cat mycred Or propagated to services further down: ``` -systemd-run -p LoadCredential=mycred -P --wait systemd-creds cat mycred +systemd-run -p ImportCredential=mycred -P --wait systemd-creds cat mycred ``` ## Well-Known Credentials 
@@ -430,13 +433,14 @@ a container manager or via qemu) and `/run/credentials/@encrypted/` (for credentials that must be decrypted/validated before use, such as those from `systemd-stub`). -The `LoadCredential=` and `LoadCredentialEncrypted=` settings when configured -with a relative source path will search for the source file to read the -credential from automatically. Primarily, these credentials are searched among -the credentials passed into the system. If not found there, they are searched -in `/etc/credstore/`, `/run/credstore/`, +The `ImportCredential=` setting (and the `LoadCredential=` and +`LoadCredentialEncrypted=` settings when configured with a relative source path) +will search for the source file to read the credential from automatically. Primarily, +these credentials are searched among the credentials passed into the system. If +not found there, they are searched in `/etc/credstore/`, `/run/credstore/`, `/usr/lib/credstore/`. `LoadCredentialEncrypted=` will also search -`/etc/credstore.encrypted/` and similar directories. These directories are +`/etc/credstore.encrypted/` and similar directories. `ImportCredential` will search +both the non-encrypted and encrypted directories. These directories are hence a great place to store credentials to load on the system. ## Conditionalizing Services |
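Review bot: In the first hunk (@@ -72,6 +72,9 @@), the new `ImportCredential=` entry is numbered `2.` while the following `SetCredential=` entry keeps its own `2.`, and the context line above still reads "there are four settings to configure service credentials" although the list gains an entry. Renumber the items that follow and update the count in that sentence. The commit message says the setting supports globs that expand to all matching credentials, but the added item only says "one or more"; a short clause about glob matching would tell the reader how more than one credential ends up loaded.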
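Review bot: In the third hunk (@@ -430,13 +433,14 @@), the added sentence writes `ImportCredential` without the trailing `=` that every other mention of the setting in this patch uses; make it `ImportCredential=`. The same sentence says the setting searches "both the non-encrypted and encrypted directories" but does not say which is consulted first or what happens when the same name exists in both, which matters for anyone relying on the encrypted store so that a credential is decrypted and validated before use. Stating the search order here, and listing the encrypted directories rather than "`/etc/credstore.encrypted/` and similar directories", would remove the ambiguity.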