From ccceb8408d08fdafbecc62eb13880269df77d8ec Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 8 Jun 2026 17:41:18 +0000 Subject: [PATCH 1/2] Update store_types.json for all:latest --- cmd/store_types.json | 155 ++++++++++++++++++++++++++++++++++--------- store_types.json | 155 ++++++++++++++++++++++++++++++++++--------- 2 files changed, 246 insertions(+), 64 deletions(-) diff --git a/cmd/store_types.json b/cmd/store_types.json index 24e67854..719c5a00 100644 --- a/cmd/store_types.json +++ b/cmd/store_types.json @@ -447,6 +447,34 @@ "ClientMachineDescription": "This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth.", "StorePathDescription": "A single specified AWS Region the store will operate in. Additional regions should get their own store defined." }, + { + "Name": "Airlock Application Firewall Certificate", + "ShortName": "AirlockWAF", + "Capability": "AirlockWAF", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": true, + "Enrollment": false, + "Remove": false + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Required", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Allowed" + }, { "Name": "Akamai Certificate Provisioning Service", "ShortName": "Akamai", 
@@ -999,7 +1027,22 @@ "PrivateKeyAllowed": "Optional", "JobProperties": [], "Properties": [], - "EntryParameters": [] + "EntryParameters": [ + { + "Name": "VirtualServiceBindings", + "DisplayName": "Virtual Service Bindings", + "Type": "String", + "DefaultValue": "", + "DependsOn": "", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Description": "Comma-separated list of virtual service bindings in 'virtId:servicePort' format. Each binding identifies the virtual server ID and the service port to which the certificate should be bound. Example: '1:443' for a single binding, or '1:443,2:443,my-virt:8443' for multiple bindings. Returned during inventory to show which virtual services each certificate is currently bound to." + } + ] }, { "Name": "Azure Application Gateway Certificate Binding", @@ -1271,14 +1314,6 @@ "DefaultValue": "public,china,germany,government", "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DefaultValue": "true", - "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", - "Required": true } ], "PasswordOptions": { @@ -1465,14 +1500,6 @@ "DefaultValue": "public,china,germany,government", "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DefaultValue": "true", - "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", - "Required": true } ], "PasswordOptions": { @@ -2054,7 +2081,7 @@ "SupportedOperations": { "Add": true, "Create": false, - "Discovery": false, + "Discovery": true, "Enrollment": false, "Remove": false }, 
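Review bot: The `@@ -1271` and `@@ -1465` hunks delete the `ServerUseSsl` property from both Azure store types without a replacement, so the only operator-visible switch governing whether the orchestrator contacts the server over TLS disappears along with its `"true"` default. If the extension now always uses HTTPS that is the right outcome, but nothing in this patch says so; it should be stated where a store operator sees it, e.g. in the `ClientMachineDescription` of these two types (outside these hunks), and if the extension still reads the key its absence must resolve to TLS on rather than off. Operators who had set it to `false` will also lose that setting silently on upgrade, which is worth a line in the release notes. The same two deletions appear in the matching hunks for store_types.json.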
@@ -2131,7 +2158,7 @@
 ],
 "EntryParameters": [],
 "ClientMachineDescription": "The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access. For SSH Access, Port 22 will be used.",
- "StorePathDescription": "The Store Path field should always be / unless we later determine there are alternate locations needed.",
+ "StorePathDescription": "The store path uses the format domain\\directory (e.g., default\\pubcert, production-api\\cert). The Discovery job can automatically find all valid store paths on an appliance.",
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
@@ -2772,7 +2799,55 @@ "Name": "tags", "DisplayName": "Tags", "Type": "String", - "Description": "One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN", + "Description": "An optional list of one-to-many comma delimited Organization level tag Key:Value combinations. Values should be entered as tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "labels", + "DisplayName": "Labels", + "Type": "String", + "Description": "An optional list of one-to-many comma delimited label key:value pairs to assign to the secret. Values should be entered as key1:value1,key2:value2,...,keyN:valueN.", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "replicationRegions", + "DisplayName": "Replication Regions", + "Type": "String", + "Description": "An optional list of valid comma delimited GCP regions to replicate secrets to (user managed replication). If left blank, GCP default behavior (automatic replication) will be executed. Values can also be entered as region1:path1,region2:path2,...,regionN:pathN if providing a kmsKeyName path for each region is desired.", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "ttlDuration", + "DisplayName": "TTL Duration", + "Type": "String", + "Description": "An optional number of days to provide after which a secret will be deleted. 
If not provided, secret will stay around until explicitly deleted.", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "versionDestroyTtlDuration", + "DisplayName": "Version Destroy TTL Duration", + "Type": "String", + "Description": "An optional number of days to provide after a secret is destroyed that its versions will stay around. If not provided, versions will be permanently destroyed when the secret is destroyed.", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, @@ -2841,10 +2916,10 @@ "PowerShell": false, "PrivateKeyAllowed": "Required", "StorePathType": "", - "StorePathValue": "n/a", + "StorePathValue": "", "SupportedOperations": { "Add": true, - "Create": true, + "Create": false, "Discovery": true, "Enrollment": false, "Remove": true 
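Review bot: `ttlDuration` and `versionDestroyTtlDuration` are described as "a number of days" but are typed `String` with no accepted format stated, so an operator cannot tell whether `30`, `30d` or an ISO duration is expected; the sibling parameters added in the same hunk (`labels`, `replicationRegions`) do spell out their input format. Add the accepted form to each description, e.g. `Enter a whole number of days (e.g. 30).`, so a malformed value is caught at data entry rather than at job time. The mirrored hunk for store_types.json carries the same text.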
@@ -2857,28 +2932,44 @@ "Properties": [ { "Name": "Location", - "DisplayName": "Location", + "DisplayName": "Location (deprecated)", "Type": "String", "DependsOn": "", - "DefaultValue": "global", - "Required": true, + "DefaultValue": "", + "Required": false, "IsPAMEligible": false, - "Description": "The GCP region used for this Certificate Manager instance. **global** is the default but could be another region based on the project." + "Description": "**Deprecated in v1.2.** The GCP location is parsed from Store Path. Leave blank for new stores. v1.1-shape stores (where Store Path is blank or `n/a`) still read this value as a fallback; expect a deprecation warning in the orchestrator log when that path is used." }, { "Name": "ServiceAccountKey", - "DisplayName": "Service Account Key File Path", + "DisplayName": "Service Account Key File Path (deprecated)", "Type": "String", "DependsOn": "", "DefaultValue": "", "Required": false, "IsPAMEligible": false, - "Description": "The file name of the Google Cloud Service Account Key File installed in the same folder as the orchestrator extension. Empty if the orchestrator server resides in GCP and you are not using a service account key." + "Description": "**Deprecated in v1.2.** Leave blank. Authenticate via Application Default Credentials instead (set `GOOGLE_APPLICATION_CREDENTIALS` as a machine-level environment variable on the orchestrator host pointing at the JSON key, or run on a GCE VM / GKE pod with workload identity). The Discovery job has no way to surface this custom property in Keyfactor Command's discovery-job UI, so ADC is the only mechanism that works uniformly across all four job types. v1.1 stores that have this populated continue to work via a deprecation-logged fallback; the field is scheduled for removal in v2.0." 
} ], - "ClientMachineDescription": "GCP Project ID for your account.", - "StorePathDescription": "This is not used and should be defaulted to n/a per the certificate store type set up.", - "EntryParameters": [] + "ClientMachineDescription": "Display label for grouping certificate stores in Keyfactor Command. Recommended value is the GCP Organization ID (e.g. `1005564431893`); the orchestrator does not parse a project ID out of this field. The actual GCP project + location are read from Store Path.", + "StorePathDescription": "Canonical GCP resource path in the form `projects/{projectId}/locations/{location}` (e.g. `projects/edgecerts/locations/global`). This is the single source of truth for which Certificate Manager instance the store targets. For Discovery-approved stores Keyfactor Command auto-fills this from the discovered candidate; for manually-created stores the operator types it directly.", + "EntryParameters": [ + { + "Name": "Scope", + "DisplayName": "Certificate Scope", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "DEFAULT", + "Options": "DEFAULT,ALL_REGIONS,EDGE_CACHE,CLIENT_AUTH", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Description": "GCP Certificate Manager `scope` for this certificate entry. Allowed: `DEFAULT` (global external Application Load Balancers), `ALL_REGIONS` (cross-region internal Application Load Balancers), `EDGE_CACHE` (Media CDN), `CLIENT_AUTH` (mTLS trust configs / authorized client server certs). **Immutable in GCP** - once a certificate is created with a given scope, GCP refuses to change it. Inventory persists the existing scope back from GCP so renewals carry it forward automatically. A single store can hold certs at different scopes (the field is per-entry, not store-wide)." + } + ] }, { "Name": "Hashicorp Vault Key-Value", 
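Review bot: The new `ServiceAccountKey` description packs ADC setup steps, a discovery-UI limitation and a v2.0 removal schedule into a property `Description`, which Keyfactor Command presumably renders as a short field hint in the store-type form; the reader of that form needs only the deprecation and the replacement. Consider trimming it to `**Deprecated in v1.2.** Leave blank; authenticate with Application Default Credentials (`GOOGLE_APPLICATION_CREDENTIALS` or workload identity) instead. Existing values still work with a deprecation warning.` and moving the rationale and removal timeline to the README or changelog. The `Location` description has the same shape and would benefit from the same split. The mirrored hunk for store_types.json carries identical text.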
@@ -3657,7 +3748,7 @@
 "Description": "This should be no value or `kubeconfig`",
 "Type": "Secret",
 "DependsOn": "",
- "DefaultValue": "",
+ "DefaultValue": null,
 "Required": false
 },
 {
diff --git a/store_types.json b/store_types.json
index 24e67854..719c5a00 100644
--- a/store_types.json
+++ b/store_types.json
@@ -447,6 +447,34 @@
 "ClientMachineDescription": "This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth.",
 "StorePathDescription": "A single specified AWS Region the store will operate in. Additional regions should get their own store defined."
 },
+ {
+ "Name": "Airlock Application Firewall Certificate",
+ "ShortName": "AirlockWAF",
+ "Capability": "AirlockWAF",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": false,
+ "Create": false,
+ "Discovery": true,
+ "Enrollment": false,
+ "Remove": false
+ },
+ "Properties": [],
+ "EntryParameters": [],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": true,
+ "Style": "Default"
+ },
+ "StorePathType": "",
+ "StorePathValue": "",
+ "PrivateKeyAllowed": "Required",
+ "JobProperties": [],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Allowed"
+ },
 {
 "Name": "Akamai Certificate Provisioning Service",
 "ShortName": "Akamai",
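Review bot: `"DefaultValue": null` gives this key a second type: every other `DefaultValue` visible in this patch, including other `Secret`-typed properties, is a string (`""`, `"false"`, `"global"`), and a consumer that deserializes the field into a non-nullable string may reject or mangle this one entry. Unless null is needed to distinguish "unset" from "empty" for this `kubeconfig` secret, keep `"DefaultValue": ""`; if null is deliberate, say so in the `Description` so the next maintainer does not normalize it back. The mirrored hunk for store_types.json (`@@ -3657,7 +3748,7 @@` in the second file) makes the same change.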
@@ -999,7 +1027,22 @@ "PrivateKeyAllowed": "Optional", "JobProperties": [], "Properties": [], - "EntryParameters": [] + "EntryParameters": [ + { + "Name": "VirtualServiceBindings", + "DisplayName": "Virtual Service Bindings", + "Type": "String", + "DefaultValue": "", + "DependsOn": "", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Description": "Comma-separated list of virtual service bindings in 'virtId:servicePort' format. Each binding identifies the virtual server ID and the service port to which the certificate should be bound. Example: '1:443' for a single binding, or '1:443,2:443,my-virt:8443' for multiple bindings. Returned during inventory to show which virtual services each certificate is currently bound to." + } + ] }, { "Name": "Azure Application Gateway Certificate Binding", @@ -1271,14 +1314,6 @@ "DefaultValue": "public,china,germany,government", "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DefaultValue": "true", - "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", - "Required": true } ], "PasswordOptions": { @@ -1465,14 +1500,6 @@ "DefaultValue": "public,china,germany,government", "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DefaultValue": "true", - "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", - "Required": true } ], "PasswordOptions": { @@ -2054,7 +2081,7 @@ "SupportedOperations": { "Add": true, "Create": false, - "Discovery": false, + "Discovery": true, "Enrollment": false, "Remove": false }, 
@@ -2131,7 +2158,7 @@
 ],
 "EntryParameters": [],
 "ClientMachineDescription": "The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access. For SSH Access, Port 22 will be used.",
- "StorePathDescription": "The Store Path field should always be / unless we later determine there are alternate locations needed.",
+ "StorePathDescription": "The store path uses the format domain\\directory (e.g., default\\pubcert, production-api\\cert). The Discovery job can automatically find all valid store paths on an appliance.",
 "PasswordOptions": {
 "EntrySupported": false,
 "StoreRequired": false,
@@ -2772,7 +2799,55 @@ "Name": "tags", "DisplayName": "Tags", "Type": "String", - "Description": "One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN", + "Description": "An optional list of one-to-many comma delimited Organization level tag Key:Value combinations. Values should be entered as tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "labels", + "DisplayName": "Labels", + "Type": "String", + "Description": "An optional list of one-to-many comma delimited label key:value pairs to assign to the secret. Values should be entered as key1:value1,key2:value2,...,keyN:valueN.", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "replicationRegions", + "DisplayName": "Replication Regions", + "Type": "String", + "Description": "An optional list of valid comma delimited GCP regions to replicate secrets to (user managed replication). If left blank, GCP default behavior (automatic replication) will be executed. Values can also be entered as region1:path1,region2:path2,...,regionN:pathN if providing a kmsKeyName path for each region is desired.", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "ttlDuration", + "DisplayName": "TTL Duration", + "Type": "String", + "Description": "An optional number of days to provide after which a secret will be deleted. 
If not provided, secret will stay around until explicitly deleted.", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "versionDestroyTtlDuration", + "DisplayName": "Version Destroy TTL Duration", + "Type": "String", + "Description": "An optional number of days to provide after a secret is destroyed that its versions will stay around. If not provided, versions will be permanently destroyed when the secret is destroyed.", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, @@ -2841,10 +2916,10 @@ "PowerShell": false, "PrivateKeyAllowed": "Required", "StorePathType": "", - "StorePathValue": "n/a", + "StorePathValue": "", "SupportedOperations": { "Add": true, - "Create": true, + "Create": false, "Discovery": true, "Enrollment": false, "Remove": true 
@@ -2857,28 +2932,44 @@ "Properties": [ { "Name": "Location", - "DisplayName": "Location", + "DisplayName": "Location (deprecated)", "Type": "String", "DependsOn": "", - "DefaultValue": "global", - "Required": true, + "DefaultValue": "", + "Required": false, "IsPAMEligible": false, - "Description": "The GCP region used for this Certificate Manager instance. **global** is the default but could be another region based on the project." + "Description": "**Deprecated in v1.2.** The GCP location is parsed from Store Path. Leave blank for new stores. v1.1-shape stores (where Store Path is blank or `n/a`) still read this value as a fallback; expect a deprecation warning in the orchestrator log when that path is used." }, { "Name": "ServiceAccountKey", - "DisplayName": "Service Account Key File Path", + "DisplayName": "Service Account Key File Path (deprecated)", "Type": "String", "DependsOn": "", "DefaultValue": "", "Required": false, "IsPAMEligible": false, - "Description": "The file name of the Google Cloud Service Account Key File installed in the same folder as the orchestrator extension. Empty if the orchestrator server resides in GCP and you are not using a service account key." + "Description": "**Deprecated in v1.2.** Leave blank. Authenticate via Application Default Credentials instead (set `GOOGLE_APPLICATION_CREDENTIALS` as a machine-level environment variable on the orchestrator host pointing at the JSON key, or run on a GCE VM / GKE pod with workload identity). The Discovery job has no way to surface this custom property in Keyfactor Command's discovery-job UI, so ADC is the only mechanism that works uniformly across all four job types. v1.1 stores that have this populated continue to work via a deprecation-logged fallback; the field is scheduled for removal in v2.0." 
} ], - "ClientMachineDescription": "GCP Project ID for your account.", - "StorePathDescription": "This is not used and should be defaulted to n/a per the certificate store type set up.", - "EntryParameters": [] + "ClientMachineDescription": "Display label for grouping certificate stores in Keyfactor Command. Recommended value is the GCP Organization ID (e.g. `1005564431893`); the orchestrator does not parse a project ID out of this field. The actual GCP project + location are read from Store Path.", + "StorePathDescription": "Canonical GCP resource path in the form `projects/{projectId}/locations/{location}` (e.g. `projects/edgecerts/locations/global`). This is the single source of truth for which Certificate Manager instance the store targets. For Discovery-approved stores Keyfactor Command auto-fills this from the discovered candidate; for manually-created stores the operator types it directly.", + "EntryParameters": [ + { + "Name": "Scope", + "DisplayName": "Certificate Scope", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "DEFAULT", + "Options": "DEFAULT,ALL_REGIONS,EDGE_CACHE,CLIENT_AUTH", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Description": "GCP Certificate Manager `scope` for this certificate entry. Allowed: `DEFAULT` (global external Application Load Balancers), `ALL_REGIONS` (cross-region internal Application Load Balancers), `EDGE_CACHE` (Media CDN), `CLIENT_AUTH` (mTLS trust configs / authorized client server certs). **Immutable in GCP** - once a certificate is created with a given scope, GCP refuses to change it. Inventory persists the existing scope back from GCP so renewals carry it forward automatically. A single store can hold certs at different scopes (the field is per-entry, not store-wide)." + } + ] }, { "Name": "Hashicorp Vault Key-Value", 
@@ -3657,7 +3748,7 @@ "Description": "This should be no value or `kubeconfig`", "Type": "Secret", "DependsOn": "", - "DefaultValue": "", + "DefaultValue": null, "Required": false }, { From f19858d8e3c4aeeceb4845da2794d09a2c0cc108 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 10 Jun 2026 01:05:48 +0000 Subject: [PATCH 2/2] Update store_types.json for all:latest --- cmd/store_types.json | 531 +++++++++++++++++++++++++++++++++++++++++++ store_types.json | 531 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 1062 insertions(+) diff --git a/cmd/store_types.json b/cmd/store_types.json index 719c5a00..462125e3 100644 --- a/cmd/store_types.json +++ b/cmd/store_types.json 
@@ -447,6 +447,537 @@ "ClientMachineDescription": "This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth.", "StorePathDescription": "A single specified AWS Region the store will operate in. Additional regions should get their own store defined." }, + { + "Name": "AwsSecretsManager JKS", + "ShortName": "AWSSMJKS", + "Capability": "AWSSMJKS", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "UseDefaultSdkAuth", + "DisplayName": "Use Default SDK Auth", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use Default SDK credentials" + }, + { + "Name": "DefaultSdkAssumeRole", + "DisplayName": "Assume new Role using Default SDK Auth", + "Type": "Bool", + "DependsOn": "UseDefaultSdkAuth", + "DefaultValue": "false", + "Required": false, + "IsPAMEligible": false, + "Description": "A switch to enable the store to assume a new Role when using Default SDK credentials" + }, + { + "Name": "UseOAuth", + "DisplayName": "Use OAuth 2.0 Provider", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS" + }, + { + "Name": "OAuthScope", + "DisplayName": "OAuth Scope", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta" + }, + { + "Name": "OAuthGrantType", + "DisplayName": "OAuth Grant Type", + "Type": 
"String", + "DependsOn": "UseOAuth", + "DefaultValue": "client_credentials", + "Required": false, + "IsPAMEligible": false, + "Description": "In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials`" + }, + { + "Name": "OAuthUrl", + "DisplayName": "OAuth Url", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "https://***/oauth2/default/v1/token", + "Required": false, + "IsPAMEligible": false, + "Description": "The token endpoint for the OAuth 2.0 provider" + }, + { + "Name": "OAuthClientId", + "DisplayName": "OAuth Client ID", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The Client ID for OAuth." + }, + { + "Name": "OAuthClientSecret", + "DisplayName": "OAuth Client Secret", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The Client Secret for OAuth." + }, + { + "Name": "UseIAM", + "DisplayName": "Use IAM User Auth", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS" + }, + { + "Name": "IAMUserAccessKey", + "DisplayName": "IAM User Access Key", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The AWS Access Key for an IAM User" + }, + { + "Name": "IAMUserAccessSecret", + "DisplayName": "IAM User Access Secret", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The AWS Access Secret for an IAM User." 
+ }, + { + "Name": "ExternalId", + "DisplayName": "sts:ExternalId", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls" + } + ], + "EntryParameters": [ + { + "Name": "CertificateTags", + "DisplayName": "Certificate Tags", + "Description": "If desired, tags can be applied to the certificate entries in AWS Secrets Manager. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}'", + "Type": "string", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "" + }, + { + "Name": "ReplicaRegions", + "DisplayName": "Replica Regions", + "Description": "To replicate secrets to other regions, you can provide them here as a JSON array in the format: [{ 'KmsKeyId': ''}, {...}]", + "Type": "string", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "StorePathDescription": "The store path contains the AWS region where the SecretsManager resides. It can optionally accept values for tags OR path prefix for identifying secrets to be managed by the cert store instance. 
example:'us-east-2 [prefix='dev/midwest']' or 'us-east1 [tagName='managedBy' tagValue='keyfactor']' ", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": false, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "AwsSecretsManager PEM", + "ShortName": "AWSSMPEM", + "Capability": "AWSSMPEM", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "UseDefaultSdkAuth", + "DisplayName": "Use Default SDK Auth", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use Default SDK credentials" + }, + { + "Name": "DefaultSdkAssumeRole", + "DisplayName": "Assume new Role using Default SDK Auth", + "Type": "Bool", + "DependsOn": "UseDefaultSdkAuth", + "DefaultValue": "false", + "Required": false, + "IsPAMEligible": false, + "Description": "A switch to enable the store to assume a new Role when using Default SDK credentials" + }, + { + "Name": "UseOAuth", + "DisplayName": "Use OAuth 2.0 Provider", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS" + }, + { + "Name": "OAuthScope", + "DisplayName": "OAuth Scope", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta" + }, + { + "Name": "OAuthGrantType", + "DisplayName": "OAuth Grant Type", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "client_credentials", + "Required": false, + "IsPAMEligible": false, + "Description": "In OAuth 2.0, the term 'grant type' refers to the way an application gets an 
access token. In Okta this is `client_credentials`" + }, + { + "Name": "OAuthUrl", + "DisplayName": "OAuth Url", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "https://***/oauth2/default/v1/token", + "Required": false, + "IsPAMEligible": false, + "Description": "The token endpoint for the OAuth 2.0 provider" + }, + { + "Name": "OAuthClientId", + "DisplayName": "OAuth Client ID", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The Client ID for OAuth." + }, + { + "Name": "OAuthClientSecret", + "DisplayName": "OAuth Client Secret", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The Client Secret for OAuth." + }, + { + "Name": "UseIAM", + "DisplayName": "Use IAM User Auth", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS" + }, + { + "Name": "IAMUserAccessKey", + "DisplayName": "IAM User Access Key", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The AWS Access Key for an IAM User" + }, + { + "Name": "IAMUserAccessSecret", + "DisplayName": "IAM User Access Secret", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "The AWS Access Secret for an IAM User." 
+ }, + { + "Name": "ExternalId", + "DisplayName": "sts:ExternalId", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls" + } + ], + "EntryParameters": [ + { + "Name": "CertificateTags", + "DisplayName": "Certificate Tags", + "Description": "If desired, tags can be applied to the certificate entries in AWS Secrets Manager. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}'", + "Type": "string", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "" + }, + { + "Name": "ReplicaRegions", + "DisplayName": "Replica Regions", + "Description": "To replicate secrets to other regions, you can provide them here as a JSON array in the format: [{ 'KmsKeyId': ''}, {...}]", + "Type": "string", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "StorePathDescription": "The store path contains the AWS region where the SecretsManager resides. It can optionally accept values for tags OR path prefix for identifying secrets to be managed by the cert store instance. 
example:'us-east-2 [prefix='dev/midwest']' or 'us-east1 [tagName='managedBy' tagValue='keyfactor']' ",
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [],
+ "ServerRequired": false,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+ },
+ {
+ "Name": "AwsSecretsManager PFX",
+ "ShortName": "AWSSMPFX",
+ "Capability": "AWSSMPFX",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "UseDefaultSdkAuth",
+ "DisplayName": "Use Default SDK Auth",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use Default SDK credentials"
+ },
+ {
+ "Name": "DefaultSdkAssumeRole",
+ "DisplayName": "Assume new Role using Default SDK Auth",
+ "Type": "Bool",
+ "DependsOn": "UseDefaultSdkAuth",
+ "DefaultValue": "false",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to assume a new Role when using Default SDK credentials"
+ },
+ {
+ "Name": "UseOAuth",
+ "DisplayName": "Use OAuth 2.0 Provider",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS"
+ },
+ {
+ "Name": "OAuthScope",
+ "DisplayName": "OAuth Scope",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta"
+ },
+ {
+ "Name": "OAuthGrantType",
+ "DisplayName": "OAuth Grant Type",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "client_credentials",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials`"
+ },
+ {
+ "Name": "OAuthUrl",
+ "DisplayName": "OAuth Url",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "https://***/oauth2/default/v1/token",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "The token endpoint for the OAuth 2.0 provider"
+ },
+ {
+ "Name": "OAuthClientId",
+ "DisplayName": "OAuth Client ID",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The Client ID for OAuth."
+ },
+ {
+ "Name": "OAuthClientSecret",
+ "DisplayName": "OAuth Client Secret",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The Client Secret for OAuth."
+ },
+ {
+ "Name": "UseIAM",
+ "DisplayName": "Use IAM User Auth",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS"
+ },
+ {
+ "Name": "IAMUserAccessKey",
+ "DisplayName": "IAM User Access Key",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The AWS Access Key for an IAM User"
+ },
+ {
+ "Name": "IAMUserAccessSecret",
+ "DisplayName": "IAM User Access Secret",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The AWS Access Secret for an IAM User."
+ },
+ {
+ "Name": "ExternalId",
+ "DisplayName": "sts:ExternalId",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls"
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "CertificateTags",
+ "DisplayName": "Certificate Tags",
+ "Description": "If desired, tags can be applied to the certificate entries in AWS Secrets Manager. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}'",
+ "Type": "string",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": ""
+ },
+ {
+ "Name": "ReplicaRegions",
+ "DisplayName": "Replica Regions",
+ "Description": "To replicate secrets to other regions, you can provide them here as a JSON array in the format: [{ 'KmsKeyId': ''}, {...}]",
+ "Type": "string",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": ""
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathType": "",
+ "StorePathValue": "",
+ "StorePathDescription": "The store path contains the AWS region where the SecretsManager resides. It can optionally accept values for tags OR path prefix for identifying secrets to be managed by the cert store instance. example:'us-east-2 [prefix='dev/midwest']' or 'us-east1 [tagName='managedBy' tagValue='keyfactor']' ",
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [],
+ "ServerRequired": false,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+ },
 {
 "Name": "Airlock Application Firewall Certificate",
 "ShortName": "AirlockWAF",
diff --git a/store_types.json b/store_types.json
index 719c5a00..462125e3 100644
--- a/store_types.json
+++ b/store_types.json
@@ -447,6 +447,537 @@
 "ClientMachineDescription": "This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth.",
 "StorePathDescription": "A single specified AWS Region the store will operate in. Additional regions should get their own store defined."
 },
+ {
+ "Name": "AwsSecretsManager JKS",
+ "ShortName": "AWSSMJKS",
+ "Capability": "AWSSMJKS",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "UseDefaultSdkAuth",
+ "DisplayName": "Use Default SDK Auth",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use Default SDK credentials"
+ },
+ {
+ "Name": "DefaultSdkAssumeRole",
+ "DisplayName": "Assume new Role using Default SDK Auth",
+ "Type": "Bool",
+ "DependsOn": "UseDefaultSdkAuth",
+ "DefaultValue": "false",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to assume a new Role when using Default SDK credentials"
+ },
+ {
+ "Name": "UseOAuth",
+ "DisplayName": "Use OAuth 2.0 Provider",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS"
+ },
+ {
+ "Name": "OAuthScope",
+ "DisplayName": "OAuth Scope",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta"
+ },
+ {
+ "Name": "OAuthGrantType",
+ "DisplayName": "OAuth Grant Type",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "client_credentials",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials`"
+ },
+ {
+ "Name": "OAuthUrl",
+ "DisplayName": "OAuth Url",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "https://***/oauth2/default/v1/token",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "The token endpoint for the OAuth 2.0 provider"
+ },
+ {
+ "Name": "OAuthClientId",
+ "DisplayName": "OAuth Client ID",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The Client ID for OAuth."
+ },
+ {
+ "Name": "OAuthClientSecret",
+ "DisplayName": "OAuth Client Secret",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The Client Secret for OAuth."
+ },
+ {
+ "Name": "UseIAM",
+ "DisplayName": "Use IAM User Auth",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS"
+ },
+ {
+ "Name": "IAMUserAccessKey",
+ "DisplayName": "IAM User Access Key",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The AWS Access Key for an IAM User"
+ },
+ {
+ "Name": "IAMUserAccessSecret",
+ "DisplayName": "IAM User Access Secret",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The AWS Access Secret for an IAM User."
+ },
+ {
+ "Name": "ExternalId",
+ "DisplayName": "sts:ExternalId",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls"
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "CertificateTags",
+ "DisplayName": "Certificate Tags",
+ "Description": "If desired, tags can be applied to the certificate entries in AWS Secrets Manager. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}'",
+ "Type": "string",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": ""
+ },
+ {
+ "Name": "ReplicaRegions",
+ "DisplayName": "Replica Regions",
+ "Description": "To replicate secrets to other regions, you can provide them here as a JSON array in the format: [{ 'KmsKeyId': ''}, {...}]",
+ "Type": "string",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": ""
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathType": "",
+ "StorePathValue": "",
+ "StorePathDescription": "The store path contains the AWS region where the SecretsManager resides. It can optionally accept values for tags OR path prefix for identifying secrets to be managed by the cert store instance. example:'us-east-2 [prefix='dev/midwest']' or 'us-east1 [tagName='managedBy' tagValue='keyfactor']' ",
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [],
+ "ServerRequired": false,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+ },
+ {
+ "Name": "AwsSecretsManager PEM",
+ "ShortName": "AWSSMPEM",
+ "Capability": "AWSSMPEM",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "UseDefaultSdkAuth",
+ "DisplayName": "Use Default SDK Auth",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use Default SDK credentials"
+ },
+ {
+ "Name": "DefaultSdkAssumeRole",
+ "DisplayName": "Assume new Role using Default SDK Auth",
+ "Type": "Bool",
+ "DependsOn": "UseDefaultSdkAuth",
+ "DefaultValue": "false",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to assume a new Role when using Default SDK credentials"
+ },
+ {
+ "Name": "UseOAuth",
+ "DisplayName": "Use OAuth 2.0 Provider",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS"
+ },
+ {
+ "Name": "OAuthScope",
+ "DisplayName": "OAuth Scope",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta"
+ },
+ {
+ "Name": "OAuthGrantType",
+ "DisplayName": "OAuth Grant Type",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "client_credentials",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials`"
+ },
+ {
+ "Name": "OAuthUrl",
+ "DisplayName": "OAuth Url",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "https://***/oauth2/default/v1/token",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "The token endpoint for the OAuth 2.0 provider"
+ },
+ {
+ "Name": "OAuthClientId",
+ "DisplayName": "OAuth Client ID",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The Client ID for OAuth."
+ },
+ {
+ "Name": "OAuthClientSecret",
+ "DisplayName": "OAuth Client Secret",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The Client Secret for OAuth."
+ },
+ {
+ "Name": "UseIAM",
+ "DisplayName": "Use IAM User Auth",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS"
+ },
+ {
+ "Name": "IAMUserAccessKey",
+ "DisplayName": "IAM User Access Key",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The AWS Access Key for an IAM User"
+ },
+ {
+ "Name": "IAMUserAccessSecret",
+ "DisplayName": "IAM User Access Secret",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The AWS Access Secret for an IAM User."
+ },
+ {
+ "Name": "ExternalId",
+ "DisplayName": "sts:ExternalId",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls"
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "CertificateTags",
+ "DisplayName": "Certificate Tags",
+ "Description": "If desired, tags can be applied to the certificate entries in AWS Secrets Manager. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}'",
+ "Type": "string",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": ""
+ },
+ {
+ "Name": "ReplicaRegions",
+ "DisplayName": "Replica Regions",
+ "Description": "To replicate secrets to other regions, you can provide them here as a JSON array in the format: [{ 'KmsKeyId': ''}, {...}]",
+ "Type": "string",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": ""
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathType": "",
+ "StorePathValue": "",
+ "StorePathDescription": "The store path contains the AWS region where the SecretsManager resides. It can optionally accept values for tags OR path prefix for identifying secrets to be managed by the cert store instance. example:'us-east-2 [prefix='dev/midwest']' or 'us-east1 [tagName='managedBy' tagValue='keyfactor']' ",
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [],
+ "ServerRequired": false,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+ },
+ {
+ "Name": "AwsSecretsManager PFX",
+ "ShortName": "AWSSMPFX",
+ "Capability": "AWSSMPFX",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "UseDefaultSdkAuth",
+ "DisplayName": "Use Default SDK Auth",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use Default SDK credentials"
+ },
+ {
+ "Name": "DefaultSdkAssumeRole",
+ "DisplayName": "Assume new Role using Default SDK Auth",
+ "Type": "Bool",
+ "DependsOn": "UseDefaultSdkAuth",
+ "DefaultValue": "false",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to assume a new Role when using Default SDK credentials"
+ },
+ {
+ "Name": "UseOAuth",
+ "DisplayName": "Use OAuth 2.0 Provider",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS"
+ },
+ {
+ "Name": "OAuthScope",
+ "DisplayName": "OAuth Scope",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta"
+ },
+ {
+ "Name": "OAuthGrantType",
+ "DisplayName": "OAuth Grant Type",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "client_credentials",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials`"
+ },
+ {
+ "Name": "OAuthUrl",
+ "DisplayName": "OAuth Url",
+ "Type": "String",
+ "DependsOn": "UseOAuth",
+ "DefaultValue": "https://***/oauth2/default/v1/token",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "The token endpoint for the OAuth 2.0 provider"
+ },
+ {
+ "Name": "OAuthClientId",
+ "DisplayName": "OAuth Client ID",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The Client ID for OAuth."
+ },
+ {
+ "Name": "OAuthClientSecret",
+ "DisplayName": "OAuth Client Secret",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The Client Secret for OAuth."
+ },
+ {
+ "Name": "UseIAM",
+ "DisplayName": "Use IAM User Auth",
+ "Type": "Bool",
+ "DependsOn": "",
+ "DefaultValue": "false",
+ "Required": true,
+ "IsPAMEligible": false,
+ "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS"
+ },
+ {
+ "Name": "IAMUserAccessKey",
+ "DisplayName": "IAM User Access Key",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The AWS Access Key for an IAM User"
+ },
+ {
+ "Name": "IAMUserAccessSecret",
+ "DisplayName": "IAM User Access Secret",
+ "Type": "Secret",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": true,
+ "Description": "The AWS Access Secret for an IAM User."
+ },
+ {
+ "Name": "ExternalId",
+ "DisplayName": "sts:ExternalId",
+ "Type": "String",
+ "DependsOn": "",
+ "DefaultValue": "",
+ "Required": false,
+ "IsPAMEligible": false,
+ "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls"
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "CertificateTags",
+ "DisplayName": "Certificate Tags",
+ "Description": "If desired, tags can be applied to the certificate entries in AWS Secrets Manager. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}'",
+ "Type": "string",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": ""
+ },
+ {
+ "Name": "ReplicaRegions",
+ "DisplayName": "Replica Regions",
+ "Description": "To replicate secrets to other regions, you can provide them here as a JSON array in the format: [{ 'KmsKeyId': ''}, {...}]",
+ "Type": "string",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": false,
+ "OnRemove": false,
+ "OnReenrollment": false
+ },
+ "DefaultValue": ""
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "StorePathType": "",
+ "StorePathValue": "",
+ "StorePathDescription": "The store path contains the AWS region where the SecretsManager resides. It can optionally accept values for tags OR path prefix for identifying secrets to be managed by the cert store instance. example:'us-east-2 [prefix='dev/midwest']' or 'us-east1 [tagName='managedBy' tagValue='keyfactor']' ",
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [],
+ "ServerRequired": false,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+ },
 {
 "Name": "Airlock Application Firewall Certificate",
 "ShortName": "AirlockWAF",
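Review bot: The two EntryParameters in each of the three added store types (CertificateTags and ReplicaRegions in the AWSSMJKS, AWSSMPEM and AWSSMPFX blocks) declare `"Type": "string"` while every Properties entry in the same blocks uses `"Type": "String"`; if the consumer matches type names case-sensitively these parameters could be treated as an unknown type, so `"Type": "String"` would keep them consistent. The CertificateTags description asks for "a JSON string" but its example `'{'tag-name': 'tag-content', ...}'` is single-quoted and therefore not JSON that a strict parser accepts; a double-quoted example, written as `{\"tag-name\": \"tag-content\"}` inside the description string, would show the accepted form. The ReplicaRegions example `[{ 'KmsKeyId': ''}, {...}]` has the same quoting problem and names only KmsKeyId, whereas Secrets Manager replica entries are keyed by the target Region with KmsKeyId optional, so the description should state which key names the orchestrator expects (worth confirming against the orchestrator code). The OAuthUrl default `https://***/oauth2/default/v1/token` is an Okta-shaped placeholder rather than a usable value; an empty default, as OAuthScope already uses, avoids a store being saved with the placeholder. The preceding hunk against cmd/store_types.json carries the same three blocks and the same points.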