Secret Group Commands
Manage secret groups in Kavach: create, list, activate and delete secret groups, and grant, revoke and review access to them.
Overview
Secret groups are logical containers that organize related secrets within an organization. Each secret group can contain multiple environments (like development, staging, production) and provides a way to manage access control and organization of your secrets.
Key Concepts
- Secret groups belong to organizations and contain environments
- Each secret group can have multiple environments with different configurations
- Secret groups help organize secrets by project, team, or application
- Access control can be managed at the secret group level
- Secret groups can be activated to set a default context for commands
Resource Hierarchy
Organization
├── Secret Groups
│   ├── Environments
│   │   └── Secrets
│   └── User Groups
└── User Groups
Available Roles
Role | Permissions |
---|---|
owner | Full administrative access (create, delete, manage members, grant permissions) |
admin | Administrative access (manage resources and members, but cannot delete the resource they were granted admin on) |
editor | Write access (modify resources, but cannot assign permissions to others) |
viewer | Read-only access (view resources only) |
Role Hierarchy
owner > admin > editor > viewer
Key Differences:
- owner: Can do anything including delete, grant permissions, create child resources, and update assigned resources
- admin: Can do everything except delete the resource they were granted admin on (e.g., admin on secret group "myapp" cannot delete secret group "myapp")
- editor: Has write access but cannot assign permissions to others
- viewer: Read-only access only
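The rules above are easy to misread when a user holds several bindings at once (a direct grant on a secret group plus one inherited from the organization, or membership in a user group). The following model, added here as an example and not Kavach's own code, encodes them: a principal's effective role on a resource is the highest-ranked binding on that resource or any ancestor (the inheritance that list-bindings reports as "Inherited from Organization"), editor and viewer can never grant, and delete follows the owner/admin rule. The slash-separated resource paths, the action names, the sample bindings, and the reading that an admin inherited from an ancestor may delete child resources are this example's assumptions.

```python
"""Model of the Kavach role hierarchy described above.

Added example, not Kavach's own code: it encodes the Available Roles /
Role Hierarchy rules (owner > admin > editor > viewer; admin cannot delete
the resource it was granted admin on; editor cannot assign permissions) and
role inheritance from the organization. Resource paths ("mycompany/myapp"),
the action names, and the sample bindings are assumptions for illustration.
"""
from dataclasses import dataclass

RANK = {"viewer": 0, "editor": 1, "admin": 2, "owner": 3}

# Lowest role that may perform each non-delete action (assumed action names).
MIN_ROLE = {"read": "viewer", "write": "editor", "create_child": "admin",
            "grant": "admin", "revoke": "admin"}


@dataclass(frozen=True)
class Binding:
    resource: str  # "mycompany" (organization) or "mycompany/myapp" (secret group)
    subject: str   # "user:alice" or "group:developers"
    role: str


@dataclass
class Directory:
    bindings: list
    membership: dict  # user group name -> set of usernames

    def subjects_for(self, user):
        """The user itself plus every user group it belongs to."""
        groups = {g for g, members in self.membership.items() if user in members}
        return {f"user:{user}"} | {f"group:{g}" for g in groups}

    def bindings_for(self, user, resource):
        """Bindings that apply to user on resource, including inherited ones."""
        parts = resource.split("/")
        scope = {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}
        subjects = self.subjects_for(user)
        return [b for b in self.bindings if b.subject in subjects and b.resource in scope]

    def effective_role(self, user, resource):
        """Highest-ranked applicable role, or None when the user has no access."""
        roles = [b.role for b in self.bindings_for(user, resource)]
        return max(roles, key=RANK.__getitem__) if roles else None

    def can(self, user, action, resource):
        applicable = self.bindings_for(user, resource)
        if not applicable:
            return False  # no binding anywhere on the path: fail closed
        if action == "delete":
            # An owner anywhere on the path may delete. An admin may delete only
            # when the admin grant sits on an ancestor: admin on "myapp" cannot
            # delete "myapp" (the page's rule); an inherited admin deleting
            # child resources is this example's reading of that rule.
            return any(b.role == "owner" or (b.role == "admin" and b.resource != resource)
                       for b in applicable)
        role = max((b.role for b in applicable), key=RANK.__getitem__)
        return RANK[role] >= RANK[MIN_ROLE[action]]


# Constructed sample: one organization, one secret group, one user group.
DIRECTORY = Directory(
    bindings=[
        Binding("mycompany", "user:alice", "owner"),
        Binding("mycompany", "user:dave", "viewer"),
        Binding("mycompany/myapp", "user:bob", "admin"),
        Binding("mycompany/myapp", "user:dave", "editor"),
        Binding("mycompany/myapp", "group:developers", "editor"),
    ],
    membership={"developers": {"carol"}},
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin"):
        print(user, DIRECTORY.effective_role(user, "mycompany/myapp"),
              "delete myapp:", DIRECTORY.can(user, "delete", "mycompany/myapp"),
              "grant:", DIRECTORY.can(user, "grant", "mycompany/myapp"))
```

Running the block prints one line per sample user. The two cases worth noticing are bob, whose admin grant on myapp lets him grant roles but not delete myapp itself, and dave, whose organization-level viewer binding is raised to editor on myapp by the direct grant there.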
Commands
kavach group create
Create a new secret group
Description
Create a new secret group within the current organization. When you create a secret group, you automatically become its owner with full administrative privileges.
Key Features
- You become the owner of the created secret group
- Secret group names must be unique within the organization
- Secret groups can contain multiple environments (dev, staging, prod)
- You can invite other users and assign different roles
- Secret groups help organize secrets by project, team, or application
Usage
kavach group create <name> [flags]
Arguments
Argument | Description | Required |
---|---|---|
name | Name of the secret group | Yes |
Flags
Flag | Description | Required | Default |
---|---|---|---|
--description | Description of the secret group | No | "" |
--organization, -o | Organization under which to create the secret group | No | Active organization |
Examples
# Create secret group with description
kavach group create myapp --description "My application secrets"
# Create a second secret group in the same organization
kavach group create backend --description "Backend service secrets"
# Create secret group in specific organization
kavach group create frontend --description "Frontend app" --organization mycompany
# Or create the secret group without a description
kavach group create myapp
Example Output
Secret group 'myapp' created successfully under organization 'mycompany'.
Error Handling
The command handles various error scenarios:
- Not Logged In: Prompts user to run kavach login
- Backend Unreachable: Displays helpful message with contact information
- Organization Not Found: Indicates the organization doesn't exist
- Duplicate Secret Group: Suggests choosing a different name
- Access Denied: Shows appropriate error message
Notes
- Secret group names should be descriptive and follow your naming conventions
- Once created, you can activate the secret group to set it as default for future commands
- If no organization is specified, uses the active organization
kavach group list
List your secret groups
Description
List all secret groups in the current organization. This command displays a table of all secret groups within the active organization, showing your role in each secret group and which one is currently active.
Output Information
The output includes:
- Secret Group ID: Unique identifier for the secret group
- Secret Group Name: Human-readable name of the secret group
- Organization Name: The organization this secret group belongs to
- Role: Your role in the secret group (owner, admin, editor, viewer)
- Active: Indicates which secret group is currently set as default (marked 🟢)
Usage
kavach group list [flags]
Flags
Flag | Description | Required | Default |
---|---|---|---|
--organization, -o | Organization under which to list secret groups | No | Active organization |
Examples
# List all secret groups in current organization
kavach group list
# List secret groups in specific organization
kavach group list --organization mycompany
# Show detailed help
kavach group list --help
Example Output
┌──────────────────────────────────────┬───────────────────┬───────────────────┬────────┬────────┐
│ Secret Group Id                      │ Secret Group Name │ Organization Name │ Role   │ Active │
├──────────────────────────────────────┼───────────────────┼───────────────────┼────────┼────────┤
│ 550e8400-e29b-41d4-a716-446655440000 │ myapp             │ mycompany         │ owner  │ 🟢     │
│ 550e8400-e29b-41d4-a716-446655440001 │ backend           │ mycompany         │ editor │        │
└──────────────────────────────────────┴───────────────────┴───────────────────┴────────┴────────┘
Notes
- The active secret group (marked with 🟢) is used as the default context for other commands
- Use kavach group activate <name> to change the active secret group
kavach group activate
Switch to a different secret group
Description
Activate a secret group to make it the default context for all subsequent CLI commands, so that commands which take a secret group no longer need one passed explicitly.
Key Benefits
- Reduces the need to specify the --group flag in every command
- Provides a consistent working context
- Makes command usage more convenient
- Helps avoid accidentally working in the wrong secret group
Usage
kavach group activate <group_name>
Arguments
Argument | Description | Required |
---|---|---|
group_name | Name of the secret group to activate | Yes |
Examples
# Set myapp as default secret group
kavach group activate myapp
# Switch to backend secret group
kavach group activate backend
# See which secret group is active
kavach group list
Example Output
Secret group 'myapp' is now active.
Notes
- You can still override the active secret group by explicitly specifying the --group flag in individual commands
- The active secret group is used only when no secret group is explicitly provided
- On kavach group grant and kavach group revoke, --group names a user group, not a secret group; those commands take the secret group as their positional argument
kavach group delete
Delete a secret group
Description
Delete a secret group and all its associated resources. This is a destructive operation that removes the secret group, all its environments, and secrets.
Usage
kavach group delete <group_name>
Arguments
Argument | Description | Required |
---|---|---|
group_name | Name of the secret group to delete | Yes |
Examples
# Delete secret group (with confirmation)
kavach group delete myapp
# Show detailed help
kavach group delete --help
Confirmation Prompt
When deleting a secret group, you'll see a confirmation prompt:
Are you sure you want to delete the secret group 'myapp'?
This will permanently delete the secret group and all its resources.
Type 'yes' to confirm: yes
Secret group 'myapp' deleted successfully.
Notes
- This operation is irreversible
- All resources within the secret group will be permanently deleted
- Only secret group owners can delete secret groups
kavach group grant
Grant permissions to users or groups
Description
Grant permissions to users or user groups within a secret group. This allows you to manage access control at the secret group level.
Usage
kavach group grant <secret-group-name> [flags]
Arguments
Argument | Description | Required |
---|---|---|
secret-group-name | Name of the secret group to grant permissions on | Yes |
Flags
Flag | Description | Required |
---|---|---|
--user, -u | GitHub username to grant permissions to | Yes* |
--group, -g | User group name to grant permissions to | Yes* |
--role, -r | Role to grant (admin, editor, viewer) | Yes |
--org, -o | Organization name where the secret group exists | Yes |
* One of --user or --group is required.
Examples
# Grant admin role to user
kavach group grant "myapp" --user "john.doe" --role admin --org "mycompany"
# Grant editor role to user group
kavach group grant "myapp" --group "developers" --role editor --org "mycompany"
# Grant viewer role to user
kavach group grant "backend" --user "sarah" --role viewer --org "startup"
Available Roles
- owner: Full administrative access (create, delete, manage members, grant permissions). This role belongs to the user who created the secret group; --role accepts only admin, editor and viewer
- admin: Administrative access (manage resources and members, but cannot delete the resource they were granted admin on)
- editor: Write access (modify resources, but cannot assign permissions to others)
- viewer: Read-only access (view resources only)
kavach group revoke
Revoke user or group access from a secret group
Description
Revoke access for a user or group from a secret group. This command removes the specified role assignment.
Key Features
- Remove user access by revoking their role
- Remove group access by revoking their role
- Immediate effect - access is revoked immediately
- Activity logging - all revocations are logged
Usage
kavach group revoke <secret-group> [flags]
Arguments
Argument | Description | Required |
---|---|---|
secret-group | Name of the secret group | Yes |
Flags
Flag | Description | Required | Default |
---|---|---|---|
--user | Username or email to revoke access from | No* | "" |
--group | Group name to revoke access from | No* | "" |
* Either --user or --group must be specified.
Examples
# Revoke user access
kavach group revoke "backend" --user "john@example.com"
# Revoke group access
kavach group revoke "backend" --group "developers"
kavach group list-bindings
List all role bindings for a secret group
Description
Display all role bindings (user and group permissions) for a specific secret group. This command shows who has access to the secret group and what roles they have.
Key Features
- View all users with access to the secret group
- View all groups with access to the secret group
- See role assignments for each user/group
- Check permissions before making changes
Usage
kavach group list-bindings <secret-group> [flags]
Arguments
Argument | Description | Required |
---|---|---|
secret-group | Name of the secret group | Yes |
Flags
Flag | Description | Required | Default |
---|---|---|---|
--org, -o | Organization name where the secret group exists | Yes | - |
Examples
# List all bindings for the secret group (--org is required)
kavach group list-bindings "backend" --org "mycompany"
Example Output
$ kavach group list-bindings "backend" --org "mycompany"
Role bindings for secret group 'backend' in organization 'mycompany':
Total bindings: 6
Direct Bindings
---------------
┌──────────┬─────────────────────┬─────────┐
│ Type     │ Name                │ Role    │
├──────────┼─────────────────────┼─────────┤
│ 👤 User  │ admin@company.com   │ owner   │
│ 👤 User  │ john@company.com    │ admin   │
│ 👥 Group │ developers          │ editor  │
│ 👥 Group │ qa-team             │ viewer  │
└──────────┴─────────────────────┴─────────┘
Inherited from Organization: mycompany
---------------------------------------
┌──────────┬─────────────────────┬─────────┐
│ Type     │ Name                │ Role    │
├──────────┼─────────────────────┼─────────┤
│ 👤 User  │ ceo@company.com     │ admin   │
│ 👥 Group │ executives          │ viewer  │
└──────────┴─────────────────────┴─────────┘
Note: The output shows both direct bindings (specific to this secret group) and inherited bindings (from the organization level). Users and groups can inherit permissions from higher levels in the resource hierarchy.
Workflow Examples
Complete Secret Group Setup
# 1. Create secret group
kavach group create myapp --description "My application secrets"
# 2. List secret groups
kavach group list
# 3. Activate secret group
kavach group activate myapp
# 4. Grant permissions to team members
kavach group grant "myapp" --user "john@example.com" --role admin --org "mycompany"
kavach group grant "myapp" --user "jane@example.com" --role editor --org "mycompany"
# 5. Create user group and grant permissions
kavach user-group create developers --description "Development team"
kavach group grant "myapp" --group "developers" --role editor --org "mycompany"
Secret Group Management
# 1. Check current secret group
kavach group list
# 2. Switch to different secret group
kavach group activate backend
# 3. Grant new team member access
kavach group grant "myapp" --user "newdev@company.com" --role editor --org "mycompany"
# 4. Remove access for departed team member (revoke takes no --role; the whole role assignment is removed)
kavach group revoke "myapp" --user "olddev@company.com"
Multi-Secret Group Workflow
# 1. List all secret groups
kavach group list
# 2. Work in application secret group
kavach group activate myapp
kavach env create prod --description "Production environment"
# Note: a secret value passed on the command line is recorded in shell history and visible in process listings while the command runs
kavach secret add database-url --value "postgresql://user:pass@localhost:5432/myapp"
# 3. Switch to backend secret group
kavach group activate backend
kavach env create staging --description "Staging environment"
kavach secret add api-key --value "sk-backend-api-key"
Best Practices
1. Secret Group Naming
# Good naming conventions
kavach group create myapp --description "My application secrets"
kavach group create backend --description "Backend service secrets"
kavach group create frontend --description "Frontend application secrets"
# Avoid generic names
kavach group create group --description "Secret group" # Too generic
kavach group create test --description "Test" # Too generic
2. Role Management
# Grant minimal required permissions
kavach group grant "myapp" --user "viewer@company.com" --role viewer --org "mycompany"
kavach group grant "myapp" --user "developer@company.com" --role editor --org "mycompany"
kavach group grant "myapp" --user "admin@company.com" --role admin --org "mycompany"
# Use user groups for team management
kavach user-group create developers --description "Development team"
kavach group grant "myapp" --group "developers" --role editor --org "mycompany"
3. Secret Group Organization
# Create separate secret groups for different purposes
kavach group create production-apps --description "Production applications"
kavach group create development-apps --description "Development applications"
kavach group create client-projects --description "Client-specific projects"
4. Security Considerations
- Regular Access Review: Periodically review and update permissions
- Principle of Least Privilege: Grant only necessary permissions
- User Group Management: Use groups for easier permission management
- Activity Monitoring: Monitor secret group changes and access
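A regular access review is only as good as the tooling behind it. The helper below, added here as an example and not part of Kavach, works over the text report that kavach group list-bindings prints (the layout shown under its Example Output above, with a Direct Bindings table and an Inherited from Organization table): it checks the declared "Total bindings" against the rows actually parsed, and lists the principals that hold admin or owner, the direct user grants at editor or above that could be moved to a user group, and privileged bindings inherited from the organization that the secret group owner may not be aware of. The sample report is constructed, and the assumption that the column layout is stable across versions is this example's, not the page's.

```python
"""Access-review helper over `kavach group list-bindings` output.

Added example, not Kavach's own code. It assumes the report layout shown
on this page (a "Direct Bindings" table and an "Inherited from
Organization: <org>" table with Type / Name / Role columns drawn with
box-drawing characters); SAMPLE_REPORT is a constructed sample, not output
captured from a real deployment.
"""
import re
import sys

RANK = {"viewer": 0, "editor": 1, "admin": 2, "owner": 3}

SAMPLE_REPORT = """\
Role bindings for secret group 'backend' in organization 'mycompany':
Total bindings: 6
Direct Bindings
---------------
┌──────────┬─────────────────────┬─────────┐
│ Type     │ Name                │ Role    │
├──────────┼─────────────────────┼─────────┤
│ 👤 User  │ admin@company.com   │ owner   │
│ 👤 User  │ john@company.com    │ admin   │
│ 👥 Group │ developers          │ editor  │
│ 👥 Group │ qa-team             │ viewer  │
└──────────┴─────────────────────┴─────────┘
Inherited from Organization: mycompany
---------------------------------------
┌──────────┬─────────────────────┬─────────┐
│ Type     │ Name                │ Role    │
├──────────┼─────────────────────┼─────────┤
│ 👤 User  │ ceo@company.com     │ admin   │
│ 👥 Group │ executives          │ viewer  │
└──────────┴─────────────────────┴─────────┘
"""


def declared_total(report):
    """The 'Total bindings: N' figure the CLI prints, or None if absent."""
    m = re.search(r"^Total bindings:\s*(\d+)\s*$", report, re.MULTILINE)
    return int(m.group(1)) if m else None


def parse_bindings(report):
    """Return (source, kind, name, role) tuples; source is 'direct' or 'inherited:<org>'."""
    source, rows = None, []
    for line in report.splitlines():
        text = line.strip()
        if text == "Direct Bindings":
            source = "direct"
            continue
        m = re.match(r"Inherited from Organization:\s*(\S+)", text)
        if m:
            source = f"inherited:{m.group(1)}"
            continue
        if source is None or not text.startswith("│"):
            continue  # borders, headings, blank lines
        cells = [c.strip() for c in text.strip("│").split("│")]
        if len(cells) != 3 or cells[0] == "Type":
            continue  # column header row
        kind = "group" if cells[0].endswith("Group") else "user"
        role = cells[2].lower()
        if role not in RANK:
            raise ValueError(f"unexpected role {role!r} in line: {line}")
        rows.append((source, kind, cells[1], role))
    return rows


def review(rows, declared=None):
    """Findings a reviewer would act on; names are sorted for stable output."""
    privileged = sorted(name for _, _, name, role in rows if RANK[role] >= RANK["admin"])
    direct_user_writers = sorted(name for src, kind, name, role in rows
                                 if src == "direct" and kind == "user" and RANK[role] >= RANK["editor"])
    inherited_privileged = sorted(name for src, _, name, role in rows
                                  if src.startswith("inherited:") and RANK[role] >= RANK["admin"])
    return {
        "total_matches": declared is None or declared == len(rows),
        "privileged": privileged,
        "direct_user_writers": direct_user_writers,
        "inherited_privileged": inherited_privileged,
    }


if __name__ == "__main__":
    # Pipe a real report in: kavach group list-bindings backend --org mycompany | python3 review.py
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    rows = parse_bindings(report)
    for key, value in review(rows, declared_total(report)).items():
        print(f"{key}: {value}")
```

Run without input it reviews the constructed sample; piped the real report it reviews that instead. A mismatch between the declared total and the parsed rows means the layout has changed and the findings should not be trusted until the parser is updated.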
Use Cases
Organize by Application
# Create secret groups for different applications
kavach group create user-service --description "User service secrets"
kavach group create payment-service --description "Payment service secrets"
kavach group create notification-service --description "Notification service secrets"
Organize by Team
# Create secret groups for different teams
kavach group create dev-team --description "Development team secrets"
kavach group create qa-team --description "QA team secrets"
kavach group create ops-team --description "Operations team secrets"
Organize by Project
# Create secret groups for different projects
kavach group create project-alpha --description "Alpha project secrets"
kavach group create project-beta --description "Beta project secrets"
kavach group create project-gamma --description "Gamma project secrets"
Troubleshooting
Common Issues
- Secret Group Not Found
  # Error: Secret group not found
  # Solution: Check secret group name and your access
  kavach group list
- Access Denied
  # Error: Access denied
  # Solution: Check your role in the secret group (--org is required for list-bindings)
  kavach group list-bindings "secret-group-name" --org "organization-name"
- Duplicate Secret Group
  # Error: Secret group already exists
  # Solution: Choose a different name
  kavach group create new-group-name --description "New secret group"
- No Active Organization
  # Error: No default organization is set
  # Solution: Set active organization
  kavach org activate mycompany
- Permission Issues
  # Check current permissions
  kavach group list-bindings "secret-group-name" --org "organization-name"
  # Verify your role
  kavach group list
Debug Commands
# Enable debug logging
kavach --debug group list
# Check current configuration
kavach status
# Verify secret group access
kavach group list
Next Steps
After setting up your secret groups:
- Create Environments: Environment Management
- Manage User Groups: User Group Management
- Store Secrets: Secret Management
- Configure Providers: Provider Integration