# secretzero test

Test provider connectivity and authentication.

## Synopsis

## Description

The `test` command validates that all configured providers can be authenticated and accessed successfully. It is useful for verifying your setup before generating and syncing secrets.

## Options

| Option | Type | Default | Description |
|---|---|---|---|
| `--file`, `-f` | path | `Secretfile.yml` | Path to Secretfile |
| `--help` | flag | - | Show help message |
## Examples

### Test All Providers

Test connectivity for all configured providers:

Successful output:

```text
Testing Provider Connectivity:
• aws: ✓ Connected to AWS (us-east-1)
• vault: ✓ Connected to Vault (http://localhost:8200)
• kubernetes: ✓ Connected to cluster 'production'
• local: ✓ Local provider (always available)

All provider tests passed!
```

Output with failures:

```text
Testing Provider Connectivity:
• aws: ✓ Connected to AWS (us-east-1)
• vault: ✗ Connection failed: invalid token
• kubernetes: ✗ Context 'production' not found
• local: ✓ Local provider (always available)

Some provider tests failed. Check the messages above.
```
### Test Specific File

Test providers in a specific Secretfile:

## What Gets Tested

### Per Provider Type

#### AWS

- Credentials are valid
- Can assume roles (if configured)
- Can access specified region
- Required permissions exist

#### Azure

- Managed Identity or credentials valid
- Can authenticate to Key Vault
- Subscription access verified

#### Vault

- Token or AppRole authentication works
- Can connect to Vault server
- Namespace access (if configured)
- Required policies exist

#### Kubernetes

- Kubeconfig is valid
- Context exists and is accessible
- Can authenticate to cluster
- Required namespaces exist

#### GitHub

- Token is valid
- Has required scopes
- Can access specified repositories

#### GitLab

- Token is valid
- Can access specified projects

#### Jenkins

- Credentials are valid
- Can connect to Jenkins server
- Has required permissions

#### Local

Always succeeds (no authentication required)

### Provider Test Details

#### AWS Provider
Tests:
- AWS credentials are configured
- Can make API calls to AWS
- Region is accessible
- IAM permissions are sufficient
Success:
Failures:

```text
✗ AWS authentication failed: Unable to locate credentials
✗ AWS connection failed: Region us-east-1 not accessible
✗ AWS permission denied: Insufficient IAM permissions
```

#### Vault Provider

```yaml
providers:
  vault:
    kind: vault
    auth:
      kind: token
      config:
        url: https://vault.example.com
        token: ${VAULT_TOKEN}
```
Tests:
- Can connect to Vault server
- Token is valid
- Has required policies
- Namespace is accessible (if configured)
Success:
Failures:

```text
✗ Vault connection failed: dial tcp: connection refused
✗ Vault authentication failed: invalid token
✗ Vault permission denied: missing required policy
```

#### Kubernetes Provider
Tests:
- Kubeconfig exists and is valid
- Context exists
- Can authenticate to cluster
- Can access required namespaces
Success:
Failures:

```text
✗ Kubeconfig not found
✗ Context 'production' not found
✗ Authentication failed: invalid credentials
✗ Namespace 'default' not accessible
```

#### Local Provider

Tests:

Always succeeds (no external dependencies)

Success:

## Troubleshooting Provider Issues

### AWS Authentication Failed

Error:

Solutions:
- Configure AWS CLI:
- Set environment variables:

  ```bash
  export AWS_ACCESS_KEY_ID=your_key
  export AWS_SECRET_ACCESS_KEY=your_secret
  export AWS_REGION=us-east-1
  ```
- Use AWS profile:
- Use IAM role (EC2/ECS/Lambda):
Verify:
### Vault Connection Failed
Error:
Solutions:
- Verify Vault is running:
- Check Vault address:
- Update Secretfile:

  ```yaml
  providers:
    vault:
      auth:
        kind: token
        config:
          url: http://localhost:8200  # Correct URL
          token: ${VAULT_TOKEN}
  ```
- Check network connectivity:
Verify:
### Vault Authentication Failed
Error:
Solutions:
- Get new token:
- Check token expiration:
- Use AppRole instead:

  ```yaml
  providers:
    vault:
      auth:
        kind: approle
        config:
          role_id: ${VAULT_ROLE_ID}
          secret_id: ${VAULT_SECRET_ID}
  ```
### Kubernetes Context Not Found
Error:
Solutions:
- List available contexts:
- Use correct context:
- Use current context:
- Set current context:
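A preflight check that catches the missing-credential cases from the AWS, Vault and Kubernetes sections above before `secretzero test` is even run, as an added example (this is not SecretZero's own code). It assumes the variable names this page uses (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `VAULT_ADDR`, `VAULT_TOKEN`, `VAULT_ROLE_ID`, `VAULT_SECRET_ID`) plus the standard `AWS_PROFILE` and `KUBECONFIG` variables, with kubectl's default path `~/.kube/config` when `KUBECONFIG` is unset; the provider names are the ones this page's Secretfiles use. Only variable names are ever printed, never their values, so the output is safe to keep in CI logs.

```shell
#!/usr/bin/env bash
# preflight-env.sh: verify the environment each provider needs is present before
# running `secretzero test`, so a missing credential surfaces as a clear message
# instead of "Unable to locate credentials" or "invalid token".
# Added example; only variable NAMES are printed, values are never echoed.

# Print the missing variable names for one provider (space-separated) and
# return 1; return 0 when nothing is missing; return 2 for an unknown provider.
check_provider_env() {
  local provider=$1 missing=""
  case "$provider" in
    aws)
      # A named profile is sufficient; otherwise both static keys are required.
      # On EC2/ECS/Lambda an instance or task role supplies credentials with
      # none of these variables set, so skip the aws check there.
      if [ -z "${AWS_PROFILE:-}" ]; then
        [ -n "${AWS_ACCESS_KEY_ID:-}" ]     || missing="$missing AWS_ACCESS_KEY_ID"
        [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || missing="$missing AWS_SECRET_ACCESS_KEY"
      fi
      [ -n "${AWS_REGION:-}" ] || missing="$missing AWS_REGION"
      ;;
    vault)
      # Either a token or an AppRole pair (role_id + secret_id) must be available.
      [ -n "${VAULT_ADDR:-}" ] || missing="$missing VAULT_ADDR"
      if [ -z "${VAULT_TOKEN:-}" ]; then
        [ -n "${VAULT_ROLE_ID:-}" ]   || missing="$missing VAULT_ROLE_ID"
        [ -n "${VAULT_SECRET_ID:-}" ] || missing="$missing VAULT_SECRET_ID"
      fi
      ;;
    kubernetes)
      # kubectl's default location is assumed when KUBECONFIG is unset.
      [ -r "${KUBECONFIG:-$HOME/.kube/config}" ] || missing="$missing KUBECONFIG"
      ;;
    local)
      ;;  # no external dependencies
    *)
      echo "unknown provider: $provider" >&2
      return 2
      ;;
  esac
  missing=${missing# }   # drop the leading separator
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Check every provider named on the command line, reporting in the same style
# as `secretzero test`; return 1 if any provider is missing something.
preflight() {
  local rc=0 provider missing
  for provider in "$@"; do
    if missing=$(check_provider_env "$provider"); then
      echo "• $provider: ✓ environment present"
    else
      echo "• $provider: ✗ missing: ${missing:-(see above)}"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./preflight-env.sh aws vault kubernetes && secretzero test
if [ "$#" -gt 0 ]; then
  preflight "$@"
fi
```

Run it with the provider names from your Secretfile; it exits non-zero before any network call is made if a required variable is absent, which keeps the later `secretzero test` failure messages reserved for genuine authentication and connectivity problems.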
### GitHub Authentication Failed
Error:
Solutions:
- Create personal access token:
Go to GitHub Settings → Developer settings → Personal access tokens
- Set environment variable:
- Update Secretfile:
Required scopes:

- `repo` - Full repository access
- `admin:repo_hook` - Repository webhooks and services
Verify:
### Permission Denied
Error:
Solutions:
- Review required permissions
- Update IAM policy
- Use different credentials with sufficient permissions
Example IAM policy for AWS:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:GetParameter",
        "ssm:DescribeParameters",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*"
    }
  ]
}
```

Note that `"Resource": "*"` grants these actions on every parameter and secret in the account; for production use, narrow `Resource` to the ARNs of the parameters and secrets SecretZero manages.
## Integration Examples

### Pre-Sync Check

```bash
#!/bin/bash
# Ensure providers are accessible before syncing

echo "Testing provider connectivity..."
if secretzero test; then
  echo "✅ All providers accessible"
  echo "Syncing secrets..."
  secretzero sync
else
  echo "❌ Provider test failed"
  echo "Fix connectivity issues before syncing"
  exit 1
fi
```
### CI/CD Pipeline

```yaml
# .github/workflows/secrets.yml
name: Manage Secrets

on:
  push:
    branches: [main]

jobs:
  sync:
    runs-on: ubuntu-latest
    # Credentials are set at job level so that both the test step and the
    # sync step see them; scoping them to the test step alone would make
    # the sync run without any provider credentials.
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: us-east-1
      VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
    steps:
      - uses: actions/checkout@v3

      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install SecretZero
        run: pip install 'secretzero[all]'

      - name: Test Provider Connectivity
        run: secretzero test

      - name: Sync Secrets
        if: success()
        run: secretzero sync
```
### Environment Setup Validation

```bash
#!/bin/bash
# validate-environment.sh
# Each step must pass; checking only the final command's $? would let a failed
# validate or test go unnoticed.

echo "Validating SecretZero environment..."

# 1. Check configuration
echo "1. Validating Secretfile..."
secretzero validate || { echo "❌ Environment validation failed: Secretfile invalid"; exit 1; }

# 2. Test providers
echo "2. Testing provider connectivity..."
secretzero test || { echo "❌ Environment validation failed: provider test failed"; exit 1; }

# 3. Check policies
echo "3. Checking policy compliance..."
secretzero policy || { echo "❌ Environment validation failed: policy check failed"; exit 1; }

echo "✅ Environment validation passed"
exit 0
```
## Best Practices

### 1. Test Before First Sync

```bash
# New environment setup
secretzero create
vim Secretfile.yml
secretzero validate
secretzero test  # Test before syncing
secretzero sync
```

### 2. Test After Configuration Changes

```bash
# After modifying providers
vim Secretfile.yml
secretzero validate
secretzero test  # Ensure new configuration works
secretzero sync
```

### 3. Regular Connectivity Checks

```cron
# Daily cron job
0 9 * * * cd /path/to/project && secretzero test || echo "Provider connectivity issue" | mail -s "Alert" admin@example.com
```
### 4. Test in CI/CD
Always test providers in CI/CD pipelines:
### 5. Document Provider Requirements

```yaml
# Secretfile.yml
# Provider requirements:
#
# AWS:
#   - AWS credentials configured (aws configure)
#   - IAM permissions: ssm:*, secretsmanager:*
#
# Vault:
#   - VAULT_ADDR environment variable
#   - VAULT_TOKEN environment variable
#   - Policy: read/write on secret/data/*
#
# Kubernetes:
#   - Valid kubeconfig
#   - Context: production
#   - Namespace: default

providers:
  aws:
    kind: aws
  vault:
    kind: vault
  kubernetes:
    kind: kubernetes
```
## Exit Codes

| Code | Meaning |
|---|---|
| 0 | All provider tests passed |
| 1 | Some provider tests failed |
| 4 | Provider connection error |
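An added example of acting on the exit codes above together with the ✓/✗ output format shown under Examples: it wraps `secretzero test` in a gate that syncs on exit code 0, names the failing providers on exit code 1 so the right troubleshooting section can be consulted, and retries a connection error (exit code 4) a bounded number of times before giving up. This is not SecretZero's own code; the retry count, the pause between attempts and the sample output embedded for the dry run are constructed for the example.

```shell
#!/usr/bin/env bash
# gate-sync.sh: run `secretzero test`, act on its documented exit code, and name
# the providers that failed. Added example, not SecretZero's own code.

# Constructed copy of the "Output with failures" sample from this page, used by
# --dry-run so the parsing can be exercised without any provider configured.
SAMPLE_OUTPUT=$(cat <<'EOF'
Testing Provider Connectivity:
• aws: ✓ Connected to AWS (us-east-1)
• vault: ✗ Connection failed: invalid token
• kubernetes: ✗ Context 'production' not found
• local: ✓ Local provider (always available)

Some provider tests failed. Check the messages above.
EOF
)

# Read test output on stdin; print the names of providers marked ✗ on one
# space-separated line (empty when every provider passed).
# The leading bullet and whitespace are stripped, then everything from the
# first colon onwards, leaving just the provider name.
failed_providers() {
  grep -a -F '✗' | sed -e 's/^[^[:alnum:]_-]*//' -e 's/:.*$//' | xargs
}

# Map the exit codes documented above to the action a pipeline should take.
action_for_exit() {
  case "$1" in
    0) echo sync ;;        # all providers passed
    1) echo fix-config ;;  # auth/permission failure: credentials or Secretfile need attention
    4) echo retry ;;       # connection error: often transient, worth a bounded retry
    *) echo abort ;;       # anything else is unexpected
  esac
}

# Run the test, retrying only connection errors up to $1 times (default 3),
# then sync, or report why not. Returns non-zero when no sync happened.
gate_and_sync() {
  local attempts=${1:-3} try=1 rc output action
  while :; do
    output=$(secretzero test 2>&1); rc=$?
    printf '%s\n' "$output"
    action=$(action_for_exit "$rc")
    if [ "$action" != retry ] || [ "$try" -ge "$attempts" ]; then
      break
    fi
    try=$((try + 1))
    sleep 5   # constructed pause between attempts
  done
  case "$action" in
    sync)
      secretzero sync ;;
    fix-config)
      echo "Fix these providers before syncing: $(printf '%s\n' "$output" | failed_providers)" >&2
      return 1 ;;
    retry)
      echo "Provider connection error persisted after $attempts attempts" >&2
      return 4 ;;
    *)
      echo "Unexpected exit code $rc from secretzero test" >&2
      return "$rc" ;;
  esac
}

# --dry-run exercises the parser on the embedded sample (prints "vault kubernetes");
# --run performs the real gate against the configured providers.
if [ "${1:-}" = "--dry-run" ]; then
  printf '%s\n' "$SAMPLE_OUTPUT" | failed_providers
elif [ "${1:-}" = "--run" ]; then
  gate_and_sync 3
fi
```

Treating exit code 1 and exit code 4 differently matters in a pipeline: an authentication or permission failure will not fix itself and should fail fast with the provider names attached, while a refused connection to Vault or a cluster is worth a short retry before anyone is paged.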
## Related Commands

- `validate` - Validate configuration
- `sync` - Generate and sync secrets
- `create` - Create a new Secretfile
- `init` - Initialize project dependencies

## See Also

- Provider Documentation - Provider configuration
- Troubleshooting Guide - Common issues
- Getting Started - Setup guide