Artifactory Dynamic Secrets

You can create an Artifactory dynamic secret to allow users to dynamically receive short-lived access tokens to interact with a JFrog Artifactory server (version 5.0.0 or later) via its API.

For more information on how to use access tokens in Artifactory, see the JFrog Artifactory documentation.

When a client requests a dynamic secret value, the Akeyless Vault Platform connects to the Artifactory server through your Gateway and generates a temporary access token.

Create a Dynamic Artifactory Secret from the CLI

Tip

To set up a dynamic secret, you can either configure a connection to the target server first or provide all parameters of the target server in the secret creation command.

We recommend using dynamic secrets together with targets, which saves time when configuring secrets. To enable this flow, ensure that the user responsible for creating dynamic secrets has permission to access or create targets.

To create a dynamic Artifactory secret from the CLI using the existing target, run the following command:

akeyless gateway-create-producer-artifactory \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the Artifactory server. The name can include the path to the virtual folder where this target resides.

  • gateway-url: API Gateway URL.

  • artifactory-token-scope: The scope to assign to the token. It is provided as a space-separated list of scopes, for example, member-of-groups:readers.

  • artifactory-token-audience: A space-separated list of other Artifactory instances or services that should accept this token. For example, to accept all JFrog Artifactory instances, use jfrt@*.

If you don't have a configured Artifactory target yet, you can use the command with your Artifactory target server connection parameters:

akeyless gateway-create-producer-artifactory \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances> \
--base-url <Artifactory REST URL> \
--artifactory-admin-name <Artifactory Admin username> \
--artifactory-admin-pwd <Artifactory Admin API Key or password>

Where:

  • base-url: The JFrog Artifactory REST URL, which must end with the artifactory postfix. For example, if you use your JFrog URL, this could be http://myjfrog.acme.org/artifactory/.

  • artifactory-admin-name: The Artifactory user with privileges to create JWT tokens.

  • artifactory-admin-pwd: The API key or password of the admin user.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.
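
The parameter rules above can be checked before the secret is created. The following is an added example, not Akeyless or JFrog code: lint_artifactory_params and bump are hypothetical helper names, the sample values are constructed, and the https check and the check for scopes ending in :admin (JFrog's admin scope form, jfrt@<instance-id>:admin) go beyond what this page states.

```shell
#!/bin/sh
# Added example: pre-flight lint for the parameters of an Artifactory dynamic secret.
# lint_artifactory_params and bump are hypothetical helpers, not Akeyless commands.
# Args: <base-url> <token-scope> <token-audience>
# Prints one finding per line; returns 0 if clean, 1 on warnings, 2 on errors.

bump() { [ "$rc" -ge "$1" ] || rc=$1; }   # raise the exit code, never lower it

lint_artifactory_params() {
    base_url=$1 scope=$2 audience=$3 rc=0
    set -f                                 # keep '*' in scopes/audiences literal

    # The page requires base-url to end with the artifactory postfix.
    case ${base_url%/} in
        */artifactory) ;;
        *) echo "ERROR base-url: must end with /artifactory/"; bump 2 ;;
    esac

    # The Gateway sends the admin credentials to this URL.
    case $base_url in
        https://*) ;;
        *) echo "WARN base-url: not https, admin credentials are sent unencrypted"; bump 1 ;;
    esac

    # Scopes are space-separated; an admin scope defeats a narrow short-lived token.
    for s in $scope; do
        case $s in
            *:admin) echo "WARN token-scope: '$s' grants admin privileges"; bump 1 ;;
        esac
    done

    # Audiences are space-separated; jfrt@* is accepted by every Artifactory instance.
    for a in $audience; do
        case $a in
            'jfrt@*') echo "WARN token-audience: '$a' is accepted by all instances"; bump 1 ;;
        esac
    done

    set +f
    return "$rc"
}

# Constructed sample values: a loose configuration, then a tightened one.
lint_artifactory_params 'http://myjfrog.acme.org/artifactory' \
    'api:* jfrt@01example:admin' 'jfrt@*' || true
lint_artifactory_params 'https://myjfrog.acme.org/artifactory/' \
    'member-of-groups:readers' '' || true
```

Run it with the same values you intend to pass to --base-url, --artifactory-token-scope and --artifactory-token-audience; a return code of 2 means the secret creation would be misconfigured, 1 means it would work but is broader than it needs to be.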

Fetch a Dynamic Artifactory Secret value from the CLI

To fetch a dynamic Artifactory secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>

Create a Dynamic Artifactory Secret in the Akeyless Console

Tip

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL, which enables communication between the Akeyless SaaS and the Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Dynamic Secret.

  2. Select the Artifactory secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Target mode: In this section, you can either select an existing Artifactory Target or specify details of the target Artifactory server explicitly (e.g., if you are not authorized to create and access Targets in the Akeyless Console).

    • Use the Choose an existing target drop-down list to select the existing Artifactory Target.

    • Check the Explicitly specify target properties radio button to provide details of the target Artifactory Server on the next step of the wizard.

Tip

We recommend using dynamic secrets together with targets, which saves time when configuring secrets. To enable this flow, ensure that the user responsible for creating dynamic secrets has permission to access or create targets.

  • Token Scope: Specify a scope (or a space-separated list of scopes) to assign to the token.

  • Token Audience: Specify a space-separated list of other JFrog Artifactory instances or services that should accept this token. The default value is the JFrog Artifactory service ID instance that created this token. For example, to accept all JFrog Artifactory instances, type jfrt@*.

  • User TTL: Provide a time-to-live value for a dynamic secret (i.e., a token). When TTL expires, the token becomes obsolete.

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.

  5. If you checked the Explicitly specify target properties radio button, click Next.

  6. Provide details of the target Artifactory server:

  • Base URL: Specify the JFrog Artifactory REST URL, which must end with the artifactory postfix. For example, if you use your JFrog URL, this could be http://myjfrog.acme.org/artifactory/. Or, if you use your JFrog Artifactory server hostname and port, this could be http://ARTIFACTORY_SERVER_HOSTNAME:8081/artifactory/.

  • Admin Username: Provide the name of the Artifactory user with privileges to create JWT tokens.

  • Admin API Key/Password: Provide the API key or password of the admin user.

  7. Click Finish.

Fetch a Dynamic Artifactory Secret value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click the Get Dynamic Secret button.

