This document covers the `sdm admin` subcommands of the StrongDM CLI. The examples were run on macOS, with `jq` installed via Homebrew. They apply to Linux as well; Windows uses different CLI functions and is outside the scope of this document.
Requirements for these examples:
- Install the StrongDM CLI on a local workstation.
- Install `jq`, a command-line JSON parser and processor. It is used to select, filter, and search for specific fields in the structured JSON output.
Tip: Appending `--help` or `-h` to any `sdm` command prints the options available for that subcommand before you run it.
`sdm admin`
Many functions within `sdm admin` are useful for finding information about your stack, or simply for managing resources from a script.
NAME:
sdm admin - administrative commands
USAGE:
sdm admin command [command options] [arguments...]
COMMANDS:
clouds manage clouds
clusters manage clusters
kubernetes, k8s manage Kubernetes cluster
ports manage port overrides
rdp manage RDP servers
relays, relay manage relays
remote-identities, remote-identity, ri manage remote identities
resources manage resources
rest make custom HTTP REST requests
roles manage roles
secretstores, secretstore manage secret stores
servers manage servers
services, svc, service manage service accounts
ssh manage SSH public key servers
users manage users
websites, web, http manage websites
workflows, workflow manage workflows
OPTIONS:
--help, -h show help
`sdm admin resources`
The `sdm admin resources` command lists all resources that are configured as datasources (databases) in the platform. Other commands manage servers such as SSH or RDP, as well as clusters and cloud configurations. Adding `--json` to any of these list commands produces JSON output that can be processed with `jq`.
sdm admin resources list -e
Datasource ID  Name  Type  Hostname  Database  Port  Username  Schema  TLS Required  Bind Interface  Port Override  Healthy  Secret Store ID  Egress Filter  Tags
rs-77xxxxxxxxxdee  prod-mysql-read-only  mysql  10.100.100.101  sakila  3306  strongdmreadonly  true  false  127.0.0.1  13309  true  Creator=TF,Env=demo owner=jk
Example with JSON output:
sdm admin resources list -e --json
{
  "bindInterface": "127.0.0.1",
  "database": "sakila",
  "healthy": "true",
  "hostname": "10.100.100.101",
  "id": "rs-771xxxxxxxxxxee",
  "name": "prod-mysql-read-only",
  "port": 3306,
  "portOverride": "13309",
  "requireNativeAuth": "true",
  "subdomain": "0b5xxxxxxxxxxx8c",
  "tags": {
    "Creator": "TF",
    "Env": "demo"
  },
  "type": "mysql",
  "username": "strongdmreadonly"
}
In addition to listing, you can similarly `add`/`create`, `clone`, `update`, or `delete` resources.
The following example shows how to add one or more SSH servers to the platform, either from a command string or by loading the values from a larger .json file.
`sdm admin ssh`
The `sdm admin ssh` command adds an SSH server to the StrongDM platform. This is one of the three options StrongDM offers for adding SSH servers: the Public Key configuration, which creates a random key for each resource. During this process StrongDM uses a temporary private key that you supply to log in and install the randomly generated public key, which is stored within Strong Vault.
If you do not specify a key when running this command, it returns the random public key to stdout in your terminal so that you can log in out of band and add the key to the user's authorized_keys file.
In the example below, the server is also tagged, which helps with management via RBAC in StrongDM or with other processes.
sdm admin ssh add my-new-ssh-server ec2-user@mynewsshserver.company.local:22 --identity ./private.key --accept --tags 'region=us-west-2'
`sdm admin roles`
In this next example, the `sdm admin roles` command creates a StrongDM role whose access rule uses the tag applied in the prior step, so that all resources created with `--tags 'region=us-west-2'` are included in the role.
Note: The tags must already exist in StrongDM for the access rules to be applied to the role, so make sure your resources are properly tagged before this step.
sdm admin roles add --tags 'region=us-west-2' MyNewRole
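The page uses `jq` to select fields from the `--json` output; the script below is an added example (not StrongDM's code) that does the same kind of selection in Python on a constructed sample of `sdm admin resources list -e --json` output, to answer the question the Note above raises: which resources a role created with `--tags 'region=us-west-2'` would actually be granted, which of those are unhealthy, and which resources fall outside the rule. The resource ids and hostnames in the sample are placeholders.

```python
import json

# Constructed sample of `sdm admin resources list -e --json` output: a list of
# resource objects shaped like the one shown on this page (ids are placeholders).
SAMPLE_RESOURCES_JSON = """
[
  {"id": "rs-000000000000001", "name": "prod-mysql-read-only", "type": "mysql",
   "hostname": "10.100.100.101", "port": 3306, "healthy": "true",
   "tags": {"Creator": "TF", "Env": "demo", "region": "us-west-2"}},
  {"id": "rs-000000000000002", "name": "my-new-ssh-server", "type": "ssh",
   "hostname": "mynewsshserver.company.local", "port": 22, "healthy": "false",
   "tags": {"region": "us-west-2"}},
  {"id": "rs-000000000000003", "name": "prod-postgres-admin", "type": "postgres",
   "hostname": "10.100.100.102", "port": 5432, "healthy": "true",
   "tags": {"Env": "prod"}}
]
"""

def parse_tag_selector(selector):
    """Turn an sdm-style selector such as 'region=us-west-2,Env=demo' into a dict."""
    tags = {}
    for pair in selector.split(","):
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"bad tag pair: {pair!r}")
        tags[key.strip()] = value.strip()
    return tags

def resources_matching_tags(resources, selector):
    """Return the resources that carry every tag in the selector."""
    wanted = parse_tag_selector(selector)
    return [r for r in resources
            if all(r.get("tags", {}).get(k) == v for k, v in wanted.items())]

def audit_role_tags(resources_json, selector):
    """Summarise what a role created with --tags <selector> would grant."""
    resources = json.loads(resources_json)
    matched = resources_matching_tags(resources, selector)
    return {
        "granted": sorted(r["name"] for r in matched),
        "unhealthy": sorted(r["name"] for r in matched if r.get("healthy") != "true"),
        "not_matched": sorted(r["name"] for r in resources if r not in matched),
    }

if __name__ == "__main__":
    print(json.dumps(audit_role_tags(SAMPLE_RESOURCES_JSON, "region=us-west-2"), indent=2))
```

To run it against a live account, replace `SAMPLE_RESOURCES_JSON` with the captured output of `sdm admin resources list -e --json` (wrapped in a JSON array if the CLI emits one object per line).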
`sdm admin ports`
The `sdm admin ports` command with the `list` subcommand lists all configured resources in the platform, printing each resource's bind interface (the loopback address in Loopback mode, or the VNM IP address) together with its port override.
sdm admin ports list
port override is enforced
ID NAME PORT BIND INTERFACE OVERRIDE
rs-01d47xxxxxxxx56c GCP-Gateway1 46970 127.0.0.1 46970
rs-01d47xxxxxxxx56c SFTP 49150 127.0.0.1 10006
rs-01d47xxxxxxxx56c Staging-RDP-User 3389 127.0.0.1 10003
rs-01d47xxxxxxxx56c azure-cli-se-sandbox 65113 127.0.0.1 10000
rs-01d47xxxxxxxx56c azure-se-gw-01-rfc1918_addr 27880 127.0.0.1 27880
rs-01d47xxxxxxxx56c demo-dynamodb-ARN-RW-EmployeeTable 11000 127.0.0.1 21002
rs-01d47xxxxxxxx56c demo-dynamodb-ReadOnly 11000 127.0.0.1 21001
rs-01d47xxxxxxxx56c demo-dynamodb-ReadWrite 11000 127.0.0.1 21000
rs-01d47xxxxxxxx56c dev-eks 10002 127.0.0.1 10002
rs-01d47xxxxxxxx56c gcp-cli-viewonly 65112 127.0.0.1 10007
rs-01d47xxxxxxxx56c king-terraform-ec2 11111 127.0.0.1 11112
rs-01d47xxxxxxxx56c king-terraform-ec2-multi 11111 127.0.0.1 11114
rs-01d47xxxxxxxx56c my-new-ssh-server 22 100.64.0.1 22
rs-01d47xxxxxxxx56c oci-jhoge-sdm-relay-ssh 10005 127.0.0.1 10005
rs-01d47xxxxxxxx56c prod-aws-cloud 11111 127.0.0.1 10008
rs-01d47xxxxxxxx56c prod-eks 18443 127.0.0.1 18443
rs-01d47xxxxxxxx56c prod-http 14335 127.0.0.1 14335
rs-01d47xxxxxxxx56c prod-mysql-admin 3306 127.0.0.1 13308
rs-01d47xxxxxxxx56c prod-mysql-read-only 3306 127.0.0.1 13309
rs-01d47xxxxxxxx56c prod-postgres-admin 5432 127.0.0.1 15435
rs-01d47xxxxxxxx56c prod-postgres-read-only 5432 127.0.0.1 15434
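Added example (not part of the original page or of the StrongDM CLI): a small parser for the `sdm admin ports list` table above, run on a constructed excerpt of it, that reports which resources are bound to a non-loopback (VNM) address and which are reached on an override port that differs from the resource's native port. Both checks are useful when reconciling local firewall or client configuration with what the CLI has actually bound.

```python
# Constructed excerpt of `sdm admin ports list` output in the format shown on this
# page: a status line, a header line, then one whitespace-separated row per resource.
SAMPLE_PORTS_OUTPUT = """\
port override is enforced
ID NAME PORT BIND INTERFACE OVERRIDE
rs-01d47xxxxxxxx56c SFTP 49150 127.0.0.1 10006
rs-01d47xxxxxxxx56c dev-eks 10002 127.0.0.1 10002
rs-01d47xxxxxxxx56c my-new-ssh-server 22 100.64.0.1 22
rs-01d47xxxxxxxx56c prod-mysql-read-only 3306 127.0.0.1 13309
"""

def parse_ports_table(text):
    """Parse the table into dicts; status, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five fields and start with a resource id.
        if len(parts) != 5 or not parts[0].startswith("rs-"):
            continue
        rows.append({"id": parts[0], "name": parts[1], "port": int(parts[2]),
                     "bind_interface": parts[3], "override": int(parts[4])})
    return rows

def non_loopback_binds(rows):
    """Resources not bound to 127.0.0.1, i.e. served on the VNM address instead."""
    return [r for r in rows if r["bind_interface"] != "127.0.0.1"]

def overridden_ports(rows):
    """Resources whose override port differs from the native port, so clients
    must connect to the override rather than the port the service normally uses."""
    return [r for r in rows if r["override"] != r["port"]]

if __name__ == "__main__":
    table = parse_ports_table(SAMPLE_PORTS_OUTPUT)
    for r in non_loopback_binds(table):
        print(f"VNM bind: {r['name']} on {r['bind_interface']}:{r['override']}")
    for r in overridden_ports(table):
        print(f"override: {r['name']} native {r['port']} -> local {r['override']}")
```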
Please visit the CLI Reference for complete documentation on how to use the CLI, as well as examples of how to use the filter/tag options.