CLI for Secrets Manager

Use the secrets-mgr commands to automate your Secrets Manager processes. For more information about how to use these commands, refer to the Secrets Manager documentation.

Command Description

Creates a new secret group

Deletes a secret group

Shows details of a secret group

Lists secret groups

Modifies a secret group

Creates a shared secret in a secret group

Shows details of a shared secret

Lists all shared secrets in a secret group

Modifies a shared secret

Replaces an existing shared secret

Creates a new certificate secret

Shows details of a certificate secret

Lists all certificate secrets in a secret group

Modifies a certificate secret

Replaces an existing certificate secret

Creates a new keystore secret

Shows details of a keystore secret

Lists all keystore secrets in a secret group

Modifies a keystore secret

Replaces an existing keystore secret

Creates a new truststore secret

Shows details of a truststore secret

Lists all truststore secrets in a secret group

Modifies a truststore secret

Replaces an existing truststore secret

Creates a new Mule TLS context secret

Shows details of a Mule TLS context secret

Lists all Mule TLS context secrets in a secret group

Modifies a Mule TLS context secret

Replaces an existing Mule TLS context secret

Creates a new Flex Gateway TLS context secret

Shows details of a Flex Gateway TLS context secret

Lists all Flex Gateway TLS context secrets in a secret group

Modifies a Flex Gateway TLS context secret

Replaces an existing Flex Gateway TLS context secret


> secrets-mgr:secret-group:create [flags]

Creates a new secret group with the name specified by --name.

Pass the --downloadable flag if the secrets in this group are referenced in an API Manager proxy.

This command accepts the default flags.


> secrets-mgr:secret-group:delete [flags]

Deletes the secret group specified by --id.

This command does not prompt for confirmation before deleting.

This command accepts the default flags.
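Because the delete command runs without a confirmation prompt, a wrapper can supply one. The following is an added example, not part of the original documentation or the CLI itself; the `SECRETS_CLI` variable, its `anypoint-cli-v4` default, and the lowercase-UUID check on the ID are assumptions.

```shell
# Added example: confirmation guard in front of secrets-mgr:secret-group:delete.
# SECRETS_CLI (assumed name) holds the CLI binary; adjust it to your installation.
SECRETS_CLI="${SECRETS_CLI:-anypoint-cli-v4}"

confirm_delete_group() {
    cdg_id="$1"
    # Refuse anything that does not look like the UUID-style IDs used on this page.
    if ! printf '%s\n' "$cdg_id" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        printf '%s\n' "refusing: '$cdg_id' is not a secret group ID" >&2
        return 2
    fi
    # Show the group that is about to be removed; stop if it cannot be described.
    "$SECRETS_CLI" secrets-mgr:secret-group:describe --id "$cdg_id" || return 3
    # Require the operator to retype the ID, so a stray Enter cannot confirm.
    printf 'Type the group ID again to delete it: ' >&2
    IFS= read -r cdg_answer || return 4
    if [ "$cdg_answer" != "$cdg_id" ]; then
        printf '%s\n' "aborted: confirmation did not match" >&2
        return 4
    fi
    "$SECRETS_CLI" secrets-mgr:secret-group:delete --id "$cdg_id"
}
```

In non-interactive jobs, feed the ID on standard input only after an explicit approval step; otherwise the guard adds nothing.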


> secrets-mgr:secret-group:describe [flags]

Returns the details of a secret group specified by --id.

This command accepts the default flags.


> secrets-mgr:secret-group:list [flags]

Lists all your secret groups, including the name and ID.

This command accepts the default flags.


> secrets-mgr:secret-group:modify [flags]

Modifies a secret group specified by --id.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Name for your secret group

--name TestSecretGroup


Secrets in this group are referenced in an API Manager proxy



Secrets in this group are not referenced in an API Manager proxy.



> secrets-mgr:shared-secret:create [flags]

Creates a new shared secret in the secret group specified by --group-id, using the name specified by --name and the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Name for your secret

--name TestSecret


Choose the shared secret type (required)
Options: Blob, UsernamePassword, SymmetricKey, S3Credential

--type UsernamePassword


Blob text content (for blob type secrets)

--type Blob --content example


Expiration date for the secret

--expiration-date 01/01/2025


Key value (for SymmetricKey type secrets)

--type SymmetricKey --key 49324329


S3 access key id (for S3Credential type secrets)

--type S3Credential -access-key-id 03249348324


S3 secret access key (for S3Credential type secrets)

--type S3Credential -secret-access-key 00000000000


Password (for UsernamePassword type secrets)

--type UsernamePassword -secret-password testpassword12


Username (for UsernamePassword type secrets)

--type UsernamePassword -secret-username mulesoft-username


> secrets-mgr:shared-secret:describe [flags]

Returns the details of a shared secret specified by --id from the secret group specified by --group-id.

This command accepts the default flags.

The output does not include any sensitive or secret data.


> secrets-mgr:shared-secret:list [flags]

Lists all shared secrets in a secret group specified by --group-id.

This command accepts the default flags.


> secrets-mgr:shared-secret:modify [flags]

Modifies the name or expiration date for a shared secret specified by --id, from the secret group specified by --group-id.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


New name for the shared secret

--name TestSharedSecret


New expiration date for the shared secret

--expiration-date 2025-01-25


> secrets-mgr:shared-secret:replace [flags]

Replaces an existing shared secret specified by --id, from the secret group specified by --group-id, using the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret ID (required)

--id 6e8417f6-2ca7-417a-82b6-047189a18b53


Secret Group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Shared secret type (required)
The value must match the existing secret type.

--type Blob


New name for your shared secret

--name TestSharedSecret


Blob text content (for blob type secrets)

--type Blob --content example


Expiration date for the secret

--expiration-date 2025-01-25


Key value (for SymmetricKey type secrets)

--type SymmetricKey --key 49324329


S3 access key id (for S3Credential type secrets)

--type S3Credential -access-key-id 03249348324


S3 secret access key (for S3Credential type secrets)

--type S3Credential -secret-access-key 00000000000


Password (for UsernamePassword type secrets)

--type UsernamePassword -secret-password testpassword12


Username (for UsernamePassword type secrets)

--type UsernamePassword -secret-username mulesoft-username


> secrets-mgr:certificate:create [flags]

Creates a new certificate secret in the secret group specified by --group-id, using the name specified by --name and the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Name for your secret (required)

--name TestSecret


Choose the certificate secret type (required)
Options: PEM.

--type PEM


Certificate file path

--cert-file ./example-cert.pem


Expiration date for the secret

--expiration-date 2025-01-25


> secrets-mgr:certificate:describe [flags]

Returns the details of a certificate secret specified by --id from the secret group specified by --group-id.

This command accepts the default flags.

The output does not include any sensitive or secret data.


> secrets-mgr:certificate:list [flags]

Lists all certificate secrets in a secret group specified by --group-id.

This command accepts the default flags.


> secrets-mgr:certificate:modify [flags]

Modifies the name or expiration date for a certificate secret specified by --id from the group specified by --group-id.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


New name for the certificate secret

--name TestCertificateSecret


New expiration date for the certificate secret

--expiration-date 2025-01-25


> secrets-mgr:certificate:replace [flags]

Replaces an existing certificate secret specified by --id, from the secret group specified by --group-id, using the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret ID (required)

--id 6e8417f6-2ca7-417a-82b6-047189a18b53


Secret Group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Certificate secret type (required)
The value must match the existing secret type.

--type PEM


New name for your certificate secret

--name TestSharedSecret


Certificate file path

--cert-file ./example-cert.pem


Expiration date for the secret

--expiration-date 2025-01-25


> secrets-mgr:keystore:create [flags]

Creates a new keystore secret in the secret group specified by --group-id, using the name specified by --name and the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Name for your secret (required)

--name TestSecret


Keystore secret type (required)
Options: PEM, JKS, PKCS12, JCEKS.

--type PEM


Key manager factory algorithm for JKS, PKCS12, and JCEKS keystore secrets

--algorithm PKIX


Alias for the key used in JKS, PKCS12, and JCEKS keystore secrets

--alias KeyAliasExample


CA path certificate file for PEM keystore secrets

--capath-file ./example-capath.pem


Expiration date for the secret

--expiration-date 2025-01-25


Key file for PEM keystore secrets

--key-file ./example-key.pem


Passphrase required for JKS, PKCS12 and JCEKS keystore secrets. Optional for PEM keystore secrets

--key-passphrase examplePassphrase


Keystore filepath for JKS, PKCS12, and JCEKS type secrets

--keystore-file ./keystorefile.jks


Passphrase for the JKS, PKCS12, and JCEKS type secrets

--store-passphrase ExampleStorePassphrase
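The keystore flags above depend on --type, so a script can check an argument list before it reaches the CLI. This is an added example, not code from the original documentation; the function names are hypothetical, and the rules encode only what the flag descriptions above state (which flags belong to PEM, which to JKS, PKCS12 and JCEKS, and that --key-passphrase is required for the latter three).

```shell
# Added example: pre-flight check of secrets-mgr:keystore:create arguments.
# ks_has, ks_fail and check_keystore_args are hypothetical helper names.
ks_has()  { case "$KS_SEEN" in *" $1 "*) return 0 ;; esac; return 1; }
ks_fail() { printf '%s\n' "$1" >&2; ks_bad=1; }

check_keystore_args() {
    KS_SEEN=" "; ks_type=""; ks_prev=""; ks_bad=0; ks_wrong=""
    # Record every flag that appears and capture the value following --type.
    for ks_arg in "$@"; do
        if [ "$ks_prev" = "--type" ]; then ks_type="$ks_arg"; fi
        case "$ks_arg" in --*) KS_SEEN="$KS_SEEN$ks_arg " ;; esac
        ks_prev="$ks_arg"
    done
    # Flags marked (required) in the table.
    for ks_req in --group-id --name --type; do
        ks_has "$ks_req" || ks_fail "missing required flag $ks_req"
    done
    # ks_wrong lists the flags documented for the *other* keystore family.
    case "$ks_type" in
        PEM)
            ks_wrong="--algorithm --alias --keystore-file --store-passphrase" ;;
        JKS|PKCS12|JCEKS)
            ks_wrong="--capath-file --key-file"
            ks_has --key-passphrase ||
                ks_fail "--key-passphrase is required for --type $ks_type" ;;
        *)
            ks_fail "--type must be one of PEM, JKS, PKCS12, JCEKS" ;;
    esac
    for ks_flag in $ks_wrong; do
        if ks_has "$ks_flag"; then
            ks_fail "$ks_flag does not apply to --type $ks_type"
        fi
    done
    return "$ks_bad"
}
```

Call it with the same arguments you intend to pass to the command and run the command only when it returns 0.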


> secrets-mgr:keystore:describe [flags]

Returns the details of a keystore secret specified by --id from the secret group specified by --group-id.

This command accepts the default flags.

The output doesn’t include any sensitive or secret data.


> secrets-mgr:keystore:list [flags]

Lists all keystore secrets in a secret group specified by --group-id.

This command accepts the default flags.


> secrets-mgr:keystore:modify [flags]

Modifies the name or expiration date for a keystore secret specified by --id from the group specified by --group-id.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


New name for the keystore secret

--name TestKeystoreSecret


New expiration date for the keystore secret

--expiration-date 2025-01-25


> secrets-mgr:keystore:replace [flags]

Replaces an existing keystore secret specified by --id, from the secret group specified by --group-id, using the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret ID (required)

--id 6e8417f6-2ca7-417a-82b6-047189a18b53


Choose the keystore secret type (required)
Options: PEM, JKS, PKCS12, JCEKS.

--type PEM


Key manager factory algorithm for JKS, PKCS12, and JCEKS keystore secrets

--algorithm PKIX


Alias for the key used in JKS, PKCS12, and JCEKS keystore secrets

--alias KeyAliasExample


CA path certificate file for PEM keystore secrets

--capath-file ./example-capath.pem


Expiration date for the secret

--expiration-date 2025-01-25


Key file for PEM keystore secrets

--key-file ./example-key.pem


Passphrase required for JKS, PKCS12 and JCEKS keystore secrets. Optional for PEM keystore secrets

--key-passphrase examplePassphrase


Keystore filepath for JKS, PKCS12, and JCEKS type secrets.

--keystore-file ./keystorefile.jks


Name for your secret

--name TestSecret


Passphrase for the JKS, PKCS12, and JCEKS type secrets

--store-passphrase ExampleStorePassphrase


> secrets-mgr:truststore:create [flags]

Creates a new truststore secret in the secret group specified by --group-id, using the name specified by --name and the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Name for your secret (required)

--name TestSecret


Choose the truststore secret type (required)
Options: PEM, JKS, PKCS12, JCEKS

--type PEM


Truststore filepath (required)

--truststore-file ./truststorefile.pem


Key manager factory algorithm for JKS, PKCS12, and JCEKS keystore secrets

--algorithm SUNX509


Expiration date for the secret

--expiration-date 2025-01-25


Passphrase required for JKS, PKCS12 and JCEKS keystore secrets

--store-passphrase examplePassphrase


> secrets-mgr:truststore:describe [flags]

Returns the details of a truststore secret specified by --id from the secret group specified by --group-id.

This command accepts the default flags.

The output does not include any sensitive or secret data.


> secrets-mgr:truststore:list [flags]

Lists all truststore secrets in a secret group specified by --group-id.

This command accepts the default flags.


> secrets-mgr:truststore:modify [flags]

Modifies the name or expiration date for a truststore secret specified by --id from the group specified by --group-id.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


New name for the truststore secret

--name TestTruststoreSecret


New expiration date for the truststore secret

--expiration-date 2025-01-25


> secrets-mgr:truststore:replace [flags]

Replaces an existing truststore secret specified by --id, from the secret group specified by --group-id, using the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret ID (required)

--id 6e8417f6-2ca7-417a-82b6-047189a18b53


Choose the truststore secret type (required)
Options: PEM, JKS, PKCS12, JCEKS.

--type PEM


Truststore filepath (required)

--truststore-file ./truststorefile.pem


Key manager factory algorithm for JKS, PKCS12, and JCEKS keystore secrets

--algorithm SUNX509


Expiration date for the secret

--expiration-date 2025-01-25


Name for your secret

--name TestSecret


Passphrase required for JKS, PKCS12 and JCEKS keystore secrets

--store-passphrase examplePassphrase


> secrets-mgr:tls-context:mule:create [flags]

Creates a new Mule TLS context secret in the secret group specified by --group-id, and using the name specified by --name.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Name for your secret (required)

--name TestSecret


TLS Version
Default: TLSv1.2

--tls-version TLSv1.1


Cipher for the specified TLS version



Expiration date for the secret

--expiration-date 2025-01-25


Disable certificate validation



A valid JKS, JCEKS, or PKCS12 keystore ID in the secret group, which is used as keystore for the TLS context

--keystore-id 2d773060-aed0-46a7-b131-efbdb6ceff70


A valid JKS, JCEKS, or PKCS12 truststore ID in the secret group, which is used as truststore for the TLS context

--truststore-id 588c33e4-7f6f-44be-94e8-8b65a56d1670


> secrets-mgr:tls-context:mule:describe [flags]

Returns the details of a Mule TLS context secret specified by --id from the secret group specified by --group-id.

This command accepts the default flags.

The output does not include any sensitive or secret data.


> secrets-mgr:tls-context:mule:list [flags]

Lists all Mule TLS context secrets in a secret group specified by --group-id.

This command accepts the default flags.


> secrets-mgr:tls-context:mule:modify [flags]

Modifies the name or expiration date for a Mule TLS context secret specified by --id from the group specified by --group-id.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


New name for the Mule TLS context secret

--name TestTruststoreSecret


New expiration date for the Mule TLS context secret

--expiration-date 2025-01-25


> secrets-mgr:tls-context:mule:replace [flags]

Replaces an existing Mule TLS context secret specified by --id, from the secret group specified by --group-id, using the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Name for your secret (required)

--name TestSecret


TLS Version
Default: TLSv1.2

--tls-version TLSv1.1


Cipher for the specified TLS version



Expiration date for the secret

--expiration-date 2025-01-25


Disable certificate validation



A valid JKS, JCEKS, or PKCS12 keystore ID in the secret group, which is used as keystore for the TLS context

--keystore-id 2d773060-aed0-46a7-b131-efbdb6ceff70


A valid JKS, JCEKS, or PKCS12 truststore ID in the secret group, which is used as truststore for the TLS context

--truststore-id 588c33e4-7f6f-44be-94e8-8b65a56d1670


> secrets-mgr:tls-context:flex-gateway:create [flags]

Creates a new Flex Gateway TLS context secret in the secret group specified by --group-id, and using the name specified by --name.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Name for your secret (required)

--name TestSecret


Maximum TLS Version
Default: TLSv1.3

--max-tls-version TLSv1.2


Minimum TLS Version
Default: TLSv1.3

--min-tls-version TLSv1.2


Cipher for the specified TLS version range



ALPN Protocol
Options: h2, http/1.1

--alpn-protocol h2


Enable client certificate validation



Expiration date for the secret

--expiration-date 2025-01-25


A valid PEM keystore ID in the secret group, which is used as keystore for the TLS context

--keystore-id 2d773060-aed0-46a7-b131-efbdb6ceff70


A valid PEM truststore ID in the secret group, which is used as truststore for the TLS context

--truststore-id 588c33e4-7f6f-44be-94e8-8b65a56d1670


Skip service certificate validation


For more information about ciphers, see Flex Gateway Supported Ciphers.
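The Flex Gateway TLS context defaults to TLSv1.3 for both bounds, so any --min-tls-version or --max-tls-version on the command line is a deliberate change worth checking in a deployment script. This is an added example, not code from the original documentation; the function names, the `TLS_FLOOR` policy variable and the assumption that versions are written as `TLSv1.N` are this example's own.

```shell
# Added example: validate the TLS version range of a
# secrets-mgr:tls-context:flex-gateway:create argument list.
# TLS_FLOOR is a local policy value assumed by this example, not a CLI setting.
TLS_FLOOR="${TLS_FLOOR:-TLSv1.2}"

# Print N for a value written as TLSv1.N; fail on any other spelling.
tls_minor() {
    case "$1" in
        TLSv1.[0-3]) printf '%s\n' "${1#TLSv1.}" ;;
        *) return 1 ;;
    esac
}

check_tls_flags() {
    # Start from the defaults documented in the table: TLSv1.3 for both bounds.
    tl_min="TLSv1.3"; tl_max="TLSv1.3"; tl_prev=""
    for tl_arg in "$@"; do
        case "$tl_prev" in
            --min-tls-version) tl_min="$tl_arg" ;;
            --max-tls-version) tl_max="$tl_arg" ;;
        esac
        tl_prev="$tl_arg"
    done
    tl_lo=$(tls_minor "$tl_min") || {
        printf '%s\n' "unrecognised --min-tls-version $tl_min" >&2; return 2; }
    tl_hi=$(tls_minor "$tl_max") || {
        printf '%s\n' "unrecognised --max-tls-version $tl_max" >&2; return 2; }
    tl_floor=$(tls_minor "$TLS_FLOOR") || return 2
    # An inverted range can never negotiate a version.
    if [ "$tl_lo" -gt "$tl_hi" ]; then
        printf '%s\n' "minimum $tl_min is above maximum $tl_max" >&2
        return 3
    fi
    # Reject a minimum below the policy floor.
    if [ "$tl_lo" -lt "$tl_floor" ]; then
        printf '%s\n' "minimum $tl_min is below the floor $TLS_FLOOR" >&2
        return 4
    fi
    return 0
}
```

Return codes 2, 3 and 4 distinguish an unparseable value, an inverted range and a minimum below the floor, so a pipeline can fail with a specific message.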


> secrets-mgr:tls-context:flex-gateway:describe [flags]

Returns the details of a Flex Gateway TLS context secret specified by --id from the secret group specified by --group-id.

This command accepts the default flags.

The output does not include any sensitive or secret data.


> secrets-mgr:tls-context:flex-gateway:list [flags]

Lists all Flex Gateway TLS context secrets in a secret group specified by --group-id.

This command accepts the default flags.


> secrets-mgr:tls-context:flex-gateway:modify [flags]

Modifies the name or expiration date for a Flex Gateway TLS context secret specified by --id from the group specified by --group-id.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


New name for the Flex Gateway TLS context secret

--name TestTruststoreSecret


New expiration date for the Flex Gateway TLS context secret

--expiration-date 2025-01-25


> secrets-mgr:tls-context:flex-gateway:replace [flags]

Replaces an existing Flex Gateway TLS context secret specified by --id, from the secret group specified by --group-id, using the type specified by --type.

In addition to the default flags, this command accepts the following flags:

Flag Description Example


Secret group ID (required)

--group-id 1fec0a49-1551-4199-bfcc-cf0352d0f29d


Name for your secret (required)

--name TestSecret


Maximum TLS Version
Default: TLSv1.3

--max-tls-version TLSv1.2


Minimum TLS Version
Default: TLSv1.3

--min-tls-version TLSv1.2


Cipher for the specified TLS version range



ALPN Protocol
Options: h2, http/1.1

--alpn-protocol h2


Enable client certificate validation



Expiration date for the secret

--expiration-date 2025-01-25


A valid PEM keystore ID in the secret group, which is used as keystore for the TLS context

--keystore-id 2d773060-aed0-46a7-b131-efbdb6ceff70


A valid PEM truststore ID in the secret group, which is used as truststore for the TLS context

--truststore-id 588c33e4-7f6f-44be-94e8-8b65a56d1670


Skip service certificate validation
