Vault Management

The s0 vault command group provides tools to interact with Socket0 vaults and manage secrets through the REST API.

Authentication

All vault commands require authentication. You can provide credentials in two ways:

Option 1: Command-Line Arguments

s0 vault list --endpoint https://api.socket0.dev --key your-api-key

Option 2: Environment Variables

export SOCKET0_ENDPOINT=https://api.socket0.dev
export SOCKET0_API_KEY=your-api-key

# Now commands work without explicit flags
s0 vault list

Option 3: .env File

Create a .env file in your project:

SOCKET0_ENDPOINT=https://api.socket0.dev
SOCKET0_API_KEY=your-api-key

Then run commands:

s0 vault list

Available Commands

s0 vault list - List Vaults

List all vaults in your account.

# List all vaults
s0 vault list --endpoint https://api.socket0.dev --key your-key

# Filter by account (if multi-account)
s0 vault list --account 123

# Using environment variables
s0 vault list

Options:

Option	Short	Description
--endpoint	-e	API endpoint URL (env: SOCKET0_ENDPOINT)
--key	-k	API key (env: SOCKET0_API_KEY)
--account	-a	Filter by account ID

Output:

┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ ID                  ┃ Name      ┃ Description        ┃ Created        ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ vault-123           │ prod-db   │ Production DB      │ 2024-01-15     │
│ vault-456           │ staging   │ Staging secrets    │ 2024-01-16     │
└─────────────────────┴───────────┴────────────────────┴────────────────┘

s0 vault create - Create Vault

Create a new vault.

# Create vault with name
s0 vault create my-vault --endpoint https://api.socket0.dev --key your-key

# Create with description
s0 vault create my-vault --description "Production secrets"

# Using environment variables
s0 vault create prod-db --description "Production database credentials"

Options:

Option	Short	Description
--description	-d	Vault description (default: empty)
--endpoint	-e	API endpoint URL
--key	-k	API key

Output:

Creating vault 'prod-db'...
✓ Vault created successfully
  ID: vault-789
  Name: prod-db
  Created: 2024-01-17

s0 vault get - Get Secret

Retrieve a secret from a vault.

# Get secret value
s0 vault get vault-123 db-password --endpoint https://api.socket0.dev --key your-key

# Using environment variables
s0 vault get vault-123 api-token

Arguments:

Argument	Description
vault_id	ID of the vault
key	Secret key to retrieve

Options:

Option	Short	Description
--endpoint	-e	API endpoint URL
--key	-k	API key

Output:

Retrieving secret 'db-password' from vault 'vault-123'...
Secret value: **hidden**

s0 vault set - Set Secret

Set or update a secret in a vault.

# Set secret with value
s0 vault set vault-123 db-password --value "secret123"

# With explicit endpoint and key
s0 vault set vault-123 db-password -v "secret123" --endpoint https://api.socket0.dev --key your-key

# Interactive mode (prompts for value)
s0 vault set vault-123 db-password

Arguments:

Argument	Description
vault_id	ID of the vault
key	Secret key to set

Options:

Option	Short	Description
--value	-v	Secret value (prompts if not provided)
--endpoint	-e	API endpoint URL
--key	-k	API key

Output:

Setting secret 'db-password' in vault 'vault-123'...
✓ Secret saved successfully

s0 vault delete - Delete Vault

Delete a vault. Requires confirmation unless --confirm is provided.

# Delete with confirmation prompt
s0 vault delete vault-123 --endpoint https://api.socket0.dev --key your-key

# Delete without confirmation
s0 vault delete vault-123 --confirm

Arguments:

Argument	Description
vault_id	ID of the vault to delete

Options:

Option	Short	Description
--confirm	-y	Skip confirmation prompt
--endpoint	-e	API endpoint URL
--key	-k	API key

Output:

Delete vault 'vault-123'? [y/N]: y
Deleting vault 'vault-123'...
✓ Vault deleted successfully

Usage Examples

Workflow: Create and Populate Vault

# Set environment variables
export SOCKET0_ENDPOINT=https://api.socket0.dev
export SOCKET0_API_KEY=your-api-key

# Create a new vault
s0 vault create prod-secrets --description "Production credentials"

# Add secrets to the vault
s0 vault set vault-789 db-password --value "super-secret-password"
s0 vault set vault-789 api-token --value "token-xyz-123"
s0 vault set vault-789 jwt-secret --value "jwt-signing-key"

# List all vaults
s0 vault list

# Retrieve specific secret
s0 vault get vault-789 db-password

Workflow: CI/CD Integration

In your .github/workflows/deploy.yml:

env:
  SOCKET0_ENDPOINT: ${{ secrets.SOCKET0_ENDPOINT }}
  SOCKET0_API_KEY: ${{ secrets.SOCKET0_API_KEY }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Install CLI
        run: pip install socket0-sdk[cli]
      
      - name: Get database password
        run: |
          DB_PASSWORD=$(s0 vault get prod-vault db-password)
          echo "DB_PASSWORD=$DB_PASSWORD" >> $GITHUB_ENV
      
      - name: Deploy
        env:
          DB_PASSWORD: ${{ env.DB_PASSWORD }}
        run: ./deploy.sh

Error Handling

Common errors and solutions:

Error	Cause	Solution
Connection refused	Endpoint unreachable	Check endpoint URL and network
Unauthorized	Invalid API key	Verify API key in environment
Vault not found	Invalid vault ID	Check vault ID with s0 vault list
Secret not found	Key doesn't exist	Check secret key name

Security Best Practices

1. Never commit credentials: Use environment variables or .env files (add to .gitignore)
2. Use API keys carefully: Treat them like passwords
3. Scope permissions: Create API keys with minimal required permissions
4. Rotate credentials: Regularly rotate API keys
5. Use environment variables: In CI/CD pipelines, use secret variables

Next Steps

• CLI Overview - Back to CLI overview
• SDK Tools - SDK development commands
• Vault Guide - Learn about vaults in depth