3.4 KiB
Session Log — 2026-06-09 — Datto RMM API Credential Vaulting
User
- User: Mike Swanson (mike)
- Machine: GURU-5070
- Role: admin
Session Summary
Routine /sync at session start — repo was already in sync (HEAD 2a006483), no commits moved in either direction, vault clean.
Mike asked to check the Downloads folder for a Datto RMM API text file. Located two files: DattoRMM-API.txt (plaintext API key/secret for the zinfandel CentraStage platform) and DattoRMMDevices.csv (a device export). He confirmed he had staged the credentials there for collection and vaulting.
Vaulted the Datto RMM API credentials into the SOPS vault at msp-tools/datto-rmm.sops.yaml, matching the existing msp-tools API-key schema (modeled on autotask.sops.yaml / msp360-api.sops.yaml). Wrote the plaintext entry, encrypted in place with sops --encrypt --in-place, verified the round-trip decrypt, then committed and pushed the vault repo. The credentials and notes blocks encrypted; structural metadata (base URL, swagger link, tags) left readable. Encrypted to both age recipients (Mike + Howard).
Mike opted to delete the Downloads source files himself, then requested a save + machine reboot.
Key Decisions
- Placed the entry under
msp-tools/(alongside autotask, syncro, gravityzone, msp360-api) rather thanclients/orservices/— Datto RMM is an MSP-wide tool, not client- or single-service-scoped. - Used
kind: api-keyschema withcredentials.api_key/credentials.api_secretto match the encrypted_regex (^(credentials|password|secret|api_key|token|...|notes|content)$) so the secret fields cipher automatically. - Encrypted via direct
sops --encrypt --in-placeon a hand-written plaintext file rather thanvault add+vault edit(edit opens$EDITORinteractively — not usable non-interactively). - Left
DattoRMMDevices.csvuntouched (device data, not a credential); deferred its disposition to Mike.
Configuration Changes
- Created:
D:/vault/msp-tools/datto-rmm.sops.yaml(encrypted, committed + pushed to vault repo)
Credentials & Secrets
- Datto RMM API (zinfandel / CentraStage) — vaulted at
msp-tools/datto-rmm.sops.yaml- api_key:
DGV7L0HT8GL9P0D0H7OBDO5EFP328LAS - api_secret:
52RAI4OO0B3U4LLN0A54GNP9ARE0L536 - Retrieve:
bash .claude/scripts/vault.sh get msp-tools/datto-rmm.sops.yaml
- api_key:
Infrastructure & Servers
- Datto RMM API base URL:
https://zinfandel-api.centrastage.net - Swagger UI:
https://zinfandel-api.centrastage.net/api/swagger-ui/index.html - Auth: OAuth2 password grant (api_key + api_secret → bearer token → REST under
/api)
Commands & Outputs
sops --encrypt --in-place msp-tools/datto-rmm.sops.yaml→ encrypted; decrypt round-trip confirmed both secret fields intact.- Vault commit:
vault: add Datto RMM (zinfandel) API credentials— pushed to origin.
Pending / Incomplete Tasks
- Mike to delete plaintext source
C:\Users\guru\Downloads\DattoRMM-API.txt(now redundant — vaulted). - Disposition of
C:\Users\guru\Downloads\DattoRMMDevices.csvundecided (leave / vault / import). - No Datto RMM integration code written yet — credentials are collected only.
- Machine reboot requested after save.
Reference Information
- Vault entry:
msp-tools/datto-rmm.sops.yaml - Source files:
C:\Users\guru\Downloads\DattoRMM-API.txt,C:\Users\guru\Downloads\DattoRMMDevices.csv - Session-start HEAD:
2a006483