Thales CSM MCP Server

Simple MCP server for Thales CipherTrust Secrets Management, powered by Akeyless.

🎬 Demo Videos

📹 Part I: Usage & Functionality - Watch on YouTube

This video demonstrates:

Setting up Cursor AI integration

Creating and managing secrets and DFC Keys through AI chat

Security compliance workflows

Example prompts and functionality

📹 Part II: Deployment & Installation - Watch on YouTube

This video covers:

Step-by-step installation process

Configuration and setup

Deployment options

🎯 Key Features

Intelligent App Development & Security Migration

The server includes a powerful prompt that automatically determines whether you want to:

Create a NEW app with built-in CipherTrust integration
Secure an EXISTING app by migrating hardcoded secrets to CipherTrust

For New Apps:

Generates complete Python implementations with CipherTrust integration
Uses the get_api_reference tool for native API integration
Provides production-ready code with proper error handling

For Existing Apps:

Scans codebase for hardcoded secrets using intelligent detection
Categorizes secrets by type (key-value pairs vs standalone)
Uses manage_secrets MCP tool to create CipherTrust secrets
Generates migration reports and updated code
Provides testing and validation instructions

Secret Type Classification:

Key-Value Pairs/JSON format: AWS credentials, database configs, OAuth tokens
Standalone Secrets (Text format): Single passwords, individual tokens, certificates

📋 Prerequisites

Before you begin, ensure you have the following installed on your system:

Python 3.8+: Required for running the MCP server
uv: Modern Python package manager (recommended) or pip
git: For cloning the repository
dotenv: Environment variable management
fastmcp: MCP server framework
Thales CipherTrust Manager access
Valid Akeyless credentials

Installing Prerequisites

Python

# Check if Python is installed
python --version
# or
python3 --version

# Install Python (Ubuntu/Debian)
sudo apt update && sudo apt install python3 python3-pip

# Install Python (macOS)
brew install python

# Install Python (Windows)
# Download from https://python.org

uv (Recommended)

# Install uv
pip install uv

# Verify installation
uv --version

git

# Check if git is installed
git --version

# Install git (Ubuntu/Debian)
sudo apt update && sudo apt install git

# Install git (macOS)
brew install git

# Install git (Windows)
# Download from https://git-scm.com

dotenv

# Check if python-dotenv is installed
python -c "import dotenv; print('dotenv available')"

# Install python-dotenv
pip install python-dotenv

# Verify installation
python -c "import dotenv; print(f'dotenv version: {dotenv.__version__}')"

fastmcp

# Check if fastmcp is installed
python -c "import fastmcp; print('fastmcp available')"

# Install fastmcp
pip install fastmcp

# Verify installation
python -c "import fastmcp; print(f'fastmcp version: {fastmcp.__version__}')"

🚀 What this MCP server features

Secrets Management: Create, read, update, delete secrets
DFC Key Management: DFC encryption keys (AES, RSA)
Account Management: Get Akeyless account details
Analytics: Fetch analytics data
Authentication Methods: Manage Authentication Methods
App Development & Security: Intelligent app creation and secret migration
Roles: Manage Roles
Targets: Manage Targets
Security: Guidelines and best practices
MCP Protocol: Model Context Protocol compliance

⚡ Quick Start

1. Install

Option A: Using pip (Traditional)

git clone https://github.com/sanyambassi/thales-cdsp-csm-mcp-server
cd thales-cdsp-csm-mcp-server
pip install -r requirements.txt

Option B: Using uv (Recommended)

# Install uv if you don't have it
pip install uv

# Clone and setup
git clone https://github.com/sanyambassi/thales-cdsp-csm-mcp-server
cd thales-cdsp-csm-mcp-server

# Install dependencies (creates .venv automatically)
uv sync

2. Configure

Create .env file:

AKEYLESS_ACCESS_ID=your_access_id
AKEYLESS_ACCESS_KEY=your_access_key
AKEYLESS_API_URL=https://your-ciphertrust-manager/akeyless-api/v2
LOG_LEVEL=INFO
AKEYLESS_VERIFY_SSL=false

3. Run

Using pip (Traditional)

# stdio mode
python main.py

# HTTP mode 
python main.py --transport streamable-http --host localhost --port 8000

Using uv (Recommended)

# stdio mode
uv run python main.py

# HTTP mode 
uv run python main.py --transport streamable-http --host localhost --port 8000

🛠️ Available Tools

Tool	Description
`manage_secrets`	Create static secrets, get static secret values, update, delete secrets (static, dynamic, rotated) with type filtering and dynamic secret creation
`manage_dfc_keys`	Manage encryption keys
`manage_auth_methods`	Authentication and access control
`manage_rotation`	Secret rotation policies
`manage_customer_fragments`	Enhanced security features
`security_guidelines`	Security best practices
`manage_roles`	List and get role information
`manage_targets`	List, get, and create targets
`manage_analytics`	Get analytics and monitoring data
`manage_account`	Get account settings and licensing
`get_api_reference`	Get API reference for native Akeyless integrations (generic workflows + S3 example)

🔍 Test It

# Run tests
python tests/run_tests.py
python.exe tests\test_mcp_protocol.py

# Test health endpoint (HTTP mode)
curl http://localhost:8000/health

📚 Documentation

TRANSPORT_MODES.md - How to run
TOOLS.md - What tools do
TESTING.md - Complete testing guide
AI Assistant Configs - MCP json examples for AI Assistants

🎯 Use Cases

AI Assistants: Claude Desktop, Cursor AI
Web Applications: REST API integration
Automation: CI/CD, scripts, tools
Enterprise: Secrets management, compliance

🤖 AI Assistant Integration

Claude Desktop

{
  "mcpServers": {
    "thales-csm": {
      "command": "python",
      "args": ["main.py", "--transport", "stdio"],
      "env": {
        "AKEYLESS_ACCESS_ID": "your_access_id_here",
        "AKEYLESS_ACCESS_KEY": "your_access_key_here",
        "AKEYLESS_API_URL": "https://your-ciphertrust-manager/akeyless-api/v2",
        "LOG_LEVEL": "INFO"
      }
    }
  }
}

Cursor AI

{
  "mcpServers": {
    "thales-csm": {
      "command": "python",
      "args": ["main.py", "--transport", "stdio"],
      "env": {
        "AKEYLESS_ACCESS_ID": "your_access_id_here",
        "AKEYLESS_ACCESS_KEY": "your_access_key_here",
        "AKEYLESS_API_URL": "https://your-ciphertrust-manager/akeyless-api/v2",
        "LOG_LEVEL": "INFO"
      }
    }
  }
}

Configuration Parameters

env: Environment variables for Akeyless authentication and logging
command: Python executable to run the server
args: Command line arguments for the server

⚠️ Important Notes

Full Path Required: args must include the full absolute path to main.py
Windows Paths: Use double backslashes \\ in Windows paths (e.g., C:\\thales-cdsp-csm-mcp-server\\main.py)
Unix Paths: Use forward slashes / in Unix/Linux paths (e.g., /home/user/thales-cdsp-csm-mcp-server/main.py)

Configuration Templates

config/mcp-config-uv.json - UV package manager setup
config/mcp-config.json - Basic configuration template

🤝 Support

Issues: GitHub Issues
Documentation: Check the docs folder above

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

Name		Name	Last commit message	Last commit date
Latest commit History 49 Commits
config		config
docs		docs
src/thales_cdsp_csm_mcp_server		src/thales_cdsp_csm_mcp_server
tests		tests
.env.example		.env.example
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
main.py		main.py
pyproject.toml		pyproject.toml
requirements.txt		requirements.txt

License

sanyambassi/thales-cdsp-csm-mcp-server

Folders and files

Latest commit

History

Repository files navigation