thales-cdsp-csm-mcp-server

MCP server for Thales CipherTrust Secrets Management (powered by Akeyless) enabling secrets, DFC keys, authentication methods, roles, targets, analytics management, and intelligent app development with hardcoded secret migration.

Thales CSM MCP Server

Simple MCP server for Thales CipherTrust Secrets Management, powered by Akeyless.

🎬 Demo Videos

📹 Part I: Usage & Functionality - Watch on YouTube

This video demonstrates:

  • Setting up Cursor AI integration
  • Creating and managing secrets and DFC Keys through AI chat
  • Security compliance workflows
  • Example prompts and functionality

📹 Part II: Deployment & Installation - Watch on YouTube

This video covers:

  • Step-by-step installation process
  • Configuration and setup
  • Deployment options

🎯 Key Features

Intelligent App Development & Security Migration

The server includes a powerful prompt that automatically determines whether you want to:

  • Create a NEW app with built-in CipherTrust integration
  • Secure an EXISTING app by migrating hardcoded secrets to CipherTrust

For New Apps:

  • Generates complete Python implementations with CipherTrust integration
  • Uses the get_api_reference tool for native API integration
  • Provides production-ready code with proper error handling

For Existing Apps:

  • Scans codebase for hardcoded secrets using intelligent detection
  • Categorizes secrets by type (key-value pairs vs standalone)
  • Uses manage_secrets MCP tool to create CipherTrust secrets
  • Generates migration reports and updated code
  • Provides testing and validation instructions

Secret Type Classification:

  • Key-Value Pairs/JSON format: AWS credentials, database configs, OAuth tokens
  • Standalone Secrets (Text format): Single passwords, individual tokens, certificates
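The classification above, sketched as an added example (not the server's own detection or migration code): it finds string literals assigned to secret-looking names in Python source, then plans one JSON secret per credential set and one text secret per standalone value. The name hints, the grouping prefixes and the sample module are assumptions constructed for illustration.

```python
import ast

# Assumed heuristics for this sketch; not the server's own detection rules.
SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key", "access_key")
GROUP_PREFIXES = ("aws_", "db_", "oauth_")  # names sharing a prefix form one set

def find_hardcoded(source):
    """Map variable name -> string literal for secret-looking assignments."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name):
                name = target.id.lower()
                if name.startswith(GROUP_PREFIXES) or any(h in name for h in SECRET_HINTS):
                    found[target.id] = node.value.value
    return found

def plan_migration(found):
    """Return a report of names only (never values): format plus member fields."""
    groups, plan = {}, []
    for name in found:
        prefix = next((p for p in GROUP_PREFIXES if name.lower().startswith(p)), None)
        groups.setdefault(prefix, []).append(name)
    for prefix, names in groups.items():
        if prefix and len(names) > 1:
            plan.append({"secret": prefix.rstrip("_"), "format": "json", "fields": sorted(names)})
        else:  # ungrouped, or a set of one: each value becomes its own text secret
            plan += [{"secret": n.lower(), "format": "text", "fields": [n]} for n in names]
    return sorted(plan, key=lambda entry: entry["secret"])

# Constructed sample of an application module with hardcoded credentials.
SAMPLE = '''
AWS_ACCESS_KEY_ID = "constructed-access-id"
AWS_SECRET_ACCESS_KEY = "constructed-secret-key"
DB_HOST = "db.example.internal"
DB_PASSWORD = "constructed-db-pass"
SMTP_PASSWORD = "constructed-smtp-pass"
OAUTH_TOKEN = "constructed-oauth-token"
PAGE_SIZE = "50"
'''

if __name__ == "__main__":
    for entry in plan_migration(find_hardcoded(SAMPLE)):
        print(entry)
```

The plan lists variable names only, so it can be attached to a migration report without repeating the secret values.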

📋 Prerequisites

Before you begin, ensure you have the following installed on your system:

  • Python 3.8+: Required for running the MCP server
  • uv: Modern Python package manager (recommended) or pip
  • git: For cloning the repository
  • dotenv: Environment variable management
  • fastmcp: MCP server framework
  • Thales CipherTrust Manager access
  • Valid Akeyless credentials

Installing Prerequisites

Python

# Check if Python is installed
python --version
# or
python3 --version

# Install Python (Ubuntu/Debian)
sudo apt update && sudo apt install python3 python3-pip

# Install Python (macOS)
brew install python

# Install Python (Windows)
# Download from https://python.org

uv (Recommended)

# Install uv
pip install uv

# Verify installation
uv --version

git

# Check if git is installed
git --version

# Install git (Ubuntu/Debian)
sudo apt update && sudo apt install git

# Install git (macOS)
brew install git

# Install git (Windows)
# Download from https://git-scm.com

dotenv

# Check if python-dotenv is installed
python -c "import dotenv; print('dotenv available')"

# Install python-dotenv
pip install python-dotenv

# Verify installation
python -c "from importlib.metadata import version; print('dotenv version:', version('python-dotenv'))"

fastmcp

# Check if fastmcp is installed
python -c "import fastmcp; print('fastmcp available')"

# Install fastmcp
pip install fastmcp

# Verify installation
python -c "import fastmcp; print(f'fastmcp version: {fastmcp.__version__}')"

🚀 What this MCP server features

  • Secrets Management: Create, read, update, delete secrets
  • DFC Key Management: DFC encryption keys (AES, RSA)
  • Account Management: Get Akeyless account details
  • Analytics: Fetch analytics data
  • Authentication Methods: Manage Authentication Methods
  • App Development & Security: Intelligent app creation and secret migration
  • Roles: Manage Roles
  • Targets: Manage Targets
  • Security: Guidelines and best practices
  • MCP Protocol: Model Context Protocol compliance

Quick Start

1. Install

Option A: Using pip (Traditional)

git clone https://github.com/sanyambassi/thales-cdsp-csm-mcp-server
cd thales-cdsp-csm-mcp-server
pip install -r requirements.txt

Option B: Using uv (Recommended)

# Install uv if you don't have it
pip install uv

# Clone and setup
git clone https://github.com/sanyambassi/thales-cdsp-csm-mcp-server
cd thales-cdsp-csm-mcp-server

# Install dependencies (creates .venv automatically)
uv sync

2. Configure

Create a .env file:

AKEYLESS_ACCESS_ID=your_access_id
AKEYLESS_ACCESS_KEY=your_access_key
AKEYLESS_API_URL=https://your-ciphertrust-manager/akeyless-api/v2
LOG_LEVEL=INFO
# false turns off TLS certificate verification for the API connection
AKEYLESS_VERIFY_SSL=false

3. Run

Using pip (Traditional)

# stdio mode
python main.py

# HTTP mode 
python main.py --transport streamable-http --host localhost --port 8000

Using uv (Recommended)

# stdio mode
uv run python main.py

# HTTP mode 
uv run python main.py --transport streamable-http --host localhost --port 8000

🛠️ Available Tools

| Tool | Description |
|------|-------------|
| manage_secrets | Create static secrets, get static secret values, update, delete secrets (static, dynamic, rotated) with type filtering and dynamic secret creation |
| manage_dfc_keys | Manage encryption keys |
| manage_auth_methods | Authentication and access control |
| manage_rotation | Secret rotation policies |
| manage_customer_fragments | Enhanced security features |
| security_guidelines | Security best practices |
| manage_roles | List and get role information |
| manage_targets | List, get, and create targets |
| manage_analytics | Get analytics and monitoring data |
| manage_account | Get account settings and licensing |
| get_api_reference | Get API reference for native Akeyless integrations (generic workflows + S3 example) |

🔍 Test It

# Run tests
python tests/run_tests.py
python tests/test_mcp_protocol.py

# Test health endpoint (HTTP mode)
curl http://localhost:8000/health

📚 Documentation

🎯 Use Cases

  • AI Assistants: Claude Desktop, Cursor AI
  • Web Applications: REST API integration
  • Automation: CI/CD, scripts, tools
  • Enterprise: Secrets management, compliance

🤖 AI Assistant Integration

Claude Desktop

{
  "mcpServers": {
    "thales-csm": {
      "command": "python",
      "args": ["main.py", "--transport", "stdio"],
      "env": {
        "AKEYLESS_ACCESS_ID": "your_access_id_here",
        "AKEYLESS_ACCESS_KEY": "your_access_key_here",
        "AKEYLESS_API_URL": "https://your-ciphertrust-manager/akeyless-api/v2",
        "LOG_LEVEL": "INFO"
      }
    }
  }
}

Cursor AI

{
  "mcpServers": {
    "thales-csm": {
      "command": "python",
      "args": ["main.py", "--transport", "stdio"],
      "env": {
        "AKEYLESS_ACCESS_ID": "your_access_id_here",
        "AKEYLESS_ACCESS_KEY": "your_access_key_here",
        "AKEYLESS_API_URL": "https://your-ciphertrust-manager/akeyless-api/v2",
        "LOG_LEVEL": "INFO"
      }
    }
  }
}

Configuration Parameters

  • env: Environment variables for Akeyless authentication and logging
  • command: Python executable to run the server
  • args: Command line arguments for the server

⚠️ Important Notes

  • Full Path Required: args must include the full absolute path to main.py
  • Windows Paths: Use double backslashes \\ in Windows paths (e.g., C:\\thales-cdsp-csm-mcp-server\\main.py)
  • Unix Paths: Use forward slashes / in Unix/Linux paths (e.g., /home/user/thales-cdsp-csm-mcp-server/main.py)
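A pre-flight check for the settings shown in the Quick Start .env file and in the client configurations above, as an added example that is not part of the project: it reports missing or placeholder credentials, a non-HTTPS API URL, disabled certificate verification, and a relative main.py path. The function names and sample values are constructed for illustration.

```python
import json
import ntpath
import posixpath
from urllib.parse import urlparse

REQUIRED = ("AKEYLESS_ACCESS_ID", "AKEYLESS_ACCESS_KEY", "AKEYLESS_API_URL")

def parse_dotenv(text):
    """Minimal KEY=VALUE reader; blank lines and # comments are skipped."""
    pairs = (line.partition("=") for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, _, v in pairs}

def audit_env(env):
    """Findings for a .env or client env block; the "off" spellings are assumed."""
    findings = []
    for key in REQUIRED:
        value = env.get(key, "")
        if not value:
            findings.append(f"{key}: missing")
        elif "your_" in value or "your-" in value:
            findings.append(f"{key}: template placeholder not replaced")
    url = env.get("AKEYLESS_API_URL", "")
    if url and urlparse(url).scheme != "https":
        findings.append("AKEYLESS_API_URL: not https")
    if env.get("AKEYLESS_VERIFY_SSL", "").strip().lower() in ("false", "0", "no"):
        findings.append("AKEYLESS_VERIFY_SSL: certificate verification is off")
    return findings

def audit_client_config(text):
    """Audit each mcpServers entry: env settings plus the main.py path rule."""
    report = {}
    for name, server in json.loads(text).get("mcpServers", {}).items():
        issues = audit_env(server.get("env", {}))
        for arg in server.get("args", []):
            if ntpath.basename(arg) == "main.py" and not (
                    ntpath.isabs(arg) or posixpath.isabs(arg)):
                issues.append("args: main.py is not an absolute path")
        report[name] = issues
    return report

# Constructed inputs: weak transport settings and a relative script path.
SAMPLE_ENV = """AKEYLESS_ACCESS_ID=p-constructed0001
AKEYLESS_ACCESS_KEY=constructed-access-key
AKEYLESS_API_URL=http://cm.example.internal/akeyless-api/v2
AKEYLESS_VERIFY_SSL=false
"""
SAMPLE_CLIENT = json.dumps({"mcpServers": {"thales-csm": {
    "args": ["main.py", "--transport", "stdio"], "env": parse_dotenv(SAMPLE_ENV)}}})
```

Both path styles from the notes above pass the check, because the path is tested against Windows and POSIX rules regardless of the host it runs on.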

Configuration Templates

🤝 Support

  • Issues: GitHub Issues
  • Documentation: Check the docs folder above

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.
