How to manage secret backends
See also: Secret backend
Starting with Juju 3.1.0, you can also manage secret backends in a number of ways.
- Configure a secret backend
- Add a secret backend to a model
- View all the secret backends available on a controller
- View all the secret backends active in a model
- Change the secret backend to be used by a model
- View details about a secret backend
- Update a secret backend
- Remove a secret backend
To configure a secret backend, create a configuration YAML file containing the configuration supported by your chosen backend type. Below we create a minimal configuration file for a backend of type vault, so we name the file vault_config.yaml and specify the API endpoint and the access token.
Currently this is possible only for
The vault backend configuration as below is not secure. For production you should configure your vault backend securely by specifying further configuration keys, following the list of supported keys and recommendations from the upstream Vault documentation.
cat > vault_config.yaml <<EOF
endpoint: http://10.0.0.1:8200
token: s.eujhj
EOF
That’s it. You can now start using this backend by adding it to a model.
See more: Secret backend > Configuration options
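The note above says the minimal configuration is not secure. As an added example (not part of the Juju documentation), the script below flags two problems with that file: a plaintext http endpoint and a token file readable by other local users. check_vault_config is a hypothetical helper name, the hostname vault.example.internal and the token PLACEHOLDER_TOKEN are constructed placeholders, the 0644 mode is an assumed typical default, and only the endpoint and token keys shown on this page are inspected.

```bash
#!/usr/bin/env bash
# Added example: lint a vault backend config file before handing it to
# `juju add-secret-backend`. Only the two keys shown on the page are inspected.

# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
check_vault_config() {
    local file="$1" findings=0 endpoint token mode
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    # Top-level "key: value" lines; strip quotes and spaces around the value.
    endpoint=$(sed -n 's/^endpoint:[[:space:]]*//p' "$file" | tr -d "\"' ")
    token=$(sed -n 's/^token:[[:space:]]*//p' "$file" | tr -d "\"' ")
    case $endpoint in
        https://*) ;;
        http://*) echo "endpoint uses plain HTTP: the token and secrets travel unencrypted"
                  findings=$((findings + 1)) ;;
        *)        echo "endpoint is missing or is not an http(s) URL"
                  findings=$((findings + 1)) ;;
    esac
    if [ -z "$token" ]; then
        echo "token is empty"
        findings=$((findings + 1))
    fi
    # The file holds a bearer token, so group and other need no access bits.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        *00) ;;
        *) echo "file mode $mode exposes the token to other local users"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample 1: the page's minimal config, with an assumed 0644 mode.
workdir=$(mktemp -d)
printf 'endpoint: http://10.0.0.1:8200\ntoken: s.eujhj\n' > "$workdir/vault_config.yaml"
chmod 644 "$workdir/vault_config.yaml"

# Constructed sample 2: TLS endpoint (hypothetical hostname), placeholder
# token, file created owner-only via umask.
( umask 077
  printf 'endpoint: https://vault.example.internal:8200\ntoken: PLACEHOLDER_TOKEN\n' \
      > "$workdir/vault_config_tls.yaml" )

for f in "$workdir"/vault_config*.yaml; do
    echo "== ${f##*/}"
    check_vault_config "$f" || echo "-> fix before running juju add-secret-backend"
done
```
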
To add a secret backend to a model, run the add-secret-backend command followed by your desired name and type for the backend, as well as any relevant options:
juju add-secret-backend myvault vault token-rotate=10m --config /path/to/cfg.yaml
To view all the backends available in the controller, run the
Sample output:
Backend    Type        Secrets  Message
internal   controller  134
foo-local  kubernetes  30
bar-local  kubernetes  30
myvault    vault       20       sealed
The command also has options that allow you to filter by a specific controller, set an output format or an output file, or reveal sensitive backend config content.
To see all the secret backends in use on a model, use the show-model command. Beginning with Juju 3.1, this command also shows the secret backends (though you might have to scroll down to the end).
Sample output:
mymodel:
  name: admin/mymodel
  short-name: mymodel
  model-uuid: deadbeef-0bad-400d-8000-4b1d0d06f00d
  model-type: iaas
  controller-uuid: deadbeef-1bad-500d-9000-4b1d0d06f00d
  controller-name: kontroll
  owner: admin
  cloud: aws
  region: us-east-1
  type: ec2
  life: alive
  status:
    current: available
  users:
    admin:
      display-name: admin
      access: admin
      last-connection: just now
  machines:
    "0":
      cores: 0
    "1":
      cores: 2
  secret-backends:
    myothersecrets:
      status: active
      secrets: 6
    mysecrets:
      status: draining
      secrets: 5
To change the secret backend to be used by a model, use the model-config command with the secret-backend key configured to the name of the secret backend that you want to use, for example:
juju model-config secret-backend=myothersecrets
After the switch, any new secret revisions are stored in the new backend. Existing revisions continue to be read from the old backend.
To view details about a particular secret backend, use the show-secret-backend command followed by the name of the secret backend. For example, for a secret backend called myvault:
juju show-secret-backend myvault
By passing various options you can also specify a controller, an output format, an output file, or whether to reveal sensitive information.
To update a secret backend on the controller, run the update-secret-backend command followed by the name of the secret backend. Below we update the backend by supplying a configuration from a file:
juju update-secret-backend myvault --config /path/to/cfg.yaml
To remove a secret backend, use the remove-secret-backend command followed by the backend name:
juju remove-secret-backend myvault
Last updated 9 months ago.