How to manage secret backends
See also: Secret backend
Starting with Juju 3.1.0, you can also manage secret backends in a number of ways.
Contents:
- Configure a secret backend
- Add a secret backend to a model
- View all the secret backends available on a controller
- View all the secret backends active in a model
- Change the secret backend to be used by a model
- View details about a secret backend
- Update a secret backend
- Remove a secret backend
Configure a secret backend
To configure a secret backend, create a configuration YAML file with the configuration keys supported by your chosen backend type. Below we create a minimal configuration file for a backend of type vault, so we name the file vault_config.yaml and specify the API endpoint and the access token.
Currently this is possible only for vault.
A minimal vault backend configuration like the one below is not secure. For production you should configure your vault backend securely by specifying further configuration keys, following the list of supported keys and recommendations from the upstream Vault documentation.
cat > vault_config.yaml <<EOF
endpoint: http://10.0.0.1:8200
token: s.eujhj
EOF
That’s it. You can now start using this backend by adding it to a model.
See more: Secret backend > Configuration options
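The minimal file above uses a plaintext http:// endpoint and, when written with a default umask, leaves the token readable by other local users. As an added example (not part of the Juju documentation or tooling), the shell functions below lint such a file before it is passed to add-secret-backend and write one with owner-only permissions; the function names check_backend_cfg and write_backend_cfg are hypothetical, and only the endpoint and token keys shown on this page are inspected.

```shell
#!/bin/sh
# Added example: pre-flight lint for a Juju vault backend config file.
# Function names are hypothetical; only "endpoint" and "token" are checked.

# Print one finding per line; return 1 if anything was found, 2 if no file.
check_backend_cfg() {
    cfg=$1
    findings=0

    [ -f "$cfg" ] || { echo "missing: $cfg"; return 2; }

    # Group/other permission bits, e.g. "r--r--" for mode 0644.
    perms=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "perms: $cfg is accessible to group/other ($perms) and holds the token"
        findings=1
    fi

    # First top-level "endpoint:" value, with quotes and whitespace stripped.
    endpoint=$(sed -n 's/^endpoint:[[:space:]]*//p' "$cfg" | head -n 1 | tr -d "\"' \t\r")
    case $endpoint in
        https://*) ;;
        http://*) echo "endpoint: $endpoint is plaintext HTTP, token is sent unencrypted"
                  findings=1 ;;
        "")       echo "endpoint: key not found"; findings=1 ;;
        *)        echo "endpoint: $endpoint has no https:// scheme"; findings=1 ;;
    esac

    # The token must be present; its value is never echoed.
    if ! grep -q '^token:[[:space:]]*[^[:space:]]' "$cfg"; then
        echo "token: key missing or empty"
        findings=1
    fi

    return $findings
}

# Write a config that is owner-only from the moment it is created.
# Usage: write_backend_cfg FILE ENDPOINT TOKEN
write_backend_cfg() {
    ( umask 077
      printf 'endpoint: %s\ntoken: %s\n' "$2" "$3" > "$1" )
}
```

Run check_backend_cfg vault_config.yaml before adding the backend; a zero exit status means neither of the two weaknesses was found, not that the backend is fully hardened.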
Add a secret backend to a model
To add a secret backend to a model, run the add-secret-backend command followed by your desired name and type for the backend, as well as any relevant options:
juju add-secret-backend myvault vault token-rotate=10m --config /path/to/cfg.yaml
See more: juju add-secret-backend, Secret backend > Name, Secret backend > Type, Secret backend > Configuration options
View all the secret backends available on a controller
To view all the backends available in the controller, run the secret-backends command:
juju secret-backends
Sample output:
Backend    Type        Secrets  Message
internal   controller  134
foo-local  kubernetes  30
bar-local  kubernetes  30
myvault    vault       20       sealed
The command also has options that let you specify a controller, set an output format or an output file, or reveal sensitive backend configuration content.
See more: juju secret-backends
View all the secret backends active in a model
To see all the secret backends in use on a model, use the show-model command. Beginning with Juju 3.1, this command also shows the secret backends (though you might have to scroll down to the end).
juju show-model
Sample output:
mymodel:
  name: admin/mymodel
  short-name: mymodel
  model-uuid: deadbeef-0bad-400d-8000-4b1d0d06f00d
  model-type: iaas
  controller-uuid: deadbeef-1bad-500d-9000-4b1d0d06f00d
  controller-name: kontroll
  owner: admin
  cloud: aws
  region: us-east-1
  type: ec2
  life: alive
  status:
    current: available
  users:
    admin:
      display-name: admin
      access: admin
      last-connection: just now
  machines:
    "0":
      cores: 0
    "1":
      cores: 2
  secret-backends:
    myothersecrets:
      status: active
      secrets: 6
    mysecrets:
      status: draining
      secrets: 5
See more: juju show-model
Change the secret backend to be used by a model
To change the secret backend to be used by a model, use the model-config command with the secret-backend key configured to the name of the secret backend that you want to use, for example, myothersecrets:
juju model-config secret-backend=myothersecrets
After the switch, any new secret revisions are stored in the new backend. Existing revisions continue to be read from the old backend.
See more: How to configure a model, List of model configuration keys > secret-backend
View details about a secret backend
To view details about a particular secret backend, use the show-secret-backend command followed by the name of the secret backend. For example, for a secret backend called myvault, do:
juju show-secret-backend myvault
By passing various options you can also specify a controller, an output format, an output file, or whether to reveal sensitive information.
See more: juju show-secret-backend
Update a secret backend
To update a secret backend on the controller, run the update-secret-backend command followed by the name of the secret backend. Below we update the backend by supplying a configuration from a file:
juju update-secret-backend myvault --config /path/to/cfg.yaml
See more: juju update-secret-backend
Remove a secret backend
To remove a secret backend, use the remove-secret-backend command followed by the backend name:
juju remove-secret-backend myvault
See more: juju remove-secret-backend