See also: Secret
Charms can use relations to share secrets, such as API keys, a database’s address, credentials and so on. This document demonstrates how to interact with them as a Juju user.
The write operations are only available (a) starting with Juju 3.3 and (b) to model admin users looking to manage user-owned secrets. See more: Secret.
Contents:
- Add a secret
- View all the available secrets
- View details about a secret
- Grant access to a secret
- Update a secret
- Remove a secret
Add a secret
To add a secret, run the add-secret command followed by a secret name and a (space-separated list of) key-value pair(s). For example:
juju add-secret dbpassword foo=bar
The command also allows you to specify the type of key, whether you want to supply its value from a file, whether you want to give it a label, etc.
See more: juju add-secret
To add a secret on the controller specified in the juju provider definition, in your Terraform plan create a resource of the juju_secret type, specifying, at the very least, a model, the name of the secret, a values map and, optionally, an info field. For example:
resource "juju_secret" "my-secret" {
  model = juju_model.development.name
  name  = "my_secret_name"
  value = {
    key1 = "value1"
    key2 = "value2"
  }
  info = "<description of the secret>"
}
See more: juju_secret (resource)
View all the available secrets
To view all the secrets available in a model, run:
juju secrets
You can also add options to specify an output format, a model other than the current model, an owner, etc.
See more: juju secrets
The terraform juju client does not support this. Please use the juju client.
View details about a secret
To drill down into a secret, run the show-secret command followed by the secret name or ID. For example:
juju show-secret 9m4e2mr0ui3e8a215n4g
You can also add options to specify the format, the revision, whether to reveal the value of a secret, etc.
See more: juju show-secret
The terraform juju client does not support this. Please use the juju client.
Grant access to a secret
To grant an application access to a secret, run the grant-secret command followed by the secret name or ID and by the name of the application. For example:
juju grant-secret dbpassword mysql
For the application to be able to use the secret, it must be configured with the secret URI. A given charm may not have a configuration option for a secret.
See more: juju grant-secret
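The add, grant and configure steps above chained into one function, as an added example that is not part of the Juju documentation. It assumes that add-secret's --file option takes a YAML file of key values and that add-secret prints the new secret's URI on stdout; the function name provision_secret and the charm config option passed as the third argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Juju documentation.
# provision_secret and the config option name passed in are hypothetical.

# Usage: provision_secret NAME APP CONFIG_OPTION < values.yaml
# stdin carries the secret content as YAML ("key: value" lines), so the
# values never appear in argv (process listing) or in shell history.
provision_secret() {
    ps_name=$1 ps_app=$2 ps_option=$3

    # mktemp creates the file with mode 0600 (owner read/write only).
    ps_tmp=$(mktemp) || return 1
    cat > "$ps_tmp"

    # add-secret prints the new secret's URI (secret:<id>) on stdout.
    if ! ps_uri=$(juju add-secret "$ps_name" --file "$ps_tmp"); then
        rm -f "$ps_tmp"
        return 1
    fi
    rm -f "$ps_tmp"

    # Refuse to continue if the output is not a secret URI.
    case $ps_uri in
        secret:*) ;;
        *) echo "unexpected add-secret output: $ps_uri" >&2; return 1 ;;
    esac

    # Grant only the named application, then hand it the URI (not the
    # value) through its configuration.
    juju grant-secret "$ps_name" "$ps_app" || return 1
    juju config "$ps_app" "$ps_option=$ps_uri" || return 1

    printf '%s\n' "$ps_uri"
}
```

Only the secret URI reaches the application's configuration; the application reads the content itself once access has been granted.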
Given a model that contains both your secret and the application(s) that you want to grant access to, to grant the application(s) access to the secret, in your Terraform plan create a resource of the juju_access_secret type, specifying the model, the secret ID, and the application(s) that you wish to grant access to. For example:
resource "juju_access_secret" "my-secret-access" {
  model = juju_model.development.name
  # Use the secret_id from your secret resource or data source.
  secret_id = juju_secret.my-secret.secret_id
  applications = [
    juju_application.app.name, juju_application.app2.name
  ]
}
See more: juju_access_secret (resource)
Update a secret
This feature is opt-in because Juju automatically removing secret content might result in data loss.
To update a secret, run the update-secret command followed by the secret ID and the updated (space-separated list of) key-value pair(s). For example:
juju update-secret secret:9m4e2mr0ui3e8a215n4g token=34ae35facd4
See more: juju update-secret
To update a secret, update its resource definition from your Terraform plan.
Remove a secret
To remove all the revisions of a secret, run the remove-secret command followed by the secret ID. For example:
juju remove-secret secret:9m4e2mr0ui3e8a215n4g
The command also allows you to specify a model or to provide a specific revision to remove instead of all revisions (the default).
See more: juju remove-secret
To remove a secret, remove its resource definition from your Terraform plan.
Contributors: @anvial, @kelvin.liu, @wallyworld