See also: Secret
Charms can use relations to share secrets, such as API keys, a database’s address, credentials and so on. This document demonstrates how to interact with them as a Juju user.
The write operations are only available (a) starting with Juju 3.3 and (b) to model admin users looking to manage user-owned secrets. See more: Secret.
Contents:
- Add a secret
- View all the available secrets
- View details about a secret
- Grant access to a secret
- Update a secret
- Remove a secret
Add a secret
To add a (user) secret, run the add-secret command followed by a secret name and a (space-separated list of) key-value pair(s). This will return a secret ID. For example:
$ juju add-secret dbpassword foo=bar
secret:copp9vfmp25c77di8nm0
The command also allows you to specify the type of key, whether you want to supply its value from a file, whether you want to give it a label, etc.
See more: juju add-secret
To add a (user) secret on the controller specified in the juju provider definition, in your Terraform plan create a resource of the juju_secret type, specifying, at the very least, a model, the name of the secret, a value map (the key-value pairs) and, optionally, an info field. For example:
resource "juju_secret" "my-secret" {
  model = juju_model.development.name
  name  = "my_secret_name"
  value = {
    key1 = "value1"
    key2 = "value2"
  }
  info = "<description of the secret>"
}
See more: juju_secret (resource)
To add a (user) secret, on a connected Model, use the add_secret() method, passing the name of the secret and the data as arguments. For example:
await model.add_secret(name='my-apitoken', data_args=['token=34ae35facd4'])
See more: add_secret(), Model (module)
View all the available secrets
To view all the (user and charm) secrets available in a model, run:
juju secrets
You can also add options to specify an output format, a model other than the current model, an owner, etc.
See more: juju secrets
The terraform juju client does not support this. Please use the juju client.
To view all the (user and charm) secrets available in a model, on a connected Model, use the list_secrets() method. For example:
await model.list_secrets()
See more: list_secrets(), Model (module)
View details about a secret
To drill down into a (user or charm) secret, run the show-secret command followed by the secret name or ID. For example:
juju show-secret 9m4e2mr0ui3e8a215n4g
You can also add options to specify the format, the revision, whether to reveal the value of a secret, etc.
See more: juju show-secret
The terraform juju client does not support this. Please use the juju client.
The python-libjuju client does not currently support this. Please use the juju client.
Grant access to a secret
Given a charm that has a configuration option that allows it to be configured with a user secret, to grant the application deployed from it access to the secret, run the grant-secret command followed by the secret name or ID and by the name of the application. For example:
juju grant-secret dbpassword mysql
Note that this only gives the application permission to use the secret, so you must follow up by giving the application the secret itself, by setting its relevant secret-relation configuration option to the secret URI:
juju config <application> <option>=<secret URI>
See more: juju grant-secret
Given a model that contains both your (user) secret and the application(s) that you want to grant access to, to grant the application(s) access to the secret, in your Terraform plan create a resource of the juju_access_secret type, specifying the model, the secret ID, and the application(s) that you wish to grant access to. For example:
resource "juju_access_secret" "my-secret-access" {
  model = juju_model.development.name
  # Use the secret_id from your secret resource or data source.
  secret_id = juju_secret.my-secret.secret_id
  applications = [
    juju_application.app.name, juju_application.app2.name
  ]
}
See more: juju_access_secret (resource)
Given a model that contains both your (user) secret and the application(s) that you want to grant access to, to grant the application(s) access to the secret, on a connected Model, use the grant_secret() method, passing the name of the secret and the application name as arguments. For example:
await model.grant_secret('my-apitoken', 'ubuntu')
Similarly, you can use the revoke_secret() method to revoke access to a secret for an application. For example:
await model.revoke_secret('my-apitoken', 'ubuntu')
See more: grant_secret(), revoke_secret(), Model (module)
Update a secret
Automatic pruning of old secret revisions is opt-in, because Juju automatically removing secret content might result in data loss.
To update a (user) secret, run the update-secret command followed by the secret ID and the updated (space-separated list of) key-value pair(s). For example:
juju update-secret secret:9m4e2mr0ui3e8a215n4g token=34ae35facd4
See more: juju update-secret
To update a (user) secret, update its resource definition from your Terraform plan.
To update a (user) secret, on a connected Model, use the update_secret() method, passing the name of the secret and the updated info arguments. You may pass in data_args, new_name, file and info to update the secret (check out the documentation for details). For example:
await model.update_secret(name='my-apitoken', new_name='new-token')
See more: update_secret(), Model (module)
Remove a secret
To remove all the revisions of a (user) secret, run the remove-secret command followed by the secret ID. For example:
juju remove-secret secret:9m4e2mr0ui3e8a215n4g
The command also allows you to specify a model, or to provide a specific revision to remove instead of the default of all revisions.
See more: juju remove-secret
To remove a secret, remove its resource definition from your Terraform plan.
To remove a secret from a model, on a connected Model, use the remove_secret() method, passing the name of the secret as an argument. For example:
# Remove all the revisions of a secret
await model.remove_secret('my-apitoken')
# Remove revision 2 of a secret
await model.remove_secret('my-apitoken', revision=2)
See more: remove_secret(), Model (module)
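The add, grant, wire-by-config, rotate and remove sequence described in the sections above, put together as an added python-libjuju example (not code from the Juju docs or the python-libjuju project). It assumes add_secret() returns the new secret's URI as the CLI does, an application named mysql whose charm exposes a secret-typed config option named db-password, and a controller you are already logged in to; the key-value checks and the URI pattern are this example's own, derived from the IDs shown on this page.

```python
import asyncio
import re
# URI form add-secret returns (assumed from this page's examples: 20-char lowercase id).
_SECRET_URI = re.compile(r"^secret:[a-z0-9]{20}$")

def is_secret_uri(value):
    """True if value looks like a Juju secret URI rather than a bare name."""
    return bool(_SECRET_URI.match(value))

def data_args(values):
    """Build the key=value list python-libjuju expects, refusing keys that
    contain '=' (the pair would split wrongly) and empty keys or values."""
    args = []
    for key, val in values.items():
        if not key or "=" in key or not val:
            raise ValueError(f"bad secret entry: {key!r}")
        args.append(f"{key}={val}")
    return args

async def provision(model, name, app, option, values):
    """Add the secret, grant app access, then deliver the URI via app's config."""
    uri = await model.add_secret(name=name, data_args=data_args(values))
    if not is_secret_uri(uri):
        raise RuntimeError(f"unexpected add_secret result: {uri!r}")
    await model.grant_secret(name, app)                      # permission only
    await model.applications[app].set_config({option: uri})  # delivery
    return uri

async def rotate(model, name, values):
    """Write a new revision of the secret's content under the same name."""
    await model.update_secret(name=name, data_args=data_args(values))

async def retire(model, name, app):
    """Revoke the grant first so none is left dangling, then remove all revisions."""
    await model.revoke_secret(name, app)
    await model.remove_secret(name)

async def main():
    from juju.model import Model  # imported here so the helpers above need no controller
    model = Model()
    await model.connect()  # current controller and model, as the CLI would use
    try:
        await provision(model, "dbpassword", "mysql", "db-password", {"password": "initial-value"})
        await rotate(model, "dbpassword", {"password": "rotated-value"})  # constructed sample values
        await retire(model, "dbpassword", "mysql")
    finally:
        await model.disconnect()

if __name__ == "__main__":
    asyncio.run(main())
```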
Contributors: @anvial, @cderici, @kelvin.liu, @tmihoc, @tony-meyer, @wallyworld