How to add a cloud credential to the Juju client

Parent page: How to manage credentials

Juju supports three methods for adding credentials:

  • Manually providing credentials via an interactive session with the command line client.
  • Auto-detecting credentials by scanning environment variables and/or “rc” files (only supported for certain providers).
  • Importing credentials from a user-provided, YAML-formatted file.

A local LXD cloud is a special case. When accessed from a Juju admin user, a credential does not need to be added—a 10-yr certificate is automatically set up for you. However, when accessed from a non-admin user, this is not the case. See Additional LXD resources for details.

The Juju client stores any added credentials into $HOME/.local/share/juju/credentials.yaml.

Contents:

Use the interactive method

See also: juju add-credential

The add-credential command can be used to add credentials via an interactive session. For example, to add a credential for an AWS cloud:

juju add-credential aws

Note that credentials can be added to the local client, the currently active controller, or both. The interactive session will display a prompt asking you to select the preferred location for storing the credentials:

This operation can be applied to both a copy on this client and to the one on a controller.
Do you want to add a credential to:
    1. client only (--client)
    2. controller "test" only (--controller mycontroller)
    3. both (--client --controller mycontroller)
Enter your choice, or type Q|q to quit:

Depending on the selected cloud type, the interactive session will then ask a set of questions to collect all the required information for accessing that particular cloud. For instance, the interactive session for adding an AWS credential looks as follows:

Enter credential name: carol

Using auth-type "access-key".

Enter access-key: AKBAICUYUPFXID2GHC5S

Enter secret-key:

Credential "carol" added locally for cloud "aws".

The Juju client allows multiple credentials to be registered for the same cloud. In this case, one of them must be selected as the default. For more information on selecting the default credential for a cloud, consult the instructions in the Setting the default credential for a cloud section.

Use the auto-detection method

See also: juju autoload-credentials

A common pattern used by the set of command line tools that many cloud providers offer as part of their software development kits (SDKs) is to allow users to specify their credentials either via environment variables or via files (colloquially known as “rc” files) that are stored in known, predefined locations.

Juju can auto-detect credentials defined in this fashion for Amazon AWS, Google GCE, and OpenStack using the autoload-credentials command:

juju autoload-credentials

When the above command is executed, Juju will scan the environment variables and, for each detected credential, display a prompt asking you to confirm the addition of the credential and to specify a name for it.

If the cloud credential ever changes, the above process will need to be repeated so that Juju can pick up the updated credential.

Finally, the autoload-credentials command may also be used to generate a certificate for local LXD clouds; this is a requirement when providing access to non-admin Juju users. See Additional LXD resources.

Use a YAML file

See also: juju add-credential ... -f ...

YAML-formatted files provide a way for bulk-importing credentials for one or more clouds. In the YAML file below (mycreds.yaml) you can see an example of how one can specify credentials for several of the cloud types supported by Juju.

Expand YAML file 
credentials:
  aws:
    peter:
      auth-type: access-key
      access-key: AKIAIH7SUFMBP455BSQ
      secret-key: HEg5Y1DuGabiLt72LyCLkKnOw+NZkgszh3qIZbWv
    jlaurin:
      auth-type: access-key
      access-key: AKIAIFII8EH5BOCYSJMA
      secret-key: WXg6S5Y1DvwuGt72LwzLKnItt+GRwlkn668sXHqq
  homemaas: # a MAAS cloud
    peter:
      auth-type: oauth1
      maas-oauth: 5weWAsjhe9lnaLKHERNSlke320ah9naldIHnrelks
  myopenstack: # an OpenStack instance
    john:
      auth-type: access-key
      access-key: bae7651caeab41ed876cfdb342bae23e
      secret-key: 7172bc91a21c3df1787423ac12093bcc
      tenant-name: admin
      username: admin   
  homestack: # another Openstack instance
    peter:
      auth-type: userpass
      password: UberPassK3yz
      tenant-name: appserver
      username: peter
  google:
    peter:
      auth-type: jsonfile
      file: ~/.config/gcloud/application_default_credentials.json
    juju-gce-1-sa:
      auth-type: oauth2
      project-id: juju-gce-1
      private-key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCzTFMj0/GvhrcZ
        3B2584ZdDdsnVuHb7OYo8eqXVLYzXEkby0TMu2gM81LdGp6AeeB3nu5zwAf71YyP
        erF4s0falNPIyRjDGYV1wWR+mRTbVjYUd/Vuy+KyP0u8UwkktwkP4OFR270/HFOl
        Kc0rzflag8zdKzRhi7U1dlgkchbkrio148vdaoZZo67nxFVF2IY52I2qGW8VFdid
        z+B9pTu2ZQKVeEpTVe5XEs3y2Y4zt2DCNu3rJi95AY4VDgVJ5f1rnWf7BwZPeuvp
        0mXLKzcvD31wEcdE6oAaGu0x0UzKvEB1mR1pPwP6qMHdiJXzkiM9DYylrMzuGL/h
        VAYjhFQnAgMBAAECggEADTkKkJ10bEt1FjuJ5BYCyYelRLUMALO4RzpZrXUArHz/
        CN7oYTWykL68VIE+dNJU+Yo6ot99anC8GWclAdyTs5nYnJNbRItafYd+3JwRhU0W
        vYYZqMtXs2mNMYOC+YNkibIKxYZJ4joGksTboRvJne4TN7Et/1uirr+GtLPn+W/e
        umXfkpbOTDDAED8ceKKApAn6kLIW98DwHyK0rUzorOgp4DFDX9CjuWC+RG3CFGsk
        oVOcDuTevJlb9Rowj1S2qYhGjuQVpVD7bcRg5zaSJKS88YbK63DCHZFpXn9JR0Fg
        Vou9dnc99FdMo5vtHg7Adxh91gdqEvoaF1lHx8Var0q32QDse+spvv7K6/+7G35k
        3+1gDgF74/uMr/AVrjpoUjmGAuWweXY/vn1MVN2Uld4KPYafkOF8oTuDK5f1fu0d
        cMEoKRSXQh1NCD3PZWfQt4ypYPzn9R+VBGwnBcPorytlhM9qdLxKKlaHjBlprS6Y
        Be1z6FO+MqWhFlwPrKH/2uwd4QKBgQDCGESJur9OdEeroBQyYyJF7DnJ/+wHSiOr
        qzvb9YW1Ddtg1iiKHHZO5FS59/D62kPaGsysCMKxI9FW53TzSxUiTaEG636C5v8J
        eRdzxX04BNYNzqXbm1agBEjAa7tK8xJAjk0to4zqadUaYZog0uQs2X7Aexj2c9T/
        HQVLILHjBwKBgD/yuoLNbST+cGbuZl1s2EnTP796xPkkUm3qcUzofzmn6uivz7Qp
        FMThZhHZ/Der98tra91a4e8fHaUTL5d4eCMeCL1mWXoNMnm02D/ugpEC8yDefi3T
        xlM/Ed0IEVogcd49tvTvQfrhfbW/6Que/rkLKCoUlAldfIOYkS4YyyTBAoGACCpH
        L9gYVi+UGEc6skfzWCew4quOfVwEFiO09/LjNhOoJ/G6cNzzqSv32H7yt0rZUeKQ
        u6f+sL8F/nbsN5PwBqpnXMgpYU5gakCa2Pb05pdlfd00owFs6nxjpxyhG20QVoDm
        BEZ+FhpvqZVzi2/zw2M+7s/+49dJnZXV9Cwi758CgYAquNdD4RXU96Y2OjTlOSvM
        THR/zY6IPeO+kCwmBLiQC3cv59gaeOp1a93Mnapet7a2/WZPL2Al7zwnvZYsHc4z
        nu1acd6D7H/9bb1YPHMNWITfCSNXerJ2idI689ShYjR2sTcDgiOQCzx+dwL9agaC
        WKjypRHpiAMFbFqPT6W2uA==
        -----END PRIVATE KEY-----
      client-id: "206517233375074786882"
      client-email: juju-gce-sa@juju-gce-123.iam.gserviceaccount.com
  azure:
    peter:
      auth-type: service-principal-secret
      application-id: c07fd75f-dc07-47a1-87ed-123456731897
      subscription-id: bef58c0a-6fca-489d-8297-12345677f276
      application-password: 76ab0f15-4d2e-4dd8-abca-1234567325d5
  oracle:
    jlarin:
      auth-type: httpsig
      fingerprint: a3:57:81:9c:d2:d5:af:31:3b:73:1e:2b:a4:ae:96:ee
      key: |
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: AES-128-CBC,AAAC919B21A2694027DBEB182593FBEC

        MIIEogIBAAKCAQEAoc9jtcvo49FWe3sOhS6c1ExkllNZ61vChsLmMhBCI1vMc8wu
        cMpNmYK1ZA+d2Mm5YWDwn4UrSTzyaFdAIesmRljfbYMGTLznI/nfQMa1hkmplF5Q
        xNPCdzs0afqfnubIyrvCKYfAsRzjCcs7C30n6PzG5WrKxzr1QNvAuvYgjd2oQuSY
        nAhDgdJDkA9UwJFgI1jE8EuoxjkvmyeL76ohe78IEjMzoBBvll/Vd3d8X/hCHt4b
        wkmn3B5+QzXIvYXGhaUoZrmG6V+tsk2H5voJj6TswDB8rqIa1SHbY81wIkMUxbD4
        ScAq8eq2/6ETXcoBULKCjmvyqekJHjT7NngbpwIDAQABAoIBAEEggheIDSK0/UQS
        EZQVYNYqMUo4HjcW5cL/PRvlY1lr92ycQAzxwC4LaArwJi49czn4lKEALp35w++v
        PoboaK1j0/n2BLEaT0YxqmQeFq4INBMdqxCt0tW+pKgLUffZF/RRgiLJGwuufstQ
        W2GSbF/gbgWk6B0sY85JJNebfRrb+qjp5Jz+5t5gNVzOwWWkPYoAKXPd9JHYPFAk
        JCUTloYdf16lBml+nZI7EGojXtHUpdF7KyYRVfXMfxBnaWpVHvoZBk5Vk5qL/boz
        N8W+YahFq9BELavYQ30CZQeWYoD2MaSCWv+WzfkER8YK5Onr+5CSU0lW9dqN6wuv
        LFozUgECgYEAy9vZb+hjn3otkEFvyCGg9wmGIs9Qro3UKJI/mGKQeL7K8sd5WsA6
        mbOkIDbK71ZG+iIfxDXLzRO1ZzPjAX3cReFZ9NFRHngX9xM92UP+icIJkM6m4ImN
        UcaGCZiF0LoKUTAkEw+5rpeudGcgNgaI41RKMUBLyQn5MFo3IAPaO4ECgYEAyzJN
        CqB4e+qJgmc29zKsSfvuofasDTmIMnOZW2ci+tiD/qiH/eJoKHK2F5yGV6/tB2iY
        kFSuzWEwu/Crl7seW6xPY+HYlGLD60ix1aRDEfR48bZqFqlIu7uowI9dp43aOmPU
        1YSgMj8UA+rVqHqrS6IX4iqGbEOuzq0a377qiycCgYA99oUQzsH5J1nSDxG68v3K
        GMr8qacMZ2+lJU7PMqZXDScCxD7Opr8pGME6SW1FciQAw36EVRWtL+BjjhBcw7TA
        SM7e6wCNElO4ddLGxzQHC0N9EFMIzMZ3pK/5arMRznp0Uv2kDZOSzefo2a+gvDu/
        XU9vyOtAIBft6n327TTYAQKBgEE3/OhbRzCmv8oeLNM87XW1qgtMLD72Z1OiLOfc
        e6q90efr2fJQOBQ7dVywvaHpco+9L7Krq4vWlXjdL4ZCCJVuAfFSLPy7kpyzMXkc
        Bvb9W9BiNz3cyd6PxdDTQFhNwbXdE2QQ9IYMHvV+62LvNInLFhVehtS7CKGHiCem
        lItJAoGAdnj8nJRFQCAyIGcYk6bloohXI8ko0KLYbHfQpN9oiZa+5crEMzcFiJnR
        X8rWVPCLZK5gJ56CnP8Iyoqah/hpxTUZoSaJnBb/xa7PCiMq1gBfSF8OYlCsRI0V
        semYTOymUHkZyWGMIhmdn6t1S9sOy2tYjiH6HqumwirxnD5CLDk=
        -----END RSA PRIVATE KEY-----
      pass-phrase: "ChimayBlue"
      tenancy: ocid1.tenancy.oc1..aaaaaaaanoslu5x9e50gvq3mdilr5lzjz4imiwj3ale4s3qyivi5liw6hcia
      user: ocid1.user.oc1..aaaaaaaaizcm5ljvk624qa4ue1i8vx043brrs27656sztwqy5twrplckzghq
  vsphere:
    ashley:
      auth-type: userpass
      password: passw0rd
      user: administrator@xyz.com
  lxd-node2:
    interactive:
      auth-type: interactive
      trust-password: ubuntu

Note that credentials are added to Juju on a per-cloud basis. For instance, the following command can be used to import the credentials for the azure cloud as defined in the above file:

juju add-credential azure -f mycreds.yaml

Last updated a month ago.

Help improve this document in the forum.