How to manage credentials
See also: Credential
This document shows how to manage credentials in Juju.
If you’re using the AWS cloud:
You don’t have to use credentials. Instead, you can use instance profiles:
- On the AWS website, set up an instance profile.
See more: AWS | Using instance profiles
- During controller creation, pass the instance profile as a bootstrap constraint:
juju bootstrap --bootstrap-constraints="instance-role=<aws instance profile>" ...
See more: How to manage machine constraints for a controller, Constraint |
instance-role
Contents:
- Add a credential
- View all the known credentials
- View details about a credential
- Set the default credential
- Relate a remote credential to a model
- Update a credential
- Remove a credential
Add a credential
The procedure for how to add a cloud credential to Juju depends on whether the cloud is a machine (traditional, non-Kubernetes) cloud or rather a Kubernetes cloud.
Add a credential for a machine cloud
If your cloud is a local LXD cloud and if you are a Juju admin user:
Your cloud credential is set up and retrieved automatically for you, so you can skip this step. Run juju credentials
to confirm. (If you are not a Juju admin user, run autoload-credentials
.)
There are two main ways to add a credential for a machine cloud – manual and automatic. The latter is only supported for some clouds.
Add a credential manually.
To add a machine cloud credential manually, run the add-credential
command followed by the name of your machine cloud. For example:
juju add-credential aws
This will start an interactive session where you’ll be asked to choose a cloud region (if applicable), a credential name (you can pick any name you want), an access key, etc.
The command also offers various flags that you can use to provide all this information in one go (e.g., the path to a YAML file containing the credential definition) as an alternative to the interactive session.
See more:
juju add-credential
Add a credential automatically.
This method is currently available only for Amazon EC2, Google GCE, OpenStack, and a local LXD cloud.
To add a machine cloud credential automatically, run the autoload-credentials
command:
juju autoload-credentials
Juju will scan your local environment variables / rc files and, if it detects something suitable for the present cloud, it will display a prompt asking you to confirm the addition of the credential and to specify a name for it.
For a local LXD cloud with a non-admin user, the command will also ensure that a local certificate is generated for the non-admin user.
See more:
juju autoload-credentials
Add a credential for a Kubernetes cloud
If your cloud is a local MicroK8s cloud and if you are a Juju admin user:
Your cloud credential is set up and retrieved automatically for you, so you can skip this step. Run juju credentials
to confirm.
To add a credential for a Kubernetes cloud, run the add-k8s
command followed by the name of your Kubernetes cloud. For example:
juju add-k8s myk8scloud
This command will check your local kubeconfig file and use the cloud and credential definitions in there to at the same time create a Kubernetes cloud and add credentials to it.
The command has flags that allow you to specify a particular clouster to import, a non-default kubeconfig file location, the specific credential to use when accessing the cluster (if there are more than one), etc.
See more:
juju add-k8s
View all the known credentials
To see a list of all the known credentials, run the credentials
command:
juju credentials
This should output something similar to this:
Controller Credentials:
Cloud Credentials
lxd localhost*
Client Credentials:
Cloud Credentials
aws bob*, carol
google wayne
where the asterisk denotes the default credential for a given cloud.
By passing various flags, you can also choose to view just the credentials known to the client, or just those for a particular controller; you can select a different output format or an output file (and also choose to include secrets); etc.
See more:
juju credentials
View details about a credential
You can view details about all your credentials at once or just about a specific credential.
All credentials. To view details about all your credentials at once, run the show-credential
command with no argument:
juju show-credential
By passing various flags you can filter by controller, select an output format or an output file, etc.
See more:
juju show-credential
A specific credential. To view details about just one specific credential, run the show-credential
command followed by the name of the cloud and the name of the credential. For example:
juju show-credential mycloud mycredential
By passing various flags you can specify an output format or an output file, display secret attributes, etc.
See more:
juju show-credential
Set the default credential
Set. To set the default credential for a cloud on the current client, run the default-credential
command followed by the name of the cloud and the name of the credential. For example:
juju default-credential aws carol
See more:
juju default-credential
Get. To view the currrently set default credential for a cloud, run the default-credential
command followed by the name of the cloud. For example:
juju default-credential aws
This should display the default credential.
See more:
juju default-credential
Relate a remote credential to a model
You can only do this if you are a controller admin or a model owner.
To relate a credential to a model, run the set-credential
command followed by a flag for the intended model, the host cloud, and the name of the credential. For example:
juju set-credential -m trinity aws bob
If the credential is only known to the client, this will first upload it to the controller and then relate it to the model.
This command does not affect any existing relations between the credential and other models. If the credential is already related to a single model, this operation will simply cause the credential to be related to two models.
See more:
juju set-credential
Update a credential
To update a credential, run the update-credential
command followed by the name of the cloud and the name of the credential. For example:
juju update-credential mycloud mycredential
This will start an interactive session where you will be asked to specify various parameters for the update.
By passing various flags, you can also perform this operation in-line. And by dropping the credential (and the cloud) argument and passing a flag with a credential YAMl file, you can also update all your credentials at once.
See more:
juju update-credential
Remove a credential
To remove a credential, run the remove-credential
command followed by the name of the cloud and the name of the credential. For example:
juju remove-credential mycloud mycredential
This will start an interactive session where you will be asked to choose whether to apply this operation for the client or a specific controller or both. You can bypass this by using the client and controller flags in-line.
See more:
juju remove-credential
Last updated 27 days ago.