How to manage credentials

See also: Credential

This document shows how to manage credentials in Juju.

If you’re using the AWS cloud:
You don’t have to use credentials. Instead, you can use instance profiles:

On the AWS website, set up an instance profile.

See more: AWS | Using instance profiles

During controller creation, pass the instance profile as a bootstrap constraint:

juju bootstrap --bootstrap-constraints="instance-role=<aws instance profile>" ...

See more: How to manage machine constraints for a controller, Constraint | instance-role

Contents:

Add a credential
View all the known credentials
View details about a credential
Set the default credential
Relate a remote credential to a model
Update a credential
Remove a credential

Add a credential

The procedure for how to add a cloud credential to Juju depends on whether the cloud is a machine (traditional, non-Kubernetes) cloud or rather a Kubernetes cloud.

Add a credential for a machine cloud
Add a credential for a Kubernetes cloud

Add a credential for a machine cloud

If your cloud is a local LXD cloud and if you are a Juju admin user: Your cloud credential is set up and retrieved automatically for you, so you can skip this step. Run juju credentials to confirm. (If you are not a Juju admin user, run autoload-credentials.)

There are two main ways to add a credential for a machine cloud – manual and automatic. The latter is only supported for some clouds.

Add a credential manually.

To add a machine cloud credential manually, run the add-credential command followed by the name of your machine cloud. For example:

juju add-credential aws

This will start an interactive session where you’ll be asked to choose a cloud region (if applicable), a credential name (you can pick any name you want), an access key, etc.

The command also offers various flags that you can use to provide all this information in one go (e.g., the path to a YAML file containing the credential definition) as an alternative to the interactive session.

See more: juju add-credential

Add a credential automatically.

This method is currently available only for Amazon EC2, Google GCE, OpenStack, and a local LXD cloud.

To add a machine cloud credential automatically, run the autoload-credentials command:

juju autoload-credentials

Juju will scan your local environment variables / rc files and, if it detects something suitable for the present cloud, it will display a prompt asking you to confirm the addition of the credential and to specify a name for it.

For a local LXD cloud with a non-admin user, the command will also ensure that a local certificate is generated for the non-admin user.

See more: juju autoload-credentials

Add a credential for a Kubernetes cloud

If your cloud is a local MicroK8s cloud and if you are a Juju admin user: Your cloud credential is set up and retrieved automatically for you, so you can skip this step. Run juju credentials to confirm.

To add a credential for a Kubernetes cloud, run the add-k8s command followed by the name of your Kubernetes cloud. For example:

juju add-k8s myk8scloud

This command will check your local kubeconfig file and use the cloud and credential definitions in there to at the same time create a Kubernetes cloud and add credentials to it.

The command has flags that allow you to specify a particular clouster to import, a non-default kubeconfig file location, the specific credential to use when accessing the cluster (if there are more than one), etc.

See more: juju add-k8s

View all the known credentials

To see a list of all the known credentials, run the credentials command:

juju credentials

This should output something similar to this:

Controller Credentials:
Cloud           Credentials
lxd             localhost*

Client Credentials:
Cloud   Credentials
aws     bob*, carol
google  wayne

where the asterisk denotes the default credential for a given cloud.

By passing various flags, you can also choose to view just the credentials known to the client, or just those for a particular controller; you can select a different output format or an output file (and also choose to include secrets); etc.

See more: juju credentials

View details about a credential

You can view details about all your credentials at once or just about a specific credential.

All credentials. To view details about all your credentials at once, run the show-credential command with no argument:

juju show-credential

By passing various flags you can filter by controller, select an output format or an output file, etc.

See more: juju show-credential

A specific credential. To view details about just one specific credential, run the show-credential command followed by the name of the cloud and the name of the credential. For example:

juju show-credential mycloud mycredential

By passing various flags you can specify an output format or an output file, display secret attributes, etc.

See more: juju show-credential

Set the default credential

Set. To set the default credential for a cloud on the current client, run the default-credential command followed by the name of the cloud and the name of the credential. For example:

juju default-credential aws carol

See more: juju default-credential

Get. To view the currrently set default credential for a cloud, run the default-credential command followed by the name of the cloud. For example:

juju default-credential aws

This should display the default credential.

See more: juju default-credential

Relate a remote credential to a model

You can only do this if you are a controller admin or a model owner.

To relate a credential to a model, run the set-credential command followed by a flag for the intended model, the host cloud, and the name of the credential. For example:

juju set-credential -m trinity aws bob

If the credential is only known to the client, this will first upload it to the controller and then relate it to the model.

This command does not affect any existing relations between the credential and other models. If the credential is already related to a single model, this operation will simply cause the credential to be related to two models.

See more: juju set-credential

Update a credential

To update a credential, run the update-credential command followed by the name of the cloud and the name of the credential. For example:

juju update-credential mycloud mycredential

This will start an interactive session where you will be asked to specify various parameters for the update.

By passing various flags, you can also perform this operation in-line. And by dropping the credential (and the cloud) argument and passing a flag with a credential YAMl file, you can also update all your credentials at once.

See more: juju update-credential

Remove a credential

To remove a credential, run the remove-credential command followed by the name of the cloud and the name of the credential. For example:

juju remove-credential mycloud mycredential

This will start an interactive session where you will be asked to choose whether to apply this operation for the client or a specific controller or both. You can bypass this by using the client and controller flags in-line.

See more: juju remove-credential

Last updated 29 days ago.

Help improve this document in the forum.