Secret (Scenario)


In Scenario, the state.Secret data structure encapsulates all information the charm needs to process secret events.

Example usage

from scenario import State, Secret

state = State(
    secrets=[
        Secret(
            id='foo',
            contents={0: {'key': 'public'}}
        )
    ]
)

The only mandatory arguments to Secret are its secret ID (which should be unique) and its ‘contents’: that is, a mapping from revision numbers (integers) to a str:str dict representing the payload of the revision.

By default, the secret is neither owned by this charm nor granted to it. Therefore, if charm code attempted to get that secret revision, it would get a permission error: we neither granted the secret to this charm nor specified that the charm owns it.

To specify a secret owned by this unit (or app):

from scenario import State, Secret

state = State(
    secrets=[
        Secret(
            id='foo',
            contents={0: {'key': 'public'}},
            owner='unit',  # or 'app'
            # the secret owner has granted access to the "remote" app over some relation with ID 0
            remote_grants={0: {"remote"}},
        )
    ]
)

To specify a secret owned by some other application and give this unit (or app) access to it:

from scenario import State, Secret

state = State(
    secrets=[
        Secret(
            id='foo',
            contents={0: {'key': 'public'}},
            # owner=None, which is the default
            granted="unit",  # or "app",
            revision=0,  # the revision that this unit (or app) is currently tracking
        )
    ]
)
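
The ownership and grant rules above decide whether a test exercises the permission-denied path or the readable path, so it helps to check fixtures before relying on them. The following is an added example, not part of Scenario or of the original page: `SecretSpec`, `readable_by_charm` and `lint_secrets` are hypothetical names, `SecretSpec` is a plain stand-in for the arguments shown above, and the `granted=False` default and the rule that a tracked revision must exist in `contents` are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Union

@dataclass
class SecretSpec:
    """Stand-in for the Secret arguments shown above; NOT scenario's class."""
    id: str
    contents: dict
    owner: Optional[str] = None         # None (default), 'unit' or 'app'
    granted: Union[bool, str] = False   # assumed default; 'unit' or 'app'
    revision: int = 0                   # revision this charm is tracking

def readable_by_charm(s):
    """Page rule: readable only if owned by, or granted to, this unit/app."""
    return s.owner in ("unit", "app") or s.granted in ("unit", "app")

def lint_secrets(secrets):
    """Return (secret_id, problem) tuples for a State's list of secrets."""
    problems, seen = [], set()
    for s in secrets:
        if s.id in seen:
            problems.append((s.id, "duplicate id"))
        seen.add(s.id)
        for rev, payload in s.contents.items():
            well_typed = (
                isinstance(rev, int) and isinstance(payload, dict)
                and all(isinstance(k, str) and isinstance(v, str)
                        for k, v in payload.items()))
            if not well_typed:
                problems.append((s.id, f"revision {rev!r}: want int -> str:str dict"))
        # Assumption of this example: a tracked revision must exist in contents.
        if readable_by_charm(s) and s.revision not in s.contents:
            problems.append((s.id, f"tracked revision {s.revision} has no contents"))
    return problems

# Constructed fixtures: one per case described on the page, plus two broken ones.
SAMPLE = [
    SecretSpec("foo", {0: {"key": "public"}}),                    # default: denied
    SecretSpec("own", {0: {"key": "public"}}, owner="unit"),
    SecretSpec("ext", {0: {"key": "public"}}, granted="unit", revision=1),
    SecretSpec("own", {"0": {"key": 1}}, owner="app"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.id, "readable" if readable_by_charm(s) else "permission error expected")
    for secret_id, problem in lint_secrets(SAMPLE):
        print("LINT", secret_id, problem)
```

A fixture for which `readable_by_charm` returns `False` belongs in a test that asserts the charm handles the permission error, not in one that expects the payload.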

Other arguments

Regardless of who owns and can read the secret, you can pass a label argument to configure the local label for this secret, a description key that is associated with the Secret, as well as expire and rotate arguments to configure expiration date and rotation policy respectively.

As of ops-scenario==3.0, Scenario doesn’t do time simulation, so expiration and rotation, while supported as static metadata values, don’t have any semantics attached to them.