How to manage secret backends

See also: Secret backend

Starting with Juju 3.1.0, you can also manage secret backends in a number of ways.

Configure a secret backend

To configure a secret backend, create a YAML configuration file containing the configuration keys supported by your chosen backend type. Below we create a minimal configuration file for a backend of type vault, so we name the file vault_config.yaml and specify the API endpoint and the access token.

Currently this is possible only for vault.

A minimal vault backend configuration like the one below is not secure. For production, configure your vault backend securely by specifying further configuration keys, following the list of supported keys and the recommendations in the upstream Vault documentation.

cat > vault_config.yaml <<EOF
endpoint: http://10.0.0.1:8200
token: s.eujhj
EOF
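The following hygiene check is an added example, not Juju's own code. It reads the flat key: value YAML file shown above without PyYAML and flags the settings that should not reach production: a plain-http endpoint (the token and every secret value cross the network in cleartext) and an https endpoint with no CA pin. Only endpoint and token appear on this page; the ca-cert and tls-server-name keys used in the hardened sample are assumed names for the provider's TLS options.

```python
"""Hygiene check for a vault secret-backend configuration file.

Added example, not Juju's own code. `ca-cert` and `tls-server-name` are
assumed key names; only `endpoint` and `token` come from the page.
"""
from urllib.parse import urlparse

# Constructed sample: the minimal (insecure) file from the page.
MINIMAL_CONFIG = """\
endpoint: http://10.0.0.1:8200
token: s.eujhj
"""

# Constructed sample: the same file hardened with TLS settings (assumed keys).
HARDENED_CONFIG = """\
endpoint: https://vault.internal.example:8200
token: hvs.CONSTRUCTED-TOKEN
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIB...constructed placeholder...
  -----END CERTIFICATE-----
tls-server-name: vault.internal.example
"""


def parse_flat_yaml(text):
    """Parse the two YAML shapes used here: `key: value` and `key: |` blocks."""
    result = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line.strip() or line.lstrip().startswith("#"):
            i += 1
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "|":
            # Block scalar: gather the indented lines that follow it.
            block = []
            i += 1
            while i < len(lines) and (lines[i].startswith(" ") or not lines[i].strip()):
                block.append(lines[i].strip())
                i += 1
            result[key] = "\n".join(block).strip()
            continue
        result[key] = value
        i += 1
    return result


def check_vault_config(cfg):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    endpoint = cfg.get("endpoint", "")
    if not endpoint:
        findings.append("endpoint is missing")
    elif urlparse(endpoint).scheme != "https":
        findings.append(
            f"endpoint {endpoint} is not https: the token and every secret "
            "value cross the network in cleartext")
    elif "ca-cert" not in cfg:
        findings.append("https endpoint without ca-cert: the server's identity "
                        "is not pinned to a known CA")
    if not cfg.get("token"):
        findings.append("token is missing")
    return findings


if __name__ == "__main__":
    for label, text in (("minimal", MINIMAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_vault_config(parse_flat_yaml(text)) or "no findings")
```

Run it against the file before passing it to add-secret-backend or update-secret-backend; the minimal file produces one finding, the hardened one none.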

That’s it. You can now start using this backend by adding it to a model.

See more: Secret backend > Configuration options

Add a secret backend to a model

To add a secret backend to a model, run the add-secret-backend command followed by your desired name and type for the backend, as well as any relevant options:

juju add-secret-backend myvault vault token-rotate=10m --config /path/to/cfg.yaml

See more: juju add-secret-backend, Secret backend > Name, Secret backend > Type, Secret backend > Configuration options

To add a secret backend to a controller, on a connected Controller, use the add_secret_backends() method, passing the id, name, backend_type, and config as arguments. For example:

await my_controller.add_secret_backends("1001", "myvault", "vault", {"endpoint": vault_url, "token": keys["root_token"]})

See more: add_secret_backend(), Controller (module)

View all the secret backends available on a controller

To view all the backends available in the controller, run the secret-backends command:

juju secret-backends
Backend           Type        Secrets  Message
internal          controller      134  
foo-local         kubernetes       30
bar-local         kubernetes       30
myvault           vault            20  sealed

The command also has options that allow you to filter by a specific controller or set an output format or an output file or reveal sensitive backend config content.

See more: juju secret-backends
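The following is an added example, not Juju's own code: it parses the secret-backends table shown above (embedded here as a constructed string) into records and returns the external backends that report a message, such as myvault being sealed. A sealed backend still holds its secrets, but charms cannot read them until it is unsealed, so this is the condition an operator polls for.

```python
"""Parse `juju secret-backends` output and flag backends needing attention.

Added example, not Juju's own code. The column layout it relies on
(Backend, Type, Secrets, Message) is taken from the sample on the page.
"""
from dataclasses import dataclass

# Constructed sample: the output shown on the page.
SAMPLE_OUTPUT = """\
Backend           Type        Secrets  Message
internal          controller      134
foo-local         kubernetes       30
bar-local         kubernetes       30
myvault           vault            20  sealed
"""


@dataclass
class Backend:
    name: str
    type: str
    secrets: int
    message: str


def parse_secret_backends(text):
    """Split the aligned table into Backend records; Message may be empty."""
    lines = [line for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[1:]
    if header.split()[:3] != ["Backend", "Type", "Secrets"]:
        raise ValueError("unexpected header: " + header)
    backends = []
    for row in rows:
        parts = row.split(None, 3)  # name, type, secrets, optional message
        name, btype, secrets = parts[:3]
        message = parts[3].strip() if len(parts) > 3 else ""
        backends.append(Backend(name, btype, int(secrets), message))
    return backends


def backends_needing_attention(backends):
    """Backends whose Message column is set (e.g. sealed) hold secrets that
    cannot currently be served to charms."""
    return [b for b in backends if b.message]


def secrets_by_type(backends):
    """Count stored secrets per backend type, useful for spotting how much
    still lives in the controller's internal store."""
    totals = {}
    for b in backends:
        totals[b.type] = totals.get(b.type, 0) + b.secrets
    return totals


if __name__ == "__main__":
    parsed = parse_secret_backends(SAMPLE_OUTPUT)
    for b in backends_needing_attention(parsed):
        print(f"{b.name} ({b.type}): {b.message}, {b.secrets} secrets unavailable")
    print(secrets_by_type(parsed))
```

Feed it the real command output with something like `juju secret-backends | python3 check.py` after replacing SAMPLE_OUTPUT with sys.stdin.read().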

To view all the backends available in the controller, on a connected Controller, use the list_secret_backends() method.

list = await my_controller.list_secret_backends()

See more: list_secret_backends(), Controller (module)

View all the secret backends active in a model

To see all the secret backends in use on a model, use the show-model command. Beginning with Juju 3.1, this command also shows the secret backends (though you might have to scroll down to the end).

juju show-model
mymodel:
  name: admin/mymodel
  short-name: mymodel
  model-uuid: deadbeef-0bad-400d-8000-4b1d0d06f00d
  model-type: iaas
  controller-uuid: deadbeef-1bad-500d-9000-4b1d0d06f00d
  controller-name: kontroll
  owner: admin
  cloud: aws
  region: us-east-1
  type: ec2
  life: alive
  status:
    current: available
  users:
    admin:
      display-name: admin
      access: admin
      last-connection: just now
  machines:
    "0":
      cores: 0
    "1":
      cores: 2
  secret-backends:
    myothersecrets:
      status: active
      secrets: 6
    mysecrets:
      status: draining
      secrets: 5

See more: juju show-model

The python-libjuju client does not currently support this. Please use the juju client.

Change the secret backend to be used by a model

To change the secret backend to be used by a model, use the model-config command with the secret-backend key configured to the name of the secret backend that you want to use, for example, myothersecrets:

juju model-config secret-backend=myothersecrets

After the switch, any new secret revisions are stored in the new backend. Existing revisions continue to be read from the old backend.

See more: How to configure a model, List of model configuration keys > secret-backend

The python-libjuju client does not currently support this. Please use the juju client.

View details about a secret backend

To view details about a particular secret backend, use the show-secret-backend command followed by the name of the secret backend. For example, for a secret backend called myvault, run:

juju show-secret-backend myvault

By passing various options you can also specify a controller, an output format, an output file, or whether to reveal sensitive information.

See more: juju show-secret-backend

The python-libjuju client does not currently support this. Please use the juju client.

Update a secret backend

To update a secret backend on the controller, run the update-secret-backend command followed by the name of the secret backend. Below we update the backend by supplying a configuration from a file:

juju update-secret-backend myvault --config /path/to/cfg.yaml

See more: juju update-secret-backend

To update a secret backend on the controller, on a connected Controller, use the update_secret_backends() method, passing the backend name as an argument, along with the updated information, such as name_change for a new name. For example:

await my_controller.update_secret_backends(
    "myvault",
    name_change="changed_name")

Check out the documentation for the full list of arguments.

See more: update_secret_backend(), Controller (module)

Remove a secret backend

To remove a secret backend, use the remove-secret-backend command followed by the backend name:

juju remove-secret-backend myvault

See more: juju remove-secret-backend
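The following pre-flight check is an added example, not Juju's own code. It ties together the show-model output shown earlier (the secret-backends section with active and draining entries), the note that after a backend switch existing revisions are still read from the old backend, and the remove-secret-backend command: before removing a backend, it scans each model's show-model output and reports where that backend still holds secret revisions or is the model's active store. The interpretation of active as the backend a model currently writes to and draining as a former backend still serving old revisions is an assumption drawn from the page's description; the sample outputs are constructed.

```python
"""Pre-flight check before `juju remove-secret-backend NAME`.

Added example, not Juju's own code. Parses the secret-backends section of
`juju show-model` output without PyYAML. Assumes `active` = the model's
current backend and `draining` = a former backend still holding revisions.
"""

# Constructed sample: trimmed from the page's show-model output.
MYMODEL_OUTPUT = """\
mymodel:
  name: admin/mymodel
  life: alive
  secret-backends:
    myothersecrets:
      status: active
      secrets: 6
    mysecrets:
      status: draining
      secrets: 5
"""

# Constructed sample: a second model that never used mysecrets.
OTHER_OUTPUT = """\
othermodel:
  name: admin/othermodel
  life: alive
  secret-backends:
    myothersecrets:
      status: active
      secrets: 0
"""


def parse_show_model_backends(text):
    """Return {backend_name: {"status": str, "secrets": int}} from the
    secret-backends mapping of show-model output (empty dict if absent)."""
    lines = text.splitlines()
    result = {}
    i = 0
    while i < len(lines) and lines[i].strip() != "secret-backends:":
        i += 1
    if i == len(lines):
        return result
    base = len(lines[i]) - len(lines[i].lstrip())
    i += 1
    current = None
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= base:
            break  # left the secret-backends mapping
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            current = key  # a backend name opens a nested mapping
            result[current] = {}
        elif current is not None:
            result[current][key] = int(value) if value.isdigit() else value
    return result


def removal_blockers(backend, models):
    """models maps model name -> show-model text. Return the reasons why
    removing `backend` now would strand secret revisions or break a model."""
    reasons = []
    for model_name, text in models.items():
        info = parse_show_model_backends(text).get(backend)
        if info is None:
            continue
        if info.get("secrets", 0) > 0:
            reasons.append(f"{model_name}: {backend} is {info.get('status')} "
                           f"with {info['secrets']} secret(s)")
        elif info.get("status") == "active":
            reasons.append(f"{model_name}: {backend} is the model's active backend")
    return reasons


if __name__ == "__main__":
    models = {"mymodel": MYMODEL_OUTPUT, "othermodel": OTHER_OUTPUT}
    for name in ("mysecrets", "myothersecrets", "myvault"):
        blockers = removal_blockers(name, models)
        print(name, "->", blockers or "safe to remove")
```

Switch every affected model to another backend with model-config secret-backend and let the old one drain to zero secrets before running remove-secret-backend; the check returns an empty list once nothing remains.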

To remove a secret backend on the controller, on a connected Controller, use the remove_secret_backends() method, passing the backend name as an argument. For example:

await my_controller.remove_secret_backends("myvault")

Check out the documentation for the full list of arguments.

See more: remove_secret_backend(), Controller (module)


Contributors: @cderici, @tmihoc, @wallyworld