How to manage secret backends

tmihoc · 6 February 2023 18:08

See also: Secret backend

Starting with Juju 3.1.0, you can also manage secret backends in a number of ways.

Contents:

Configure a secret backend
Add a secret backend to a model
View all the secret backends available on a controller
View all the secret backends active in a model
Change the secret backend to be used by a model
View details about a secret backend
Update a secret backend
Remove a secret backend

Configure a secret backend

To configure a secret backend, create a configuration YAML file with configurations supported by your chosen backend type. Below we create a minimal configuration file for a backend type vault, so we name the file vault_config.yaml and specify the API endpoint and the access token.

Currently this is possible only for vault.

A minimal vault backend configuration as below is not secure. For production you should configure your vault backend securely by specifying further configuration keys, following the list of supported keys and recommendations from the upstream Vault documentation.

cat > vault_config.yaml <<EOF
endpoint: http://10.0.0.1:8200
token: s.eujhj
EOF

That’s it. You can now start using this backend by adding it to a model.

See more: Secret backend > Configuration options

Add a secret backend to a model

To add a secret backend to a model, run the add-secret-backend command followed by your desired name and type for the backend, type as well as any relevant options:

juju add-secret-backend myvault vault token-rotate=10m --config /path/to/cfg.yaml

See more: juju add-secret-backend, Secret backend > Name, Secret backend > Type, Secret backend > Configuration options

View all the secret backends available on a controller

To view all the backends available in the controller, run the secret-backends command:

juju secret-backends

Expand to see a sample output

Backend           Type        Secrets  Message
internal          controller      134  
foo-local         kubernetes       30
bar-local         kubernetes       30
myvault           vault            20  sealed

The command also has options that allow you to filter by a specific controller or set an output format or an output file or reveal sensitive backend config content.

See more: juju secret-backends

View all the secret backends active in a model

To see all the secret backends in use on a model, use the show-model command. Beginning with Juju 3.1, this command also shows the secret backends (though you might have to scroll down to the end).

juju show-model

Expand to see a sample output

mymodel:
  name: admin/mymodel
  short-name: mymodel
  model-uuid: deadbeef-0bad-400d-8000-4b1d0d06f00d
  model-type: iaas
  controller-uuid: deadbeef-1bad-500d-9000-4b1d0d06f00d
  controller-name: kontroll
  owner: admin
  cloud: aws
  region: us-east-1
  type: ec2
  life: alive
  status:
	current: available
  users:
	admin:
  	display-name: admin
  	access: admin
  	last-connection: just now
  machines:
	"0":
  	  cores: 0
	"1":
  	  cores: 2
  secret-backends:
	myothersecrets:
  	  status: active
	  secrets: 6
	mysecrets:
  	  status:draining
	  secrets: 5

See more: juju show-modelstrong text

Change the secret backend to be used by a model

To change the secret backend to be used by a model, use the model-config command with the secret-backend key configured to the name of the secret backend that you want to use, for example, myothersecrets:

juju model-config secret-backend=myothersecrets

After the switch, any new secret revisions are stored in the new backend. Existing revisions continue to be read from the old backend.

See more: How to configure a model, List of model configuration keys > secret-backend

View details about a secret backend

To view details about a particular secret, use the show-secret-backend command followed by the name of the secret backend. For example, for a secret called myvault, do:

juju show-secret-backend myvault

By passing various options you can also specify a controller, an output format, an output file, or whether to reveal sensitive information.

See more: juju show-secret-backend

Update a secret backend

To update a secret backend on the controller, run the update-secret-backend command followed by the name of the secret backend. Below we update the backend by supplying a configuration from a file:

juju update-secret-backend myvault --config /path/to/cfg.yaml

See more: juju update-secret-backend

Remove a secret backend

To remove a secret backend, use the remove-secret-backend command followed by the backend name:

juju remove-secret-backend myvault

See more: juju update-secret-backend

Contributors: @tmihoc, @wallyworld