How to manage secrets

See also: Secret

Charms can use relations to share secrets, such as API keys, a database’s address, credentials and so on. This document demonstrates how to interact with them as a Juju user.

The write operations are only available (a) starting with Juju 3.3 and (b) to model admin users looking to manage user-owned secrets. See more: Secret.


Add a secret

To add a secret, run the add-secret command followed by a secret name and a (space-separated list of) key-value pair(s). For example:

juju add-secret dbpassword foo=bar

The command also allows you to specify the type of key, whether you want to supply its value from a file, whether you want to give it a label, etc.

See more: juju add-secret

To add a secret on the controller specified in the juju provider definition, in your Terraform plan create a resource of the juju_secret type, specifying a model name, a secret name, a value map and, optionally, an info string. For example:

resource "juju_secret" "my-secret" {
  model = juju_model.development.name
  name  = "my_secret_name"
  value = {
    key1 = "value1"
    key2 = "value2"
  }
  info = "This is the secret"
}

See more: juju_secret (resource)

View all the available secrets

To view all the secrets available in a model, run:

juju secrets

You can also add options to specify an output format, a model other than the current model, an owner, etc.

See more: juju secrets

The terraform juju client does not support this. Please use the juju client.

View details about a secret

To drill down into a secret, run the show-secret command followed by the secret name or ID. For example:

juju show-secret 9m4e2mr0ui3e8a215n4g

You can also add options to specify the format, the revision, whether to reveal the value of a secret, etc.

See more: juju show-secret

The terraform juju client does not support this. Please use the juju client.

Grant access to a secret

To grant a secret to an application, run the grant-secret command followed by the secret name or ID and by the name of the application. For example:

juju grant-secret dbpassword mysql

For the application to be able to use the secret, it needs to be configured with the secret URI. Warning: it is possible a given charm may not have a secret configuration option.

See more: juju grant-secret
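The add and grant steps above, combined into one POSIX shell helper. This is an added example and not part of the Juju documentation or the juju client itself: it creates a user secret from a values file rather than from key=value arguments (values passed as arguments are recorded in shell history and visible to other local users in the process list), refuses a values file that other users can read, and then grants the secret to each application named. It assumes that `juju add-secret` accepts the values file through a `--file` option and prints the new secret URI, and it resolves the juju binary through the `JUJU` variable so a stub can stand in for it.

```shell
#!/bin/sh
# Added example, not Juju project code. Creates a secret from a private
# values file and grants it to applications. The juju binary is looked up
# through $JUJU so a stub function can replace it.

JUJU="${JUJU:-juju}"

# Return 0 only when the file exists and has no group/other permission
# bits, i.e. it is readable by its owner alone.
check_private_file() {
    f="$1"
    [ -f "$f" ] || return 1
    # ls -l prints e.g. -rw-------; characters 5-10 are the group/other bits
    mode=$(ls -l "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Usage: add_secret_from_file <secret-name> <values-file> [application ...]
# Prints what juju add-secret printed (assumed to be the new secret URI).
add_secret_from_file() {
    name="$1"
    file="$2"
    shift 2
    check_private_file "$file" || {
        echo "refusing: $file must be readable only by its owner" >&2
        return 1
    }
    # --file is assumed here to be the add-secret option that reads the
    # key/value pairs from a YAML file instead of the command line.
    uri=$("$JUJU" add-secret "$name" --file "$file") || return 1
    # Grant the new secret to each application named on the command line.
    for app in "$@"; do
        "$JUJU" grant-secret "$name" "$app" || return 1
    done
    printf '%s\n' "$uri"
}

# Example invocation (values file and application names are constructed):
#   printf 'password: example-only\n' > dbpassword.yaml
#   chmod 600 dbpassword.yaml
#   add_secret_from_file dbpassword dbpassword.yaml mysql
```

The permission check runs before anything is sent to the controller, so a values file left world-readable stops the whole operation rather than producing a secret whose value was already exposed on the host.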

To grant access to a secret on the controller specified in the juju provider definition, in your Terraform plan create a resource of the juju_access_secret type, specifying the list of applications you wish to grant access to. For example:

resource "juju_secret" "my-secret" {
  model = juju_model.development.name
  name  = "my_secret_name"
  value = {
    key1 = "value1"
    key2 = "value2"
  }
  info = "This is the secret"
}

resource "juju_access_secret" "my-secret-access" {
  model = juju_model.development.name
  applications = [
    juju_application.app.name, juju_application.app2.name
  ]
  # Use the secret_id from your secret resource or data source.
  secret_id = juju_secret.my-secret.secret_id
}

See more: juju_access_secret (resource)

Update a secret

This feature is opt-in because having Juju automatically remove secret content might result in data loss.

To update a secret, run the update-secret command followed by the secret ID and the updated (space-separated list of) key-value pair(s). For example:

juju update-secret secret:9m4e2mr0ui3e8a215n4g token=34ae35facd4

See more: juju update-secret

To update a secret, update its resource definition from your Terraform plan.

Remove a secret

To remove all the revisions of a secret, run the remove-secret command followed by the secret ID. For example:

juju remove-secret secret:9m4e2mr0ui3e8a215n4g

The command also allows you to specify a model, or to provide a specific revision to remove instead of the default (all revisions).

See more: juju remove-secret

To remove a secret, remove its resource definition from your Terraform plan.


Contributors: @kelvin.liu , @wallyworld, @anvial