How to manage secrets

See also: Secret

Charms can use relations to share secrets, such as API keys, a database’s address, credentials and so on. This document demonstrates how to interact with them as a Juju user.

The write operations are only available (a) starting with Juju 3.3 and (b) to model admin users looking to manage user-owned secrets. See more: Secret.


Add a secret

To add a (user) secret, run the add-secret command followed by a secret name and a (space-separated list of) key-value pair(s). This will return a secret ID. For example:

$ juju add-secret dbpassword foo=bar
secret:copp9vfmp25c77di8nm0

The command also allows you to specify the type of key, whether you want to supply its value from a file, whether you want to give it a label, etc.

See more: juju add-secret

To add a (user) secret on the controller specified in the juju provider definition, in your Terraform plan create a resource of the juju_secret type, specifying, at the very least, a model, the name of the secret and a value map, plus, optionally, an info field. For example:

resource "juju_secret" "my-secret" {
  model = juju_model.development.name
  name  = "my_secret_name"
  value = {
    key1 = "value1"
    key2 = "value2"
  }
  info = "<description of the secret>"
}

See more: juju_secret (resource)

To add a (user) secret, on a connected Model, use the add_secret() method, passing the name of the secret and the data as arguments. For example:

await model.add_secret(name='my-apitoken', data_args=['token=34ae35facd4'])

See more: add_secret(), Model (module)

View all the available secrets

To view all the (user and charm) secrets available in a model, run:

juju secrets

You can also add options to specify an output format, a model other than the current model, an owner, etc.

See more: juju secrets

The terraform juju client does not support this. Please use the juju client.

To view all the (user and charm) secrets available in a model, on a connected Model, use the list_secrets() method.

await model.list_secrets()

See more: list_secrets(), Model (module)

View details about a secret

To drill down into a (user or charm) secret, run the show-secret command followed by the secret name or ID. For example:

juju show-secret 9m4e2mr0ui3e8a215n4g

You can also add options to specify the format, the revision, whether to reveal the value of a secret, etc.

See more: juju show-secret

The terraform juju client does not support this. Please use the juju client.

The python-libjuju client does not currently support this. Please use the juju client.

Grant access to a secret

If a charm exposes a configuration option that accepts a user secret, grant the application deployed from that charm access to the secret by running the grant-secret command followed by the secret name or ID and then the name of the application. For example:

juju grant-secret dbpassword mysql

Note that this only gives the application permission to read the secret; you must still hand the application the secret itself, by setting the relevant secret-accepting configuration option to the secret URI:

juju config <application> <option>=<secret URI>

See more: juju grant-secret
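The add, grant and config steps above combined into one script, as an added example that is not part of the Juju documentation. It assumes the juju CLI (3.3 or later) is on PATH and operates on the current model, and that the secret name, application name, option name and key-value pairs are supplied by the caller; the URI check only relies on the `secret:<id>` shape shown on this page.

```shell
# Added example, not from the Juju documentation. Assumes `juju` (3.3+) is on
# PATH and that the current model contains the target application.
set -eu

# Extract the "secret:<id>" line that `juju add-secret` prints and reject
# anything else, so a warning or blank line is never passed on as a URI.
secret_uri_from_output() {
  uri=$(printf '%s\n' "$1" | grep -E '^secret:[a-z0-9]+$' | head -n 1)
  if [ -z "$uri" ]; then
    echo "no secret URI found in add-secret output" >&2
    return 1
  fi
  printf '%s\n' "$uri"
}

# provision_user_secret NAME APP OPTION KEY=VALUE [KEY=VALUE ...]
# Creates the secret, grants APP access to it, then sets OPTION to the secret
# URI: granting alone only permits access, it does not hand the application
# the secret. Prints the URI on success.
provision_user_secret() {
  if [ "$#" -lt 4 ]; then
    echo "usage: provision_user_secret NAME APP OPTION KEY=VALUE..." >&2
    return 2
  fi
  name=$1; app=$2; option=$3
  shift 3
  out=$(juju add-secret "$name" "$@")
  uri=$(secret_uri_from_output "$out")
  juju grant-secret "$uri" "$app"
  juju config "$app" "$option=$uri"
  printf '%s\n' "$uri"
}
```

Run it as `provision_user_secret dbpassword mysql db-password password=...`; the printed URI is what `juju show-secret` and `juju revoke-secret` later refer to.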

Given a model that contains both your (user) secret and the application(s) you want to grant access to, in your Terraform plan create a resource of the juju_access_secret type, specifying the model, the secret ID and the application(s) to grant access to. For example:

resource "juju_access_secret" "my-secret-access" {
  model = juju_model.development.name

  # Use the secret_id from your secret resource or data source.
  secret_id = juju_secret.my-secret.secret_id

  applications = [
    juju_application.app.name, juju_application.app2.name
  ]
}

See more: juju_access_secret (resource)

Given a model that contains both your (user) secret and the application(s) you want to grant access to, on a connected Model use the grant_secret() method, passing the name of the secret and the application name as arguments. For example:

await model.grant_secret('my-apitoken', 'ubuntu')

Similarly, you can use the revoke_secret() method to revoke access to a secret for an application.

await model.revoke_secret('my-apitoken', 'ubuntu')

See more: grant_secret(), revoke_secret(), Model (module)

Update a secret

This feature is opt-in because Juju automatically removing secret content might result in data loss.

To update a (user) secret, run the update-secret command followed by the secret ID and the updated (space-separated list of) key-value pair(s). For example:

juju update-secret secret:9m4e2mr0ui3e8a215n4g token=34ae35facd4

See more: juju update-secret

To update a (user) secret, update its resource definition from your Terraform plan.

To update a (user) secret, on a connected Model, use the update_secret() method, passing the name of the secret and the fields to update. You may pass data_args, new_name, file and info (check out the documentation for details). For example:

await model.update_secret(name='my-apitoken', new_name='new-token')

See more: update_secret(), Model (module)

Remove a secret

To remove all the revisions of a (user) secret, run the remove-secret command followed by the secret ID. For example:

juju remove-secret secret:9m4e2mr0ui3e8a215n4g

The command also allows you to specify a model or to provide a specific revision to remove instead of the default all.

See more: juju remove-secret

To remove a secret, remove its resource definition from your Terraform plan.

To remove a secret from a model, on a connected Model, use the remove_secret() method, passing the name of the secret as an argument. For example:

# Remove all the revisions of a secret
await model.remove_secret('my-apitoken')

# Remove revision 2 of a secret
await model.remove_secret('my-apitoken', revision=2)

See more: remove_secret(), Model (module)

Contributors: @anvial, @cderici, @kelvin.liu, @tmihoc, @tony-meyer, @wallyworld