What config files are needed for Juju to know where to connect to a model?

Hi,

I’ve been working on a POC for using Terraform at scale with Juju (i.e. something that would work for hundreds of models). I’m pulling secrets (e.g. sensitive data currently defined in juju config, not native juju secrets yet) from a Vault instance using Juju’s new Terraform provider and am pretty happy with progress so far - it’s all working as expected.

Having secrets stored this way is the first part of allowing us to run Terraform from different locations (e.g. trusted machines, service accounts that could provide workflow integration using something like Atlantis). The second part is storing Terraform state in an s3-like container, which will come next in my POC.

However, now that we have integration with Vault from the place we’re running Terraform, it seems like it would make sense to me to store details in Vault about how to connect to the Juju model that you want Terraform to interact with. This way, the workflow could be that you simply authenticate to Vault, pull down secrets and the details about where and how to connect to the Juju model, and now your terraform plan/terraform apply could be run from wherever you want.

So my question is, what values/files would be needed to do this? Is it the entirety of ~/.local/share/juju/{accounts,controllers,models}.yaml or some subset? We should assume that the client in question has no initial state and we would need to sudo snap install juju and then create/update whatever config files are needed to allow it to interact with a particular Juju model. Or maybe there’s a better way to do this than storing/copying credentials? I took a look at juju credentials but that doesn’t seem to work as expected in the particular case I’m looking at, even though juju status works fine:

$ juju credentials
ERROR cloud credentials for "stg-events" not found (not found)
No credentials from any controller to display.

Thanks, Tom