How to manage secret backends¶
See also: Secret backend
Starting with Juju 3.1.0, you can also manage secret backends in a number of ways.
Configure a secret backend¶
To configure a secret backend, create a configuration YAML file with configurations supported by your chosen backend type. Below we create a minimal configuration file for a backend type vault, so we name the file vault_config.yaml and specify the API endpoint and the access token.
Important
Currently this is possible only for vault.
Caution
A minimal vault backend configuration as below is not secure. For production you should configure your vault backend securely by specifying further configuration keys, following the upstream Vault documentation.
cat > vault_config.yaml <<EOF
endpoint: http://10.0.0.1:8200
token: s.eujhj
EOF
That’s it. You can now start using this backend by adding it to a model.
See more: Configuration options
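The caution above can be turned into a pre-flight check on the configuration file. The script below is an added example, not part of Juju or of its documentation: it inspects only the endpoint and token keys shown above plus the file's permissions, and the function names cfg_value and lint_vault_config are hypothetical.

```shell
#!/bin/sh
# Added example: lint a vault backend config file before passing it to
# `juju add-secret-backend ... --config`. Only the keys shown on this page
# (endpoint, token) and the file's permissions are checked.

# Print the value of a top-level "key: value" line, without quotes.
cfg_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 |
        tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# lint_vault_config FILE: print findings; exit status = number of findings.
lint_vault_config() {
    file=$1
    findings=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    endpoint=$(cfg_value endpoint "$file")
    case $endpoint in
        https://*) ;;
        http://*)
            echo "endpoint is plain HTTP: the token travels unencrypted"
            findings=$((findings + 1)) ;;
        *)
            echo "endpoint is missing or not an http(s) URL"
            findings=$((findings + 1)) ;;
    esac

    if [ -z "$(cfg_value token "$file")" ]; then
        echo "token is missing"
        findings=$((findings + 1))
    fi

    # Characters 5-10 of `ls -l` are the group and other permission bits;
    # the file holds the token in clear text, so they should all be "-".
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "file is accessible to group/other: chmod 600 $file"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed copy of the minimal config from this page.
demo=$(mktemp)
printf 'endpoint: http://10.0.0.1:8200\ntoken: s.eujhj\n' > "$demo"
chmod 644 "$demo"
lint_vault_config "$demo" || echo "findings: $?"
rm -f "$demo"
```

A clean result only covers these three checks; the further keys needed for a production backend are described in the upstream Vault documentation.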
Add a secret backend to a model¶
To add a secret backend to a model, run the add-secret-backend command followed by your desired name and type for the backend, as well as any relevant options:
juju add-secret-backend myvault vault token-rotate=10m --config /path/to/cfg.yaml
See more: juju add-secret-backend, Secret backend
View all the secret backends available on a controller¶
To view all the backends available in the controller, run the secret-backends command:
juju secret-backends
Sample output:
Backend    Type        Secrets  Message
internal   controller  134
foo-local  kubernetes  30
bar-local  kubernetes  30
myvault    vault       20       sealed
The command also has options that allow you to filter by a specific controller, set an output format or an output file, or reveal sensitive backend config content.
See more: juju secret-backends
View all the secret backends active in a model¶
To see all the secret backends in use on a model, use the show-model command. Beginning with Juju 3.1, this command also shows the secret backends (though you might have to scroll down to the end).
juju show-model
Sample output:
mymodel:
  name: admin/mymodel
  short-name: mymodel
  model-uuid: deadbeef-0bad-400d-8000-4b1d0d06f00d
  model-type: iaas
  controller-uuid: deadbeef-1bad-500d-9000-4b1d0d06f00d
  controller-name: kontroll
  owner: admin
  cloud: aws
  region: us-east-1
  type: ec2
  life: alive
  status:
    current: available
  users:
    admin:
      display-name: admin
      access: admin
      last-connection: just now
  machines:
    "0":
      cores: 0
    "1":
      cores: 2
  secret-backends:
    myothersecrets:
      status: active
      secrets: 6
    mysecrets:
      status: draining
      secrets: 5
See more: juju show-model
Change the secret backend to be used by a model¶
To change the secret backend to be used by a model, use the model-config command with the secret-backend key configured to the name of the secret backend that you want to use, for example, myothersecrets:
juju model-config secret-backend=myothersecrets
After the switch, any new secret revisions are stored in the new backend. Existing revisions continue to be read from the old backend.
See more: Configure a model, model-config-secret-backend
View details about a secret backend¶
To view details about a particular secret backend, use the show-secret-backend command followed by the name of the secret backend. For example, for a secret backend called myvault, do:
juju show-secret-backend myvault
By passing various options you can also specify a controller, an output format, an output file, or whether to reveal sensitive information.
See more: juju show-secret-backend
Update a secret backend¶
To update a secret backend on the controller, run the update-secret-backend command followed by the name of the secret backend. Below we update the backend by supplying a configuration from a file:
juju update-secret-backend myvault --config /path/to/cfg.yaml
See more: juju update-secret-backend
Remove a secret backend¶
To remove a secret backend, use the remove-secret-backend command followed by the backend name:
juju remove-secret-backend myvault
See more: juju remove-secret-backend