Sharing secrets via ACLs
Normally, a Barbican secret is only available to the OpenStack API user that created it. However, under some circumstances it may be desirable to make a secret available to another user.
To do so, you will need:
- the secret’s URI,
- the other user’s OpenStack API user ID.
Any Cleura Cloud user can always retrieve their own user ID with the following command:
openstack token issue -f value -c user_id
Once you have assembled this information, you can proceed with the openstack acl user add command:
openstack acl user add \
  --user <user_id> \
  --operation-type read \
  https://region.citycloud.com:9311/v1/secrets/<secret_id>
If you want to unshare the secret again, you simply use the openstack acl user remove command:
openstack acl user remove \
  --user <user_id> \
  --operation-type read \
  https://region.citycloud.com:9311/v1/secrets/<secret_id>
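
The share and unshare steps above can be wrapped so that a malformed URI or a leftover placeholder is rejected before any ACL is changed, and the resulting ACL is printed for confirmation with openstack acl get. This is an added example, not part of the original page; the function names and the user ID pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): grant or revoke read access
# to a Barbican secret, validating input first and showing the ACL afterwards.

# An https secret reference whose last path element is a UUID.
SECRET_REF_RE='^https://[^/ ]+/v1/secrets/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'

# Rejects http:// URIs, container or order URIs, and an unfilled "<secret_id>".
valid_secret_ref() {
    printf '%s\n' "$1" | grep -Eq "$SECRET_REF_RE"
}

# Assumption: user IDs consist only of letters, digits, "_" and "-".
# This rejects an empty value and an unfilled "<user_id>".
valid_user_id() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# usage: secret_acl add|remove <user_id> <secret_uri>
secret_acl() {
    action=$1 user_id=$2 secret_ref=$3
    case "$action" in
        add|remove) ;;
        *) echo "action must be add or remove" >&2; return 2 ;;
    esac
    valid_user_id "$user_id" ||
        { echo "refusing user ID: $user_id" >&2; return 2; }
    valid_secret_ref "$secret_ref" ||
        { echo "refusing secret URI: $secret_ref" >&2; return 2; }

    # Same command as in the text; only the read operation is touched.
    openstack acl user "$action" \
        --user "$user_id" \
        --operation-type read \
        "$secret_ref" || return 1

    # Print the ACL as it now stands so the change can be confirmed.
    openstack acl get "$secret_ref"
}
```

Source the file and call, for example, secret_acl add "$(openstack token issue -f value -c user_id)" followed by the secret's URI; a non-zero return status means nothing was changed or the ACL update failed.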