Overview
By default, secrets and containers are private to the project that created them. ACLs grant specific users read access to secrets and containers across project boundaries, enabling secure credential sharing without exposing the payload itself.
Prerequisites
- An active Xloud account with appropriate permissions
- Access to the Xloud Dashboard (https://connect.<your-domain>) or CLI configured with credentials
- API credentials sourced (source admin-openrc.sh)
ACL Concepts
| Concept | Description |
|---|---|
| read | Allows the grantee to retrieve the secret payload or container contents |
| per-user ACL | Grants access to specific user IDs — most restrictive and recommended for sensitive secrets |
| project-access | Grants all users in the secret’s own project read access — use only for non-sensitive shared config |
View Current ACL
Show ACL on a secret
Show ACL on a container
Grant Access
Dashboard
Navigate to Project → Key Manager → Secrets, select a secret, and click the Access Control tab. Click Add ACL to grant access to a specific user.
| Field | Description |
|---|---|
| Operation | read — allows the user to retrieve the secret payload |
| Users | Xloud user IDs to grant the permission |
| Project Access | Toggle to grant all users in the secret’s project read access |
Revoke Access
Revoke all ACL entries on a secret
Update ACL to remove a specific user
openstack acl submit replaces the entire ACL. To remove one user, resubmit the ACL with only the users that should retain access. There is no append/remove operation.
Find Your User ID
Get the current user's ID
Look up another user's ID (admin)
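The replace-only behaviour of openstack acl submit described under Revoke Access, as an added example that is not part of the Xloud documentation: the helper takes the user IDs currently on a secret's ACL, drops the one being revoked, and prints the replacement command for review instead of running it. The secret reference and user IDs are constructed placeholders, and the `--user` flag is assumed to behave as in the upstream OpenStack key manager client.

```shell
#!/bin/sh
# Added example: build the replacement ACL for a secret minus one user.
# All user IDs and the secret reference are constructed placeholders.
# Assumption: user IDs contain no whitespace.

# Print every current user ID except the one being revoked, one per line.
acl_retained_users() {
    revoke="$1"; shift
    for u in "$@"; do
        if [ "$u" != "$revoke" ]; then printf '%s\n' "$u"; fi
    done
}

# Print the full "openstack acl submit" command that keeps everyone but $2.
# Returns 2 if the user is not on the ACL (nothing to revoke) and 3 if no
# user would remain (use the "Revoke all ACL entries" step instead).
acl_submit_without() {
    secret_ref="$1"; revoke="$2"; shift 2
    found=0
    for u in "$@"; do
        if [ "$u" = "$revoke" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "user $revoke is not on the ACL; nothing to revoke" >&2
        return 2
    fi
    retained=$(acl_retained_users "$revoke" "$@")
    if [ -z "$retained" ]; then
        echo "no users would remain; revoke all ACL entries instead" >&2
        return 3
    fi
    cmd="openstack acl submit"
    for u in $retained; do
        cmd="$cmd --user $u"
    done
    printf '%s %s\n' "$cmd" "$secret_ref"
}

# Dry run with constructed values: prints the command, does not execute it.
acl_submit_without "https://<key-manager-endpoint>/v1/secrets/<secret-uuid>" \
    user-id-bob user-id-alice user-id-bob user-id-carol
```

Because each submit overwrites the whole ACL, re-read the ACL immediately before building the command so that a grant made by someone else in the meantime is not silently dropped.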
Next Steps
- Store Secrets: Create secrets before configuring ACL access
- Containers: Apply ACLs at the container level for grouped secret access
- Troubleshooting: Resolve 403 errors and ACL propagation issues
- Key Manager Admin Guide: Configure platform-wide access policies and quotas