# Secret Access Control (ACL)

> Configure ACLs on secrets and containers in Xloud Key Manager to grant per-user and per-project access without sharing credentials.

## Overview

By default, secrets and containers are private to the project that created them. ACLs
grant specific users read access to secrets and containers across project boundaries,
enabling controlled credential sharing without copying the payload out of Key Manager.

<Note>
  **Prerequisites**

  * An active Xloud account with appropriate permissions
  * Access to the **Xloud Dashboard** or CLI configured with credentials
  * API credentials sourced (`source openrc.sh`)
</Note>

***

## ACL Concepts

| Concept            | Description                                                                                         |
| ------------------ | --------------------------------------------------------------------------------------------------- |
| **read**           | Allows the grantee to retrieve the secret payload or container contents                             |
| **per-user ACL**   | Grants access to specific user IDs — most restrictive and recommended for sensitive secrets         |
| **project-access** | Grants all users in the secret's own project read access — use only for non-sensitive shared config |

***

## View Current ACL

```bash title="Show ACL on a secret" theme={null}
openstack acl get <secret-href>
```

```bash title="Show ACL on a container" theme={null}
openstack acl get <container-href>
```

***

## Grant Access

<Tabs>
  <Tab title="Dashboard" icon="gauge">
    Navigate to **Key Manager > Secrets**, select a secret, and click the
    **Access Control** tab. Click **Add ACL** to grant access to a specific user.

    | Field              | Description                                                   |
    | ------------------ | ------------------------------------------------------------- |
    | **Operation**      | `read` — allows the user to retrieve the secret payload       |
    | **Users**          | Xloud user IDs to grant the permission                        |
    | **Project Access** | Toggle to grant all users in the secret's project read access |
  </Tab>

  <Tab title="CLI" icon="terminal">
    ```bash title="Grant read access to a specific user" theme={null}
    openstack acl submit \
      --user <user-id> \
      --operation read \
      <secret-href>
    ```

    ```bash title="Grant project-wide read access" theme={null}
    openstack acl submit \
      --project-access \
      <secret-href>
    ```

    ```bash title="Grant access to multiple users" theme={null}
    openstack acl submit \
      --user <user-id-1> \
      --user <user-id-2> \
      --operation read \
      <secret-href>
    ```

    <Warning>
      Granting `--project-access` makes the secret readable by all users in the project.
      Reserve this setting for non-sensitive shared configuration. Use per-user ACLs for
      credentials, private keys, and certificates.
    </Warning>
  </Tab>
</Tabs>

***

## Revoke Access

```bash title="Revoke all ACL entries on a secret" theme={null}
openstack acl delete <secret-href>
```

```bash title="Update ACL to remove a specific user" theme={null}
openstack acl submit \
  --user <remaining-user-id> \
  --operation read \
  <secret-href>
```

<Note>
  `openstack acl submit` replaces the entire ACL. To remove one user, resubmit the ACL
  with only the users that should retain access. There is no append/remove operation.
</Note>
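Because `openstack acl submit` replaces the whole ACL, the Grant Access and Revoke Access procedures above are safest as a read-modify-write: fetch the current grantees, adjust the list, resubmit. The following Python is added here as an example and is not part of Xloud's documentation or tooling. It models that flow offline against the Barbican ACL JSON shape (`{"read": {"users": [...], "project-access": bool}}`, as returned by `GET <secret-href>/acl`); the sample response, the user IDs and the `sensitive` flag are constructed, and `submit_command` only renders the CLI line shown on this page rather than calling the API.

```python
"""Read-modify-write helper for Key Manager secret ACLs.

Added example (not part of the Xloud docs). Because `openstack acl submit`
replaces the whole ACL, removing one grantee safely means fetching the
current ACL, dropping that one user, and resubmitting the rest. The JSON
shape below is the Barbican ACL representation; the sample response and
all user IDs are constructed.
"""
import json
from dataclasses import dataclass
from typing import List

# Constructed: what GET <secret-href>/acl returns for a secret shared with two users.
SAMPLE_ACL_RESPONSE = json.dumps({
    "read": {
        "users": ["user-aaaa0001", "user-bbbb0002"],
        "project-access": False,
        "created": "2024-01-01T00:00:00",
        "updated": "2024-01-02T00:00:00",
    }
})


@dataclass(frozen=True)
class ReadAcl:
    """The `read` operation of a secret or container ACL."""
    users: tuple = ()             # user IDs with read access, in stable order
    project_access: bool = False  # True: every user in the owning project can read

    @classmethod
    def from_api(cls, body: dict) -> "ReadAcl":
        read = body.get("read", {})
        # dict.fromkeys de-duplicates while preserving order
        return cls(users=tuple(dict.fromkeys(read.get("users", []))),
                   project_access=bool(read.get("project-access", False)))

    def to_api(self) -> dict:
        """Body for PUT <secret-href>/acl; timestamps are server-owned and omitted."""
        return {"read": {"users": list(self.users), "project-access": self.project_access}}


def load_acl(response_text: str) -> ReadAcl:
    """Parse the raw JSON text of a GET .../acl response."""
    return ReadAcl.from_api(json.loads(response_text))


def grant_users(acl: ReadAcl, *user_ids: str) -> ReadAcl:
    """Return a new ACL that also lets `user_ids` read; existing grantees are kept."""
    merged = dict.fromkeys(acl.users)
    merged.update(dict.fromkeys(user_ids))
    return ReadAcl(users=tuple(merged), project_access=acl.project_access)


def revoke_user(acl: ReadAcl, user_id: str) -> ReadAcl:
    """Return a new ACL without `user_id`.

    Raises ValueError if the user was never granted: a revoke that silently
    does nothing (for example a mistyped ID) would leave the access in place.
    """
    if user_id not in acl.users:
        raise ValueError(f"{user_id} has no read grant on this secret")
    return ReadAcl(users=tuple(u for u in acl.users if u != user_id),
                   project_access=acl.project_access)


def audit(acl: ReadAcl, sensitive: bool) -> List[str]:
    """Findings a reviewer would want before resubmitting the ACL.

    `sensitive` is a constructed flag for credentials, private keys and
    certificates, for which this page recommends per-user grants only.
    """
    findings = []
    if sensitive and acl.project_access:
        findings.append("project-access enabled on a sensitive secret; use per-user grants")
    return findings


def submit_command(acl: ReadAcl, secret_href: str) -> str:
    """The `openstack acl submit` line equivalent to `acl`, in the syntax used on this page."""
    parts = ["openstack acl submit"]
    parts += [f"--user {u}" for u in acl.users]
    if acl.project_access:
        parts.append("--project-access")
    if acl.users:
        parts.append("--operation read")
    parts.append(secret_href)
    return " ".join(parts)


if __name__ == "__main__":
    current = load_acl(SAMPLE_ACL_RESPONSE)
    updated = revoke_user(current, "user-aaaa0001")
    print(json.dumps(updated.to_api()))
    print(submit_command(updated, "<secret-href>"))
    print(audit(ReadAcl(project_access=True), sensitive=True))
```

Run as a script it prints the PUT body and the equivalent `openstack acl submit` line for removing one of two grantees; in practice you would feed `from_api` the live GET response and send `to_api()` back with PUT, or paste the rendered command into the CLI flow above.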

***

## Find Your User ID

```bash title="Get the current user's ID" theme={null}
openstack token issue -c user_id -f value
```

```bash title="Look up another user's ID (admin)" theme={null}
openstack user show <username> -c id -f value
```

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Store Secrets" href="/services/key-manager/store-secrets" color="#197560">
    Create secrets before configuring ACL access
  </Card>

  <Card title="Containers" href="/services/key-manager/containers" color="#197560">
    Apply ACLs at the container level for grouped secret access
  </Card>

  <Card title="Troubleshooting" href="/services/key-manager/troubleshooting" color="#197560">
    Resolve 403 errors and ACL propagation issues
  </Card>

  <Card title="Key Manager Admin Guide" href="/services/key-manager/admin-guide" color="#197560">
    Configure platform-wide access policies and quotas
  </Card>
</CardGroup>
