Overview

Secrets are the fundamental resource in Xloud Key Manager. Each secret stores an encrypted payload with type metadata. Secrets are referenced by UUID and are never returned in plain text outside of an explicit retrieve operation.

Prerequisites

  • An active Xloud account with appropriate permissions
  • Access to the Xloud Dashboard (https://connect.<your-domain>) or CLI configured with credentials
  • API credentials sourced (source admin-openrc.sh)

Secret Types

Type | Use Case | Content Type
symmetric | AES encryption keys (AES-128, AES-256) | application/octet-stream
public | RSA or EC public keys | application/pkix-cert
private | RSA or EC private keys | application/pkcs8
passphrase | Passwords and API tokens | text/plain
certificate | X.509 certificates | application/pkix-cert
opaque | Arbitrary binary or text data | Any

Create a Secret

1. Navigate to Key Manager

Log in to the Xloud Dashboard (https://connect.<your-domain>) and navigate to Project → Key Manager → Secrets. Click Create Secret.

2. Configure secret details

Field | Description
Name | Human-readable identifier for the secret
Secret Type | Select the type appropriate for your payload
Payload | The secret value — entered in the text area
Content Type | MIME type of the payload
Expiration | Optional ISO 8601 timestamp after which the secret expires

The secret payload is displayed only at creation time. After the dialog closes, the payload cannot be retrieved through the Dashboard — use the CLI or API.

3. Save the secret

Click Create Secret. The secret appears in the list with its UUID.
The secret appears in the Secrets list with status Active.

Retrieve a Secret

List secrets
openstack secret list
Show secret metadata (no payload)
openstack secret show <secret-href>
Retrieve secret payload
openstack secret get <secret-href> --payload
Treat retrieved payloads with the same care as any plaintext credential. Do not log them, store them in environment variables without restriction, or pipe them to commands that might expose the value in process listings.

Update and Delete Secrets

openstack secret update <secret-href> --name new-name
Deleting a secret is permanent. If the secret is referenced by containers, Load Balancer listeners, or other services, those references will break immediately. Update all references before deleting.

Set Secret Expiration

Secrets can have an expiration date after which they are automatically deleted:
Create a secret with expiration
openstack secret store \
  --name temp-api-key \
  --secret-type passphrase \
  --payload "temp-token-value" \
  --payload-content-type "text/plain" \
  --expiration "2025-12-31T23:59:59"
Set expiration dates on all temporary credentials and short-lived API tokens. Calendar reminders or external tracking are required — Key Manager does not send expiration alerts.
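
Because Key Manager does not send expiration alerts, the external tracking can be a scheduled check over secret metadata. The following is an added example, not part of the Xloud documentation or tooling: it classifies the output of openstack secret list -f json by expiration and never touches payloads. The column names ("Secret href", "Name", "Expiration") are assumed to match the upstream OpenStack client, naive timestamps are assumed to be UTC, and the sample listing and the names parse_expiration and audit_expirations are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `openstack secret list -f json` output (metadata only).
# Column names are assumed to match the upstream OpenStack client.
SAMPLE_LISTING = """[
 {"Secret href": "https://kms.example.test/v1/secrets/00000000-0000-0000-0000-000000000001",
  "Name": "temp-api-key", "Status": "ACTIVE", "Expiration": "2025-12-31T23:59:59+00:00"},
 {"Secret href": "https://kms.example.test/v1/secrets/00000000-0000-0000-0000-000000000002",
  "Name": "old-token", "Status": "ACTIVE", "Expiration": "2025-01-15T00:00:00"},
 {"Secret href": "https://kms.example.test/v1/secrets/00000000-0000-0000-0000-000000000003",
  "Name": "tls-key", "Status": "ACTIVE", "Expiration": null},
 {"Secret href": "https://kms.example.test/v1/secrets/00000000-0000-0000-0000-000000000004",
  "Name": "long-lived", "Status": "ACTIVE", "Expiration": "2027-06-01T00:00:00+00:00"}
]"""


def parse_expiration(value):
    """Return an aware UTC datetime, or None when no expiration is set."""
    if value in (None, "", "None"):
        return None
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # assumption: naive timestamps are UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def audit_expirations(listing_json, now, warn_days=30):
    """Bucket secrets as expired, expiring, no-expiration or ok."""
    horizon = now + timedelta(days=warn_days)
    report = {"expired": [], "expiring": [], "no-expiration": [], "ok": []}
    for row in json.loads(listing_json):
        expires = parse_expiration(row.get("Expiration"))
        if expires is None:
            bucket = "no-expiration"
        elif expires <= now:
            bucket = "expired"
        else:
            bucket = "expiring" if expires <= horizon else "ok"
        report[bucket].append((row.get("Name"), row.get("Secret href"), expires))
    return report


if __name__ == "__main__":
    report = audit_expirations(SAMPLE_LISTING, datetime.now(timezone.utc))
    for bucket in ("expired", "expiring", "no-expiration"):
        for name, href, expires in report[bucket]:
            print(f"{bucket:14} {str(name):14} {expires or '-'} {href}")
```

The no-expiration bucket is worth reviewing as well, since it surfaces temporary credentials that were stored without an expiration date.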

Next Steps

  • Containers: Bundle secrets into named containers for TLS and key pair management
  • Certificates: Store and order TLS certificates using Key Manager
  • ACL: Control who can access your secrets
  • Troubleshooting: Resolve 403 errors, payload retrieval failures, and expired secret issues