> ## Documentation Index
> Fetch the complete documentation index at: https://docs.controlplane.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Secret

> Encrypted secret storage with 12 types: AWS, Azure SDK, Azure Connector, Docker, ECR, GCP, Dictionary, Keypair, Opaque, NATS Account, TLS, and Username & Password.

## Overview

Secrets are used to store strongly-encrypted information. All secrets can be injected into containers through the use of [environment variables](/reference/workload#environment-variables).

In addition to optionally being injected into containers as [environment variables](/reference/workload#environment-variables), secrets are also used for:

1. Image registry ([Docker](#docker), [ECR](#ecr), and [GCP](#google-cloud-platform-gcp)) pull secrets, enabling workloads in a [GVC](/reference/gvc) to pull images from private repositories.
2. Enabling Control Plane to manage policies in Azure, using the [Azure SDK](#azure-sdk) and [Azure Connector](#azure-connector) secret type.

<Note>
  A [workload identity](/reference/identity) **MUST** be granted the [reveal permission](#reveal-permission) on a secret to have its value injected at runtime. If a workload has no identity assigned, it cannot access any secrets at runtime. An identity must be created, assigned to the workload, and granted the `reveal` permission on the target secret via a [policy](/reference/policy).
</Note>

## Create a Secret

For step-by-step instructions on creating secrets, see the [Create a Secret](/guides/create-secret/overview) guide.

## Secret Types

* [Amazon Web Services (AWS)](#amazon-web-services-aws)
* [Azure SDK](#azure-sdk)
* [Azure Connector](#azure-connector)
* [Docker](#docker)
* [Dictionary](#dictionary)
* [ECR](#ecr)
* [Google Cloud Platform (GCP)](#google-cloud-platform-gcp)
* [Keypair](#keypair)
* [Opaque](#opaque)
* [NATS Account](#nats-account)
* [TLS](#tls)
* [Username & Password](#username-and-password)

### Amazon Web Services (AWS)

The AWS secret type enables a [workload](/concepts/workload) to consume services from AWS. It is used in cases where an [identity](/reference/identity) isn't used.

For example, when an Org does not wish to create a [cloud account](/reference/cloudaccount), or to create cloud access policy as part of an [identity](/reference/identity) definition.

The recommended approach to consuming services from AWS is not to use a AWS secret, but rather to:

1. Create a [cloud account](/reference/cloudaccount).
2. Create an [identity](/reference/identity).
3. Defining a cloud access policy for the AWS account as part of the identity.

In cases where an Org wishes to not leverage the [identity](/reference/identity) feature, in order to use an AWS secret, simply read the secret from the environment variable and convey its set of values to AWS using any AWS API you wish.

The AWS secret schema consists of:

* Secret Key
* Access Key
* Role ARN (Optional)
* External ID (Optional)

For an existing AWS user, these values are obtained from the [AWS IAM Dashboard](https://console.aws.amazon.com/iam/home).

Refer to [these instruction](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) to create a new AWS IAM user in your AWS account.

### Azure SDK

* Used to store [Azure SDK](/reference/cloudaccount#azure-sdk) credentials.

* When creating a [Cloud Account using the Azure SDK](/reference/cloudaccount#azure-sdk), a JSON file is generated containing the credentials. This file is uploaded and automatically stored as an Azure-SDK secret.

* Sample Azure-SDK secret content:

  ```json JSON theme={null}
  {
    "subscriptionId": "2cd2674e-4f89-4a1f-b420-7a1361b46ef7",
    "tenantId": "292f5674-78b0-488b-9ff8-6d30d77f38d9",
    "clientId": "649746ce-d862-49d5-a5eb-7d5aad90f54e",
    "clientSecret": "CONFIDENTIAL"
  }
  ```

* If the client secret has been compromised or needs to be updated, the content of the secret can be updated using the console or CLI and will be used by the associated Cloud Accounts.

### Azure Connector

* Used to store [Azure Function App](/reference/cloudaccount#azure-connector) credentials.
* When creating a [Cloud Account using the Azure Connector](/reference/cloudaccount#azure-connector), the `deployment URL` and `code` will be saved.
* These values can be updated using the console or the [CLI](/cli-reference/commands/secret#secret-update).

### Docker

The Docker secret type is used when a [container](/reference/workload/containers) pulls an [image](/reference/workload#images) from a private Docker compatible repository, such as a Org's private repository at Control Plane, [Docker Hub](https://hub.docker.com/), [Azure Container Registry](https://docs.microsoft.com/en-us/azure/container-registry/) or [Google Artifact Registry](https://cloud.google.com/artifact-registry/docs).

An authorized user then assigns a secret of this type to a [GVC Pull Secret](/reference/gvc#pull-secrets).

[Workloads](/concepts/workload) in the [GVC](/reference/gvc) can then pull their image using the secret.

The contents of a Docker secret follows this syntax:

```json JSON theme={null}
{
  "auths": {
    "REPOSITORY_URL": {
      "username": "USERNAME",
      "password": "PASSWORD"
    }
  }
}
```

#### Control Plane

To create a Docker secret targeting a private repository hosted at Control Plane, a [Service Account](/reference/serviceaccount) at the source Org, bound with the [pull permission](/reference/image#pull) is required.

Example:

```json JSON theme={null}
{
  "auths": {
    "ORG_NAME.registry.cpln.io": {
      "username": "<token>",
      "password": "SERVICE_ACCOUNT_KEY"
    }
  }
}
```

<Note>
  The `username` is the literal string `<token>`.
</Note>

#### Docker Hub

To create a Docker secret targeting Docker Hub, a Docker username and password (which has permissions to pull the images) are required.

There are two ways to create the secret content:

1. `Username & Password` Keys

   Example:

   ```json JSON theme={null}
   {
     "auths": {
       "https://index.docker.io/v1/": {
         "username": "USERNAME",
         "password": "PASSWORD"
       }
     }
   }
   ```

2. `auth` Key

   * When using a password, the value of the `auth` key is the base64 encoded result of the string `USERNAME:PASSWORD`.

   Example:

   ```json JSON theme={null}
   {
     "auths": {
       "https://index.docker.io/v1/": {
         "auth": "BASE_64_ENCODING(USERNAME:PASSWORD)"
       }
     }
   }
   ```

   * When using a [Docker Access Token](https://docs.docker.com/docker-hub/access-tokens/), the value of the `auth` key is the base64 encoded result of the string `USERNAME:DOCKER_ACCESS_TOKEN`.

   Example:

   ```json JSON theme={null}
   {
     "auths": {
       "https://index.docker.io/v1/": {
         "auth": "BASE_64_ENCODING(USERNAME:DOCKER_ACCESS_TOKEN)"
       }
     }
   }
   ```

<Tip>
  When performing the base64 encoding, remember to include the colon ( : ) when concatenating the username and password/token.

  The `base64` utility can be used to easily encode the string.

  Example: `echo -n USERNAME:PASSWORD | base64`
</Tip>

#### Azure Container Registry

To create a Docker secret targeting the [Azure Container Registry](https://docs.microsoft.com/en-us/azure/container-registry/), the following properties are required:

* Repository URL
* Service Principal ID
* Password

An `Azure Service Principal` is recommended as the identity used to pull images.

Refer to this [article](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal) to create an Azure Service Principal that only has the pull permission.

* The format of the repository URI is: `REGISTRY_NAME.azurecr.io` and can be obtained from the `Azure Container Registry` section of the [Azure Portal](https://portal.azure.com/).
* The USERNAME is the ID GUID of the Service Principal (e.g., ed0a30b4-5cd0-44af-864a-cf825b0ceeb6).
* The PASSWORD is generated when creating the Service Principal. **By default, the password expires after 1 year.**

<Tip>
  To increase the expiration length of the password, use the `--years` flag when running the `az ad sp create-for-rbac` command during the creation of a Service Principal.
</Tip>

Example:

```json JSON theme={null}
{
  "auths": {
    "REGISTRY_NAME.azurecr.io": {
      "username": "APP_ID",
      "password": "PASSWORD"
    }
  }
}
```

#### Google Artifact Registry

To create a Docker secret targeting [Google Artifact Registry](https://cloud.google.com/artifact-registry/docs), the following property is required:

* Base64-encoded service account JSON key

A Docker secret using a base64-encoded service account JSON key is recommended, alternatively a GCP secret containing the service account JSON is still supported but deprecated and should be avoided.

* The format of the repository URI is: `LOCATION-docker.pkg.dev` where `LOCATION` is the repository’s region chosen at creation.
* The **USERNAME** must be `_json_key_base64`.
* The **PASSWORD** is the base64-encoded service account JSON key.

Example:

```json JSON theme={null}
{
  "auths": {
    "LOCATION-docker.pkg.dev": {
      "username": "_json_key_base64",
      "password": "BASE64_ENCODED_SERVICE_ACCOUNT_JSON"
    }
  }
}
```

#### GitHub Container Registry

To create a Docker secret targeting GitHub, a GitHub [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) (which has the `read:packages` scope) is required.

Example:

```json JSON theme={null}
{
  "auths": {
    "ghcr.io": {
      "username": "controlplane",
      "password": "PERSONAL_ACCESS_TOKEN"
    }
  }
}
```

### Dictionary

* Used to securely store key/value pairs that can be used by a [workload's environment variables](/reference/workload#environment-variables).
* Multiple key/value pairs can be added to a single dictionary secret.

### ECR

The Elastic Container Registry (ECR) secret type is used when a [workload](/concepts/workload) pulls a container image from a private AWS ECR repository.

This secret type is used when configuring a [GVC's Pull Secret](/reference/gvc#pull-secrets). [Workloads](/concepts/workload) that are connected to that [GVC](/reference/gvc) will have access to the secret when pulling the image.

The ECR secret consists of:

* AWS Secret Key
* AWS Access Key
* AWS Role ARN (Optional; This role will be assumed after authentication with the IAM user’s programmatic access)
* ECR Repository URIs (e.g., AWS\_ACCOUNT\_ID.dkr.ecr.REGION.amazonaws.com/REPO\_NAME)
* External ID (Optional)

<Tip>Multiple repositories can be added to the same ECR secret.</Tip>

To obtain the keys required to create an ECR secret from the [AWS IAM Dashboard](https://console.aws.amazon.com/iam/home):

1. Add a new IAM User with programmatic access.
2. Create an Access Token for the new user and take note/download the secret and access key.
3. Create a new IAM Policy for the `Elastic Container Registry` service with the `Read` action on the specific repositories.
4. Attach the new IAM Policy to the new IAM User.
5. Optionally, impersonate the IAM user with its credentials and try to pull an image locally as described [here.](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)
6. Create the ECR secret using either the [UI Console](https://console.cpln.io) or [CLI](/cli-reference/commands/secret#secret-create-ecr).

#### Amazon ECR Helper Links

* [ECR Dashboard](https://us-west-2.console.aws.amazon.com/ecr/repositories)
* [Private registry concepts](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html)

### Google Cloud Platform (GCP)

* Similar to a [Docker](#docker) and [ECR](#ecr) secret, a GCP secret is used when a [workload](/concepts/workload) pulls a container image from a private `Google Container Registry` (deprecated). For new deployments, use [`Google Artifact Registry`](#google-artifact-registry).
* This secret type is used when configuring a [GVC Pull Secret](/reference/gvc#pull-secrets). [Workloads](/concepts/workload) that are connected to that [GVC](/reference/gvc) will have access to the secret when pulling the image.
* Using the UI, the secret JSON text can be in a file that is uploaded or pasted into the textbox.
* Below is a sample of a GCP secret. The values can be obtained from your GCP account.

```json JSON theme={null}
{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "PRIVATE_KEY_ID",
  "private_key": "PRIVATE_KEY_CERTIFICATE",
  "client_email": "CLIENT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "X509_CERTIFICATE_URL"
}
```

### Keypair

* Used to securely store a keypair that can be used by a [workload's environment variables](/reference/workload#environment-variables).
* A keypair secret consists of:
  * Secret key
  * Public key
  * Passphrase (required if the secret key is encrypted)
* Using the UI, the secret and public key text can be in a file that is uploaded or pasted into the textbox.
* The keys will be validated and the secret will only be created or updated if they are valid PEM-encoded certificates.

<Accordion title="Sample Key Pair">
  **Sample secret key:**

  ```text theme={null}
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,9A26BB15304B18E7

  ZdBgMExsvIJEsIFDMQ02xh4nDnhXEGUNu7LiWIZjn9WS6QB2jApyOFOBWmp0lK6L
  dIJ+Mb8wMeHtkiKS6ZbYeea8M29kwEejZRnKl1Wq0EFycdwbONtbcbjzF+tQGEBT
  gQQgkY7wjDWl8HwjFEA+NUuitzi6uI2xWlQpFdUrmqJAZCbxNFa0aM8nW6jnitvP
  616ps3HjLnWCjoyqS4hWxiWmt+VE3KruPnUVVV7bWlzc6jnoZcSaeqeaoQrNKguH
  te2iBIMdY/uldb7Ik2Kxr2+kBRmV4YNkp1EelNi/m39VcoUHJLk1jLldzuINhbi2
  IRqYZe4EEMSYdb3TkSosXa64Sz7jMBz5AxlA0n78FKlB9G5FAxaXcVYNQIlvzCbw
  uXPbQd/UYKUuEI1Yn8OmGBN5xcOdgWz8hfyxA2Hq1tmo1XN6snavGe7TKbZd70N+
  1yFbclB2T1z8fPcLwUZUxOl4g2DoMMHIzCSPaIe/otT8389k4H6hEulLis4lW0p3
  qopL5kdpxmSGgXsX6q6CUFb/0cw9HskNT3zbzKLx2MzjFCo93IB07UxPwkCD2kb1
  sLKMcpTC8a0vLaTVNYgDX7wW/YjBrCokaqk0z1whuN6iSReOtvmu5ybrq1Ksg8UQ
  yvCSScM/+muKi+gbEOskQs4Ph3ZLHqAX3/XYoyBcFnPNxVHTIa5Dcju6h5gl1/uY
  6tkRsHDr0Lzy8pd6jjf/ApPf9ypCuxKUO1q8PzPg2E4bmEFxc8zOB2NLvfPgFrUR
  0Sbkapv/6x6nNRw75cu69c5we/atip6wst8J1MSU0fTqb6bZ3TF2pDyNEOkdkvoZ
  YZ0r3hUytdT0pImoDLKoyy17mtHLLApzHyIgmR3cqtSt07ncmC5lyEBcZBrQXMa8
  aZeOr8iUWQE/q+4BvoxeKsOD6ttKuFnrgl0rmMnYQsSyLJOPizrU4L1d1HMIKswm
  iW+Rg7xlWmQg95m8XEWTjAb3tuNz/tGXC7Qa88HvC7YfyG69yM61oPsT83YnxcBT
  C/X67lSFTYguFa3HgDZpjGq7Hc/Q7nhaoqNMEs01O6jbcmrue8IIa2FH1tTwPN0W
  D7JefjCQjEghue2mjc0fovOGe9A9jvWf+gJHF3vRtFa67uQiQxge9zUzpHyVNpOj
  Ve0y0HvibNTd6TSCArctJpIcwpjO3MTT5LBJ1p/8v4b4+knEKD2c69jumNbKGbWr
  Wjq39M/MGNUO5SbZMO3gFCt6fgtXkOktH9pJ9iOQpYKgl7QTe2qQygfWkIm0EZRN
  6EaQdNNKgENWicpKyKQ4BxoY1LYAHFHJ95VisLf3KmmOF5MwajADZQT/yth3gvht
  xx21b9iudcgq/CRccSvfIPIWZKi6oaqNIXK+E3DQd40TUopLsBWzacTZn9maSZtW
  RyAY1TkRn1qDR2soyhBcihrX5PZ83jnOlM3XTdfF1784g8zB9ooDnK7mUKueH1W3
  hWFADMUF7uaBbo5EZ9sE+dFPzWPJLhu2j67a1iHmByqEvFY64lzq7VwwU/GE8JdA
  85oEkhg1ZEPJp3OYTQfPI/CC/2fc93Exf6wmaXuss8AHehuGcKQniOZmFOKOBprv
  -----END RSA PRIVATE KEY-----
  ```

  **Sample public key:**

  ```text theme={null}
  -----BEGIN PUBLIC KEY-----
  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrVyExI0uvRmwCAKFHiv
  baAcPMcKJDa6f6TtaVo2p8jyfEhVwDTmR3FUrDDZAjh0Q8G/Up8Ob3+IJafNymCO
  BhUKou+8ie7guqsbU9JrT0Zos1k/pd0aVfnAR0EpW3es/7fdkWUszU0uweeEj22m
  XMlLplnqqoYOGAhuNMqGsZwBr36Bxq9EeB2O79QsAFDNkPVg7xIaYKn32j69o0Zr
  ryYI8xqOYYy5Dw6CX+++YYLYiR/PkLYJTVAsxXeqyltCfb3Iv7vN5HrfoYBhndr3
  NxBPkcIJZeh3Z+QzfJ5U+bB5fP/aOsEk5bPbtLzylj2KnOOM/ZxXJtOcu0xtJLd3
  XwIDAQAB
  -----END PUBLIC KEY-----
  ```

  **Passphrase:**

  ```text theme={null}
  cpln
  ```
</Accordion>

### Opaque

Opaque secrets are used to securely store any text.

When creating or updating an opaque secret, an option is available to perform a base64 decode at runtime.

To access the stored text, an [environment variables'](/reference/workload#environment-variables) value must be set to one of the following:

1. `cpln://secret/SECRET_NAME.payload`

   * If the option to perform a base64 decode at runtime is enabled, the decoded value will be returned.

2. `cpln://secret/SECRET_NAME` (without the .payload)

   * If the option to perform a base64 decode at runtime is enabled, the `encoding` property will be set to `base64`. It is the responsibility of the user to perform the base64 decode.

   Example values returned:

   `base64: "{\"payload\":\"VGhpcyBpcyBhbiBvcGFxdWUgaW4gYmFzZTY0\",\"encoding\":\"base64\"}"`

   `plain text: "{\"payload\":\"This is an opaque secret in plain text\",\"encoding\":\"plain\"}"`

### NATS Account

* Used to store NATS Account credentials.
* A NATS Account secret consists of:
  * Account ID
  * Private Key
* These properties will be validated and the secret will only be created or updated if they are valid.

### TLS

* Used to securely store a Transport Layer Security (TLS) secret that can be used by a [workload's environment variables](/reference/workload#environment-variables).
* A TLS secret consists of a:
  * Key
  * Certificate
  * Chain Certificate (optional if the certificate is self-signed or not part of the installed root certificates)
* Using the UI, the secret can be in a file that is uploaded or pasted into the textbox.
* The certificates will be validated and the secret will only be created or updated if they are valid PEM-encoded certificates

<Accordion title="Sample TLS">
  **Sample key:**

  ```text theme={null}
  -----BEGIN PRIVATE KEY-----
  MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzN2jRf9ouoF4
  XG0eUxcc4f1sP8vhW1fQXjun3cl0RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvN
  rsl7U4iJIEcJL6vTqHY7jTGXQkd9yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWn
  pvg157mJ/u9qdyU+1h8DncES30FkPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88IN
  bBHLjxBQgwTu0vgMxN34b5z+esHraetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBi
  L2TeDrnEY6qP/ZoGuyyVnsT/6pHY/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/l
  jq0e1j69AgMBAAECggEAPGhrPZV4A2D/MlE9AhLMRYh7wd4w4tHiEWUOG0kank/g
  Zhc0iK5WQmbq31y34GXHhInsThpCs5AIYFh3HSXwjS2udsKRQKxmDjH4nzldp2uX
  3w9Aoiy29GP4wZoCyRBGUZxfH1cQhOazXgrBm6vbPZRldD4nMer0R+BIamWEsIYD
  YjDj1pT0noLUSeqoLmGxSQ4DNIBQVZB/T8ziMcEzl6bhprT0QrapJSyD2CtA8tH1
  Z8cyhmyE0CUvSkV4K2ecvVukWBJvrAYc6euPAnkS5LJrQotI5+3jJO2QawOlL6Uw
  rFWBpgBrCgbzquMRpDCQ/J9/GDYaZjim4YdonboBgQKBgQD7jx3CVnG4LDz198am
  spmPwKCW1ke6PhlG7zf3YR00xg9vPBYiy4obb1Jg6em1wr+iZ0dEt8fimeZXewBf
  LzlrR8T1Or0eLzfbn+GlLIKGKhn2pKB/i1iolkfIonchqXRk9WNx+PzjgUqiYWRC
  /1tH2BsODlVrzKL2lnbWKNIFdQKBgQDFOLedpMeYemLhrsU1TXGt1xTxAbWvOCyt
  vig/huyz4SQENXyu3ImPzxIxpTHxKhUaXo/qFXn0jhqnf0LfWI4nbQUbkivb5BPr
  KY9aj7XwwsY4MXW5C12Qi0lIwHOWCmfzvyS7TCMqnQb7sT4Mjmm4ydEbiI1TjlFJ
  D/RFxzcDKQKBgQCehPcJyZNrrWTU0sh5rz4ZWhdYNbuJXyxqiMBJwQa4hL6hJ8oD
  LyPeWe4daAmAIjLEUjSU1wK8hqKiKb54PLgAJH+20MbvyG14lm2Iul2d0dX+mIsT
  FGpQAjNF+Sr9KV1RaVi7L12ct5KidKDLn0KUKVgTKXEmtxNSNEq6dYqzKQKBgDI8
  zljzvnwSwNloIYgAYDK+FPGHU/Z8QrVHOQ1lmyn+8aO41DfeqZPeVW4b/GrII3QC
  HnqsWdJ32EZOXoRyFFPqq2BojY+Hu6MthPy2msvncYKi5q/qOz00nchQbaEMqYon
  aH3lWRfjxAGdFocwR7HwhrmSwR1FpWMNE1Yq9tJxAoGBANc0nZSy5ZlTiMWdRrTt
  gFc9N/jz8OL6qLrJtX2Axyv7Vv8H/gbDg4olLR+Io38M0S1WwEHsaIJLIvJ6msjl
  /LlseAW6oiO6jzhWEr0VQSLkuJn45hG/uy7t19SDuNR7W5NuEr0YbWd6fZEpR7RR
  S1hFKnRRcrVqA+HjWnZ//BGi
  -----END PRIVATE KEY-----

  ```

  **Sample certificate:**

  ```text theme={null}
  -----BEGIN CERTIFICATE-----
  MIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL
  BQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH
  DAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx
  EDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p
  bzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV
  UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL
  BgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv
  MR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB
  AQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0
  RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9
  yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk
  PsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr
  aetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY
  /BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud
  DgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9
  Ly8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr
  sDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4
  ChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD
  wAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M
  5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ
  YxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD
  u2ZCis/EwXsqRJPkIPnL
  -----END CERTIFICATE-----
  ```

  **Sample chain certificate:**

  ```text theme={null}
  None. The above key and certificate were self-signed.
  ```
</Accordion>

### Username & Password

* Used to securely store a username and password secret that can be used by a [workload's environment variables](/reference/workload#environment-variables).
* The secret consists of:
  * Username
  * Password
  * Encoding (Base64 / Plain Text)
* The secret will only be created or updated if the username and password are valid strings.

## Permissions

The permissions below are used to define [policies](/reference/policy) together with one or more of the four [principal types](/concepts/access-control):

| Permission | Description                                                         | Implies                                         |
| :--------- | :------------------------------------------------------------------ | :---------------------------------------------- |
| create     | Create new secrets                                                  |                                                 |
| delete     | Delete secrets                                                      |                                                 |
| edit       | Modify existing secrets                                             | view, reveal                                    |
| manage     | Full access                                                         | create, delete, edit, manage, reveal, use, view |
| reveal     | Reveal the plaintext of the secret                                  | view                                            |
| use        | Refer to this secret from other entities (gvcs, cloudaccounts, etc) | view                                            |
| view       | Read-only access excluding plaintext                                |                                                 |

## Reveal Permission

The plaintext of a secret can be viewed only if you or an [identity](/reference/identity) has the `reveal` permission.

For example, when using a secret as the value of an [environment variable](/reference/workload#environment-variables) for a container, the [identity](/reference/identity) assigned to the [workload](/concepts/workload) must have the `reveal` permission set on the assigned secret using a [policy](/reference/policy).

When configuring the [environment variable](/reference/workload#environment-variables), the value of the variable will be in the following format: `cpln://secret/SECRET_NAME`. The image running within the container will be able to access the plaintext of the secret by referring to the name of the configured [environment variable](/reference/workload#environment-variables).

## Use Permission

A secret is used with a:

* GVC's [pull secret](/reference/gvc#pull-secrets)
* Container's [environment variables](/reference/workload#environment-variables)
* Policy's [binding](/concepts/access-control#bindings)

To allow a non-administrator user the ability to use a secret with one of the above objects, the user must be granted the `use` permission.

For example, if the image assigned to a container belongs to a private Docker registry, a pull secret for that registry must be added to the associated GVC. The user that is configuring this application must have the `use` permission set on the secret (using a [policy](/reference/policy)) to be able to add it as a pull secret.

## Updating Secrets

If a secret value is updated, any workload referencing that secret will need to be redeployed.

## Access Report

Displays the permissions granted to principals for the secret.

## CLI

To view the CLI documentation for secrets, see the [Secret CLI reference](/cli-reference/commands/secret).