Comment 3 for bug 1716948

I am marking this report as a duplicate since we are now tracking progress on credential UX improvements through bug # 1735402.

Essentially, we have not cleanly disclosed that we have credentials stored in 2 different places.

There are credentials that Juju stores locally on a client machine and only uses for 'bootstrap' and 'add-model' when requested. Local credential storage is managed via these commands:

* 'add-credential' (creates a new credential locally on this client);
* 'add-credential --replace' (updates existing credential stored locally on this client);
* 'set-default-credential' (marks a locally stored credential as default for a specified cloud. This means that a user can run 'bootstrap' with just specifying a cloud and this credential will be picked up.);
* 'remove-credential' (deletes given credential from a local store on this client).

Then there are credentials that are stored on the controller once you bootstrap. These credentials are per user/per cloud; are used by models but are not currently visible. The only thing you, as a user, can do with these credentials is to update their content via 'update-credential' command. However, this command has limitations:

1. it's controller based. You must know what your credential is called and there is no means to find out what it is called on the controller. (There is work being done to fix that for 2.4, see the bug above);

2. it does not check that the new contents work for your model (as per 1);

3. you can only change the content of the credential that a model uses, you cannot replace model credential with another credential.

While we are working on changing the UX to be more friendly, the process on how to update model credential is neatly described in comment # 12 of this bug.