User secrets can be set in config without granting permission

Bug #2071746 reported by Tony Meyer
This bug affects 2 people
Affects: Canonical Juju
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

To use a user secret, the Juju admin must:

1. Create the user secret (`juju add-secret`)
2. Grant the relevant app access to the secret (`juju grant-secret`)
3. Pass the secret ID to the app (`juju config`).

It's easy to forget step 2, and if you do step 2 after step 3 then, since there is no 'secret-granted' event, the admin needs to prod the charm into knowing about the secret again, probably by doing `secret config --reset` and then step 3 again.

It would be less error-prone if Juju prevented the admin from doing this.

* `juju config` could refuse to set the value if permissions didn't exist; or
* `juju config` could implicitly (or explicitly with a prompt) grant the permissions

Ideally, there would also be a solution for the reverse case, where the secret is either removed or permissions are revoked by the admin. In both of these situations, the charm has no notification that this has happened, so has to wait until another event comes along to solve it (potentially being broken in the meantime, if the secret no longer works).

For example, `secret-remove` and `secret-revoke` could error (or warn?) if the secret is in an app's config, or could do a `config --reset` for that config option, or a config-changed event could be triggered (it already triggers for cases outside of the charm config anyway). Any of these would end up with the charm getting a config-changed event to let it handle the secret going away.

Tags: secrets
Ian Booth (wallyworld)
Changed in juju:
importance: Undecided → Wishlist
status: New → Triaged
tags: added: secrets
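
The three-step ordering from the bug description, wrapped so that `juju config` only runs after `juju grant-secret` has succeeded. This is an added example, not part of the report or of Juju; the function name `set_user_secret` and the app, option and secret names in the usage comment are hypothetical.

```shell
# Added example (not from the bug report): enforce create -> grant -> config.
# Usage (hypothetical names):
#   set_user_secret myapp token-secret my-token token=...
# Arguments after the secret name are passed to `juju add-secret` unchanged.
set_user_secret() {
    app=$1
    option=$2
    name=$3
    shift 3

    # Step 1: create the user secret; juju prints the secret URI on stdout.
    uri=$(juju add-secret "$name" "$@") || return 1
    case $uri in
        secret:*) ;;
        *)
            echo "unexpected add-secret output: $uri" >&2
            return 1
            ;;
    esac

    # Step 2: grant the application access BEFORE the charm ever sees the ID.
    # If this fails, stop: setting the config now would hand the charm a
    # secret it cannot read, and there is no 'secret-granted' event to
    # recover from that later. The secret itself is left in place.
    if ! juju grant-secret "$uri" "$app"; then
        echo "grant failed; not setting $option on $app" >&2
        return 2
    fi

    # Step 3: pass the secret ID to the application through its config.
    juju config "$app" "$option=$uri" || return 3

    printf '%s\n' "$uri"
}
```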