How to manage secrets in OpenBao

Intended audience

staff members

This assumes OpenBao has been configured and that your user has the admin-openbao Keycloak client role.

You can manage secrets either from the OpenBao UI (reachable only behind the SWH VPN), or from your own machine with the bao cli installed, as described below.

Prepare

In an OpenBao shell session (for example one started with nix shell nixpkgs#openbao):

# Set the VAULT_ADDR environment variable so the -address flag does not
# have to be repeated in every cli call.
# https://openbao.org/docs/commands/#vault_addr
export VAULT_ADDR='https://openbao.internal.admin.swh.network'

Login

$ bao login -method=oidc
Complete the login via your OIDC provider. Launching browser to:

    https://auth.softwareheritage.org/auth/realms/SoftwareHeritageStaging/protocol/openid-connect/auth?client_id=test-openbao&...

Waiting for OIDC authentication to complete...
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "bao login" again.
Future OpenBao requests will automatically use this token.

Key                  Value
---                  -----
token                redacted
token_accessor       redacted
token_duration       768h
token_renewable      true
token_policies       ["admin" "admin-openbao-policy" "default"]
identity_policies    []
policies             ["admin" "admin-openbao-policy" "default"]
token_meta_role      admin-openbao

Read secrets

Use bao kv get to read a secret.

# Read an existing secret
$ bao kv get secrets-test-staging-rke2/test
=========== Secret Path ===========
secrets-test-staging-rke2/data/test

======= Metadata =======
Key                Value
---                -----
created_time       2026-04-08T15:24:45.561436387Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

=== Data ===
Key    Value
---    -----
foo    bar

Write secrets

Use bao kv put to write a secret.

# Create a new secret (allowed by the admin-openbao policy)
$ bao kv put secrets-test-staging-rke2/test2 bar=foo
========== Secret Path ==========
secrets-test-staging-rke2/data/test2

======= Metadata =======
Key                Value
---                -----
created_time       2026-04-09T07:49:31.845874594Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

# And read it back
$ bao kv get secrets-test-staging-rke2/test2
========== Secret Path ==========
secrets-test-staging-rke2/data/test2

======= Metadata =======
Key                Value
---                -----
created_time       2026-04-09T07:49:31.845874594Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

=== Data ===
Key    Value
---    -----
bar    foo

Note: secrets-test-staging-rke2 is the name of an actual KV secrets engine mount; adapt the path to the mount you are working with.
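The helper script below is an added example, not part of the original page or of OpenBao itself. It wraps the read and write commands above so that secret values are not passed as command-line arguments (where `ps` and shell history record them) and are not printed together with the rest of the secret. It assumes VAULT_ADDR is exported and bao login has been run; the mount name and key names are the test values from the examples above.

```shell
#!/bin/sh
# Added example, not part of the original page: small wrappers around the
# bao cli that keep secret values out of shell history, `ps` output and
# the terminal. Assumes VAULT_ADDR is exported and `bao login` has run.
set -eu

# KV v2 mount used in the examples above (assumption: adapt to your mount).
: "${SECRET_MOUNT:=secrets-test-staging-rke2}"

# Fail early if the cached token is missing or expired, instead of letting
# a script get half-way through before the first bao call fails.
require_login() {
    bao token lookup >/dev/null 2>&1 && return 0
    echo "not logged in to ${VAULT_ADDR:-<unset>}: run 'bao login -method=oidc'" >&2
    return 1
}

# Print one field of a secret and nothing else. -field skips the metadata
# table and the key listing, so the value can be captured into a variable
# without the secret's other keys ending up in logs.
read_field() {                 # read_field <path-under-mount> <key>
    bao kv get -field="$2" "${SECRET_MOUNT}/$1"
}

# Create or replace a secret whose value comes from stdin. A value of "-"
# makes the cli read it from standard input, so it never appears as a
# command-line argument (the `bar=foo` form above does, in `ps` and history).
# Note: kv put replaces ALL keys of the secret; it is not a merge.
write_field_from_stdin() {     # write_field_from_stdin <path-under-mount> <key>
    bao kv put "${SECRET_MOUNT}/$1" "$2=-" >/dev/null
}

# Change or add a single key of an existing secret, keeping the others.
update_field_from_stdin() {    # update_field_from_stdin <path-under-mount> <key>
    bao kv patch "${SECRET_MOUNT}/$1" "$2=-" >/dev/null
}

# Run the demo only when asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "--demo" ]; then
    require_login
    value=$(read_field test foo)           # captured into a variable, not echoed
    echo "read ${#value} bytes for key foo"
    printf 'new-value' | update_field_from_stdin test foo
fi
```

Source the file to get the functions in an interactive session, or run it with --demo to exercise them against the test mount.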