
Getting Started with the Secrets Store

This guide will walk you through the first steps of interacting with the Secrets Store service. You will learn how to get access, log in using the Web UI and CLI, and perform basic operations to read and write secrets.

This guide focuses on the direct management of secrets. For information on how to consume these secrets in your Kubernetes applications, please see the Secrets Service documentation.

Getting Access

Access to the Secrets Store is managed by us. To get started, please contact us to request access.

We will grant your existing company identity (the same one you use to access the Kubernetes API) the necessary permissions and provide you with:

  1. A Dedicated Path: A secure path within the secrets store (e.g., kv/your-team/) where you can manage your secrets.

Option 1: Using the Web UI

The easiest way to get started is by using the secure web interface. This is a great way to browse, view, and manually edit your secrets.

  1. Navigate to the UI: Open your web browser and go to https://vault.shared.k8s.netic.dk.
  2. Log In: Choose the oidc authentication method. This will redirect you to your company's standard login page to authenticate.

Dedicated Secrets Store

If you are using a dedicated secrets store, you need to replace vault.shared.k8s.netic.dk with the URL of your dedicated secrets store.

Once logged in, you can navigate to the path assigned to you to manage your secrets.

Option 2: Using the OpenBao CLI (For Automation)

For scripting and automation, the bao command-line interface is the recommended tool.

Step 1: Install the CLI

Download the appropriate binary for your operating system from the official OpenBao releases page. Make sure the downloaded bao binary is in your system's PATH.

Step 2: Configure the CLI

You need to tell the CLI which server to connect to. You do this by setting the VAULT_ADDR environment variable. It is recommended to add this to your shell's profile file (e.g., ~/.bash_profile or ~/.zshrc).

export VAULT_ADDR="https://vault.shared.k8s.netic.dk"

Dedicated Secrets Store

If you are using a dedicated secrets store, you need to replace vault.shared.k8s.netic.dk with the URL of your dedicated secrets store.

Step 3: Log In

Once the address is configured, you can log in using your OIDC identity.

bao login -method=oidc

This command will print a URL to your console. Copy and paste this URL into your web browser. After you authenticate, the CLI will automatically receive a token and complete the login process.

If the login succeeds, the CLI stores the token on your local machine and uses it for all subsequent commands.

Step 4: Read and Write Secrets

All secrets are managed under the kv (Key/Value) secrets engine. You will use the bao kv subcommand to interact with them.

  • To write a secret:

    Let's say your team path is kv/my-team/ and you want to store database credentials for a billing-app.

    # The path is the first argument after 'put'
    # Key-value pairs are provided after the path
    bao kv put kv/my-team/billing-app db_user="billing" db_pass="S3cr3tP@ssw0rd!"
    
  • To read a secret:

    bao kv get kv/my-team/billing-app
    
  • To get just the value of a single field (useful for scripting):

    bao kv get -field=db_pass kv/my-team/billing-app
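
The write command above carries the password as a command-line argument, so it ends up in shell history and is visible in the process list while the command runs. The following added example (not part of the original guide) wraps the same bao kv commands so that the password arrives on stdin through the CLI's key=- form and a scripted read fails on an empty value. The function names and ./db_pass.txt are hypothetical; the path and field names are the guide's sample values.

```sh
# Added example, not part of the original guide. Path and field names are the
# guide's sample values; function names and ./db_pass.txt are hypothetical.

# Refuse to send credentials unless VAULT_ADDR is an https:// URL.
require_https_addr() {
  case "${VAULT_ADDR:-}" in
    https://?*) return 0 ;;
    *) echo "VAULT_ADDR must be an https:// URL" >&2; return 1 ;;
  esac
}

# put_db_creds <path> <db_user>      (password is read from stdin)
# "db_pass=-" makes the CLI take that value from stdin, so the password never
# appears in argv (process list) or in shell history. kv put writes the whole
# secret, so both fields are sent together.
put_db_creds() {
  [ "$#" -eq 2 ] || { echo "usage: put_db_creds <path> <db_user>" >&2; return 2; }
  require_https_addr || return 1
  bao kv put "$1" db_user="$2" db_pass=-
}

# get_field <path> <field>
# Prints the field value on stdout. Fails if the CLI fails or the field is
# empty, so a caller never continues with a blank credential.
get_field() {
  [ "$#" -eq 2 ] || { echo "usage: get_field <path> <field>" >&2; return 2; }
  require_https_addr || return 1
  gf_value=$(bao kv get -field="$2" "$1") || {
    echo "cannot read field '$2' at '$1'" >&2; return 1; }
  [ -n "$gf_value" ] || { echo "field '$2' at '$1' is empty" >&2; return 1; }
  printf '%s' "$gf_value"
  unset gf_value
}

# Typical calls (commented out so that sourcing this file contacts no server):
#   tr -d '\n' < ./db_pass.txt | put_db_creds kv/my-team/billing-app billing
#   DB_PASS=$(get_field kv/my-team/billing-app db_pass) || exit 1
```

Source the file after bao login, with VAULT_ADDR already exported as in Step 2.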
    

Next Steps: Using Secrets in Your Application

You now know how to manage secrets directly in the Secrets Store. The next, most important step is to make them available to your applications running in Kubernetes.

The recommended and most secure way to do this is by using the Secrets Service, which automatically synchronizes secrets from this store into native Kubernetes Secret objects.

Learn how to sync secrets to your namespace in the Secrets Service getting started guide.