MysteryBox is a Nebius AI Cloud service for centralized management of secrets. In a secret, you can securely store sensitive information, such as API keys, passwords or certificates, in encrypted form. MysteryBox lets you avoid hardcoding sensitive data in places such as Terraform manifests or cloud-init scripts. As a result, you eliminate vulnerabilities and maintain compliance with security requirements.

A typical workflow is to create a secret in MysteryBox and store sensitive information there. After that, you or a service account uses this secret, for instance, in a script, CI/CD pipeline, runtime application or Terraform manifest.

MysteryBox use cases

MysteryBox integrates with different Nebius AI Cloud resources. For instance, you can use secrets when working with Compute virtual machines (VMs), containers or managed services. Examples:
  • On a Compute VM, you create a script that uses an API key for the application configuration or third-party API access. You save this API key to a MysteryBox secret. A service account associated with the given VM launches the script and retrieves the secret with the API key.
  • You create an access key to authenticate a service account in Object Storage, and you store the secret key in MysteryBox.
  • Managed services of Nebius AI Cloud generate passwords and store them in MysteryBox secrets.

Secrets and versions

A secret is the main MysteryBox resource that stores sensitive data. A secret is located in a project, but user and service accounts can access the secret within the region if the accounts have the corresponding permissions. User and service accounts from other regions cannot access the secret.

Every secret has multiple versions. A version is a snapshot of stored data. You cannot modify this snapshot once it is created.

A secret has a primary version. When you retrieve a secret and do not specify a particular version, MysteryBox provides you with the primary one. By default, this is the latest version unless you explicitly set the primary version.

Every version contains the payload of a secret. The payload consists of one or several key-value pairs. When you create a secret, you put data there in the key-value format. A key represents an ID, and a value contains sensitive data that can be in the form of a string or a binary file.
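
The version rules above, modelled locally in Python as an added example (not Nebius code and not a MysteryBox client): `SecretModel`, `rotate_demo`, the integer version IDs and all payload values are constructed for illustration. It reads the primary-version rule literally, so an explicitly set primary stays in effect when newer versions are added; that reading is an assumption to confirm against the service before relying on it during key rotation.

```python
from types import MappingProxyType
from typing import Mapping, Optional, Union

Value = Union[str, bytes]  # a payload value is a string or binary data


class SecretModel:
    """Local in-memory model of one secret; it calls no Nebius API."""
    def __init__(self, name: str) -> None:
        self.name = name
        self._versions: list = []            # append-only snapshots
        self._pinned: Optional[int] = None   # explicitly set primary, if any

    def add_version(self, payload: Mapping[str, Value]) -> int:
        if not payload:
            raise ValueError("payload needs at least one key-value pair")
        for key, value in payload.items():
            if not isinstance(key, str) or not isinstance(value, (str, bytes)):
                raise TypeError(f"bad payload entry: {key!r}")
        # Copy, then wrap read-only: a version cannot change once created.
        self._versions.append(MappingProxyType(dict(payload)))
        return len(self._versions) - 1       # integer IDs are a model choice

    def set_primary(self, version: int) -> None:
        self.get(version)                    # raises if the version is unknown
        self._pinned = version

    def primary(self) -> int:
        if not self._versions:
            raise LookupError("secret has no versions")
        # Latest version unless a primary was set explicitly.
        return len(self._versions) - 1 if self._pinned is None else self._pinned

    def get(self, version: Optional[int] = None) -> Mapping[str, Value]:
        version = self.primary() if version is None else version
        if not 0 <= version < len(self._versions):
            raise LookupError(f"no version {version} in {self.name!r}")
        return self._versions[version]


def rotate_demo() -> tuple:
    """Rotate a key (constructed values) while readers fetch the primary."""
    s = SecretModel("app-config")
    v0 = s.add_version({"api_key": "constructed-old", "ca_cert": b"\x30\x82"})
    s.set_primary(v0)                        # pin the known-good version
    v1 = s.add_version({"api_key": "constructed-new", "ca_cert": b"\x30\x82"})
    during = s.get()["api_key"]              # readers still get v0
    s.set_primary(v1)                        # promote v1 after validating it
    return during, s.get()["api_key"], s.get(v0)["api_key"]
```

Under this reading, a consumer that omits the version keeps receiving the old key until the new version is promoted, while a consumer that names an old version keeps receiving it after promotion.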