You can create an empty secret and add versions whenever you need them, or you can create a secret together with a version immediately.
Prerequisites
Make sure you are in a group that has at least the editor role within your tenant; for example, the default editors group. You can check this in the Administration → IAM section of the web console.
Creating a secret or a version of a secret does not automatically grant you access to view payloads in that secret or version. The editor role is enough to create a secret or a version, but viewing payloads requires the mysterybox.payload-viewer role, which is a sub-role of admin but not editor.
How to create a secret without a version
You can create a secret without a version by using the CLI only. If you want to use the web console, follow How to create a secret with a version.
Run the following command:
nebius mysterybox secret create \
--name "<secret_name>" \
--description "<description>"
In the command, specify the following values:
name: Name of the secret.
description (optional): Secret description.
After the secret is created, you can refer to it by its name or ID and create versions of the secret.
How to create a secret with a version
- In the web console, go to MysteryBox.
- Click Create secret.
- In the window that opens, specify a unique name for the secret. For example, db-credentials.
- (Optional) Add a description that explains what the secret is used for. For example, “Credentials for the production database.”
- In the Key and Value fields, specify a key-value pair that the secret should store. This pair will be the payload of this secret.
  In the Value field, select a data type:
  - Text: Specify a plain string. Commonly used for passwords, tokens and API keys.
  - File: Upload a binary file. Convenient for certificates, private keys and configuration files.
- (Optional) To store multiple key-value pairs in a single version, click Add pair. Then, specify additional key-value pairs.
- Click Create secret.
Run the nebius mysterybox secret create command. You can specify one or several key-value pairs in the version payload. Every pair contains a string value or binary data.
- Strings:
nebius mysterybox secret create \
--name "<secret_name>" \
--description "<description>" \
--secret-version-payload '[
{"key": "<key_name>", "string_value": "<value>"},
{"key": "<key_name>", "string_value": "<value>"},
...
]'
- Binary files, Ubuntu:
nebius mysterybox secret create \
--name "<secret_name>" \
--description "<description>" \
--secret-version-payload "[
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
...
]"
- Binary files, macOS:
nebius mysterybox secret create \
--name "<secret_name>" \
--description "<description>" \
--secret-version-payload "[
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
...
]"
- Both strings and binary files, Ubuntu:
nebius mysterybox secret create \
--name "<secret_name>" \
--description "<description>" \
--secret-version-payload "[
{\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
...
]"
- Both strings and binary files, macOS:
nebius mysterybox secret create \
--name "<secret_name>" \
--description "<description>" \
--secret-version-payload "[
{\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
...
]"
In the command, specify the following values:
name: Name of the secret.
description (optional): Secret description.
key: Name of the key.
string_value: For each key with a string value, a sensitive secret value.
path/to/file: For each key with a binary value, a local path to the file whose contents you want to store as binary data in the secret.
After the secret is created, you can refer to it by its name or ID.
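The hand-escaped JSON in the commands above breaks, or is expanded by the shell, when a value contains quotes, backslashes, `$` or newlines. The following is an added example, not part of the Nebius documentation or CLI: a Python helper that builds the same payload array with correct escaping and the same base64 encoding on Ubuntu and macOS. The function name `build_payload`, its parameters and the sample values are assumptions made for illustration.

```python
import base64
import json
import tempfile
from pathlib import Path


def build_payload(strings=None, files=None):
    """Return the JSON array to pass to --secret-version-payload.

    strings maps key -> text value; files maps key -> local file path.
    """
    strings = strings or {}
    files = files or {}
    clash = sorted(set(strings) & set(files))
    if clash:
        raise ValueError(f"key given as both string and file: {clash}")
    # Helper's own choice: an empty payload is rejected here. To create a
    # secret without a version, omit --secret-version-payload instead.
    if not strings and not files:
        raise ValueError("no key-value pairs given")
    pairs = []
    for key, value in strings.items():
        pairs.append({"key": key, "string_value": value})
    for key, path in files.items():
        # b64encode returns one unwrapped line, like `base64 -w 0`.
        blob = base64.b64encode(Path(path).read_bytes()).decode("ascii")
        pairs.append({"key": key, "binary_value": blob})
    # json.dumps escapes quotes, backslashes and newlines in the values,
    # which the hand-escaped \"...\" form in the commands above does not.
    return json.dumps(pairs)


if __name__ == "__main__":
    # Constructed sample data: a value with shell- and JSON-special
    # characters, and a small temporary binary file.
    with tempfile.NamedTemporaryFile(suffix=".der") as cert:
        cert.write(b"\x30\x82\x01\x0a constructed bytes")
        cert.flush()
        print(build_payload(
            {"password": 'pa"ss\\word $HOME'},
            {"certificate": cert.name},
        ))
```

Saved under a hypothetical name such as build_payload.py, the script's output can be supplied as --secret-version-payload "$(python3 build_payload.py)"; the shell does not re-expand text produced by command substitution.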