How to create versions of secrets in MysteryBox

Each secret can have multiple versions. Versions are useful when you need to change credentials or update a secret payload without modifying existing references, such as configurations, scripts or services that point to the specific secret. For more information, see Overview of the MysteryBox service.

Prerequisites

Make sure you are in a group that has at least the editor role within your tenant; for example, the default editors group. You can check this in the Administration → IAM section of the web console.

Creating a secret or a version of a secret does not automatically grant you access to view payloads in that secret or version. The editor role is enough to create a secret or a version, but viewing payloads requires the mysterybox.payload-viewer role, which is a sub-role of admin but not editor.

How to create a version

Web console
CLI

In the web console, go to Mysterybox.
Locate the required secret and then click → Create version.
(Optional) On the page that opens, add a version description. For example, “New database password.”
Update Key and Value. These fields display the key-value pair created in the original version. You can reuse an existing key and value, or you can update them. If you update Value, select a data type for it:
- Text: Specify a plain string. Commonly used for passwords, tokens and API keys.
- File: Upload a binary file. Convenient for certificates, private keys and configuration files.
(Optional) To store multiple key-value pairs in a single version, click Add pair. Then, specify additional key–value pairs.
If you want this version to become primary (it will be returned by default when the secret is referenced), keep the Make this version primary option enabled.
Click Create version.

List all secrets:
```
nebius mysterybox secret list
```
In the output, copy the ID of the required secret.

Create a new version for the secret.

Ubuntu:

nebius mysterybox secret-version create \
  --parent-id <secret_ID> \
  --description "<description>" \
  --payload "[
    {\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
    {\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
    ...
  ]"

macOS:

nebius mysterybox secret-version create \
  --parent-id <secret_ID> \
  --description "<description>" \
  --payload "[
    {\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
    {\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
    ...
  ]"

In the command, specify the following values:

parent-id: ID that you copied earlier.
description (optional): Version description.
key: Name of the key.
string_value: For each key with a string value, a sensitive secret value.
path/to/file: For each key with a binary value, a local path to the file whose contents you want to store as binary data in the secret.

You can make a new version primary if you want to get its payload by default. When you create a version by using the CLI, it does not become primary automatically.

After the version is created, you can pin requests to it.

Security

Audit Logs

MysteryBox in Nebius AI Cloud

How to create versions of secrets in MysteryBox

Prerequisites

How to create a version

Security

Audit Logs

MysteryBox in Nebius AI Cloud

Documentation Index

​Prerequisites

​How to create a version

Prerequisites

How to create a version