Each secret can have multiple versions. Versions are useful when you need to change credentials or update a secret payload without modifying existing references, such as configurations, scripts or services that point to the specific secret.
For more information, see Overview of the MysteryBox service.
Prerequisites
Make sure you are in a group that has at least the editor role within your tenant; for example, the default editors group. You can check this in the Administration → IAM section of the web console.
Creating a secret or a version of a secret does not automatically grant you access to view payloads in that secret or version. The editor role is enough to create a secret or a version, but viewing payloads requires the mysterybox.payload-viewer role, which is a sub-role of admin but not editor.
How to create a version
-
In the web console, go to
Mysterybox.
-
Locate the required secret and then click
→ Create version.
-
(Optional) On the page that opens, add a version description. For example, “New database password.”
-
Update Key and Value. These fields display the key-value pair created in the original version. You can reuse an existing key and value, or you can update them.
If you update Value, select a data type for it:
- Text: Specify a plain string. Commonly used for passwords, tokens and API keys.
- File: Upload a binary file. Convenient for certificates, private keys and configuration files.
-
(Optional) To store multiple key-value pairs in a single version, click
Add pair. Then, specify additional key–value pairs.
-
If you want this version to become primary (it will be returned by default when the secret is referenced), keep the Make this version primary option enabled.
-
Click Create version.
-
List all secrets:
nebius mysterybox secret list
-
Create a new version for the secret.
-
Ubuntu:
nebius mysterybox secret-version create \
--parent-id <secret_ID> \
--description "<description>" \
--payload "[
{\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
...
]"
-
macOS:
nebius mysterybox secret-version create \
--parent-id <secret_ID> \
--description "<description>" \
--payload "[
{\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
...
]"
In the command, specify the following values:
parent-id: ID that you copied earlier.description (optional): Version description.key: Name of the key.string_value: For each key with a string value, a sensitive secret value.path/to/file: For each key with a binary value, a local path to the file whose contents you want to store as binary data in the secret.
You can make a new version primary if you want to get its payload by default. When you create a version by using the CLI, it does not become primary automatically. 