Each secret can have multiple versions. Versions are useful when you need to change credentials or update a secret payload without modifying existing references, such as configurations, scripts or services that point to the specific secret.
For more information, see About MysteryBox.
Prerequisites
Make sure you are in a group that has at least the editor role within your tenant or project; for example, the default editors group. You can check this in the Administration → IAM section of the web console.
Creating a secret or a version of a secret does not automatically grant you access to view payloads in that secret or version. The editor role is enough to create a secret or a version, but viewing payloads requires the mysterybox.payload-viewer role, which is a sub-role of admin but not editor.
How to create a version
-
In the web console, go to
Cryptography → MysteryBox.
-
Locate the required secret and then click
→ Create version.
-
(Optional) On the page that opens, add a version description. For example, “New database password.”
-
Update Key and Value. These fields display the key-value pair created in the original version. You can reuse an existing key and value, or you can update them.
If you update Value, select a data type for it:
- Text: Specify a plain string. Commonly used for passwords, tokens and API keys.
- File: Upload a binary file. Convenient for certificates, private keys and configuration files.
-
(Optional) To store multiple key-value pairs in a single version, click
Add pair. Then, specify additional key-value pairs.
-
If you want this version to become primary (it will be returned by default when the secret is referenced), keep the Make this version primary option enabled.
-
Click Create version.
-
List all secrets:
nebius mysterybox secret list
In the output, copy the ID of the required secret.
-
Create a new version for the secret.
-
Ubuntu:
nebius mysterybox secret-version create \
--parent-id <secret_ID> \
--description "<description>" \
--payload "[
{\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
...
]"
-
macOS:
nebius mysterybox secret-version create \
--parent-id <secret_ID> \
--description "<description>" \
--payload "[
{\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
{\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
...
]"
In the command, specify the following parameters:
parent-id: ID that you copied earlier.
description (optional): Version description.
key: Name of the key.
string_value: For each key with a string value, a sensitive secret value.
path/to/file: For each key with a binary value, a local path to the file whose contents you want to store as binary data in the secret.
You can make a new version primary if you want to get its payload by default. When you create a version by using the CLI, it does not become primary automatically.
After the version is created, you can pin requests to it.