> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nebius.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How to create secrets in MysteryBox

You can create an empty [secret](../overview#secrets-and-versions) and add versions whenever you need them, or you can create a secret together with a version immediately.

## Prerequisites

Make sure you are in a [group](/iam/authorization/groups/index) that has at least the `editor` role within your tenant; for example, the default `editors` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console.

<Warning>
  Creating a secret or a version of a secret does not automatically grant you access to view payloads in that secret or version. The `editor` role is enough to create a secret or a version, but viewing payloads requires the `mysterybox.payload-viewer` role, which is a sub-role of `admin` but not `editor`.
</Warning>

## How to create a secret without a version

You can create a secret without a version by using the CLI only. If you want to use the web console, follow [How to create a secret with a version](#how-to-create-a-secret-with-a-version).

<Tabs>
  <Tab title="CLI">
    Run the following command:

    ```bash theme={null}
    nebius mysterybox secret create \
      --name "<secret_name>" \
      --description "<description>"
    ```

    In the command, specify the following values:

    * `name`: Name of the secret.
    * `description` (optional): Secret description.

    After the key is created, you can refer to it by its name or ID and [create versions](./create-version) of the secret.
  </Tab>
</Tabs>

## How to create a secret with a version

<Tabs>
  <Tab title="Web console">
    1. In the [web console](https://console.nebius.com), go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/mysterybox.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=428f0f38232b7eea96e9d8d993c78cd4" width="16" height="16" data-path="_assets/sidebar/mysterybox.svg" /> **MysteryBox**.

    2. Click <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/plus.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=7c9efc69d65fc58db0eb73702fd81aa1" width="16" height="16" data-path="_assets/plus.svg" /> **Create secret**.

    3. In the window that opens, specify a unique name for the secret. For example, `db-credentials`.

    4. (Optional) Add a description that explains what the secret is used for. For example, "Credentials for the production database."

    5. In the **Key** and **Value** fields, specify a key-value pair that the secret should store. This pair will be the [payload](../overview#secrets-and-versions) of this secret.

       In the **Value** field, select a data type:

       * **Text**: Specify a plain string. Commonly used for passwords, tokens and API keys.
       * **File**: Upload a binary file. Convenient for certificates, private keys and configuration files.

    6. (Optional) To store multiple key-value pairs in a single version, click <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/plus.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=7c9efc69d65fc58db0eb73702fd81aa1" width="16" height="16" data-path="_assets/plus.svg" /> **Add pair**. Then, specify additional key–value pairs.

    7. Click **Create secret**.
  </Tab>

  <Tab title="CLI">
    Run the `nebius mysterybox secret create` command.

    You can specify one or several key-value pairs in the version payload. Every pair contains a string value or binary data.

    * Strings:

      ```bash theme={null}
      nebius mysterybox secret create \
        --name "<secret_name>" \
        --description "<description>" \
        --secret-version-payload '[
          {"key": "<key_name>", "string_value": "<value>"},
          {"key": "<key_name>", "string_value": "<value>"},
          ...
        ]'
      ```

    * Binary files, Ubuntu:

      ```bash theme={null}
      nebius mysterybox secret create \
        --name "<secret_name>" \
        --description "<description>" \
        --secret-version-payload "[
          {\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
          {\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
          ...
        ]"
      ```

    * Binary files, macOS:

      ```bash theme={null}
      nebius mysterybox secret create \
        --name "<secret_name>" \
        --description "<description>" \
        --secret-version-payload "[
          {\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
          {\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
          ...
        ]"
      ```

    * Both strings and binary files, Ubuntu:

      ```bash theme={null}
      nebius mysterybox secret create \
        --name "<secret_name>" \
        --description "<description>" \
        --secret-version-payload "[
          {\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
          {\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -w 0 <path/to/file>)\"},
          ...
        ]"
      ```

    * Both strings and binary files, macOS:

      ```bash theme={null}
      nebius mysterybox secret create \
        --name "<secret_name>" \
        --description "<description>" \
        --secret-version-payload "[
          {\"key\": \"<key_name>\", \"string_value\": \"<value>\"},
          {\"key\": \"<key_name>\", \"binary_value\": \"$(base64 -i <path/to/file>)\"},
          ...
        ]"
      ```

    In the command, specify the following values:

    * `name`: Name of the secret.
    * `description` (optional): Secret description.
    * `key`: Name of the key.
    * `string_value`: For each key with a string value, a sensitive secret value.
    * `path/to/file`: For each key with a binary value, a local path to the file whose contents you want to store as binary data in the secret.

    After the key is created, you can refer to it by its name or ID.
  </Tab>
</Tabs>