Migrating secret containers¶
Barbican resources cannot be retrieved by other projects unless explicitly allowed through ACLs.
openstack-migrate currently expects to identify resources solely based on
their IDs, for which reason cross-project secret migration is not supported.
To migrate these resources, consider using a separate openstack-migrate config
and database for each individual tenant. The admin user user can be temporarily
added as a member of the migrated projects.
Example¶
This example creates and migrates a secret container along with the referenced secrets.
cert_ref=`openstack secret store \
--name root-ca-cert \
-s certificate \
--file ~/ca/rootca.crt \
| grep "Secret href" \
| awk '{print $5}'`
key_ref=`openstack secret store \
--name root-ca-key \
-s private \
--file ~/ca/rootca.key \
| grep "Secret href" \
| awk '{print $5}'`
openstack secret container create \
--name root-ca \
--type certificate \
--secret "certificate=$cert_ref" \
--secret "private_key=$key_ref"
We’ll use a batch migration, covering all secret containers owned by the current project.
openstack-migrate start-batch \
--resource-type=secret-container \
--all \
--include-dependencies
2025-11-17 15:41:47,195 INFO Initiating secret-container migration, resource id: http://10.8.99.203/openstack-barbican/v1/containers/85e2dee5-0b8c-4d7e-a1b7-a634788d49d7
2025-11-17 15:41:48,147 INFO Migrating associated secret resource: http://10.8.99.203/openstack-barbican/v1/secrets/569d75d1-4798-4891-87b7-764b81f403f4
2025-11-17 15:41:48,148 INFO Initiating secret migration, resource id: http://10.8.99.203/openstack-barbican/v1/secrets/569d75d1-4798-4891-87b7-764b81f403f4
2025-11-17 15:41:50,795 INFO Successfully migrated resource, destination id: https://public2.sunbeam.local/openstack-barbican/v1/secrets/cda7e8eb-a993-4dd4-8302-cc2b83096f65
2025-11-17 15:41:50,802 INFO Migrating associated secret resource: http://10.8.99.203/openstack-barbican/v1/secrets/ee818210-2ff5-4a4f-9153-69c3c83b4003
2025-11-17 15:41:50,802 INFO Initiating secret migration, resource id: http://10.8.99.203/openstack-barbican/v1/secrets/ee818210-2ff5-4a4f-9153-69c3c83b4003
2025-11-17 15:41:53,162 INFO Successfully migrated resource, destination id: https://public2.sunbeam.local/openstack-barbican/v1/secrets/29f27a0e-dcd9-481e-a4ca-f764db1cd6df
2025-11-17 15:41:55,863 INFO Successfully migrated resource, destination id: https://public2.sunbeam.local/openstack-barbican/v1/containers/c02de39b-d379-4b4f-9e93-3392fb5bdf22
--include-dependencies was needed since the secrets are dependent resources
that must exist before the secret container gets created, which only holds
secret references.
Resulting resources:
openstack-migrate list
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Migrations |
+--------------------------------------+----------+------------------+-----------+--------------------------------------+--------------------------------------+
| UUID | Service | Resource type | Status | Source ID | Destination ID |
+--------------------------------------+----------+------------------+-----------+--------------------------------------+--------------------------------------+
| c2e26b76-ec50-45e1-8b82-ceded96cedb3 | barbican | secret | completed | ee818210-2ff5-4a4f-9153-69c3c83b4003 | 29f27a0e-dcd9-481e-a4ca-f764db1cd6df |
| 50921223-33c2-44be-b3f5-17e28f92632d | barbican | secret | completed | 569d75d1-4798-4891-87b7-764b81f403f4 | cda7e8eb-a993-4dd4-8302-cc2b83096f65 |
| e45171a5-fcf1-41a2-9e23-83a74b50116e | barbican | secret-container | completed | 85e2dee5-0b8c-4d7e-a1b7-a634788d49d7 | c02de39b-d379-4b4f-9e93-3392fb5bdf22 |
+--------------------------------------+----------+------------------+-----------+--------------------------------------+--------------------------------------+