> As far as I know, the secrets are saved in a user's domain, and other projects/users cannot retrieve the secrets.
> But I have a situation where many users need to retrieve the same secret.
>
> After looking into the castellan usage, I see the method of saving the credentials in configuration,
> then all operators use this pre-created user to create/retrieve secrets.
> I want to know, is this way typical and easily accepted? Do other projects face this issue?

By default, the secrets in Barbican are available at the project level [1]. I am not sure specifically which project or feature you are referring to in which all users need access to one secret, but I would suggest that editing the Barbican RBAC policy or ACL is a more elegant solution than storing username/pw in the conf file. You can find more details about RBAC at [2] and a sample policy.json file at [3].

Kaitlin Farr

1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl
2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html
3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json