Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Secret payloads are NEVER returned by any Barbican MCP tool
Only metadata is exposed: name, type, status, algorithm, bit_length, expiration
To retrieve actual secret values, use the OpenStack CLI with appropriate RBAC
No write or admin tiers exist for Barbican — all 5 tools are read-only
Guardrails
UUID validation: secret_id and container_id validated before API call
No payload access: By design, the MCP server never fetches or returns secret payload content
Gotchas
Payload is NEVER returned. For security, the MCP tools only return secret metadata (name, type, algorithm, status, expiration). The actual secret value/payload is never exposed through these tools. Do not tell users you can retrieve secret contents.
secret_id is a UUID, not the secret_ref URL. Barbican internally uses secret_ref (a full URL like https://keymanager.example.com/v1/secrets/<uuid>). The MCP tool expects only the UUID portion, not the full URL.
Expiration can be null. Not all secrets have an expiration date. A null expiration means the secret never expires. Do not assume all secrets rotate automatically.
secret_type determines usage context.certificate = TLS certs (used by Octavia for TERMINATED_HTTPS). symmetric = encryption keys. passphrase = passwords. opaque = arbitrary data. Understanding the type helps identify what service consumes it.
Status "ACTIVE" means usable. Secrets in non-ACTIVE states may have failed creation or been soft-deleted. Only ACTIVE secrets can be consumed by other services.
Certificates used by load balancers. Octavia's TERMINATED_HTTPS listeners reference Barbican secrets of type certificate. To find which cert a listener uses, get the listener details and look for the certificate reference.
Algorithm and bit_length may be empty. These fields are informational and only populated if the creator set them. They are not enforced by Barbican.
Common Workflows
List All Certificates Approaching Expiration
barbican_list_secrets with secret_type=certificate — get all certificate secrets.
Check expiration field on each result.
Flag any certificates expiring within 30 days for renewal.
Find the Certificate Used by a Load Balancer
octavia_list_listeners with loadbalancer_id=<uuid> — find TERMINATED_HTTPS listeners.
Note the certificate container reference from the listener details.
barbican_get_secret with the secret UUID — verify certificate metadata and expiration.
Audit Project Secrets
barbican_list_secrets — enumerate all secrets in the project.
Group by secret_type to understand the distribution (certs vs keys vs passphrases).
Check expiration for any expired secrets that should be cleaned up.