plexctl credential
Synopsis
plexctl credential is the operator surface for the OpenBao Credential Broker pool and the per-Project Credential Assignment lifecycle. It spans two /v1 surfaces under a single cobra parent:
- /v1/projects/{project_id}/credentials (list) and /v1/credentials/{id} (get, revoke, rotate): the per-Project credential pool.
- /v1/projects/{project_id}/credential-assignments (list, request) and /v1/credential-assignments/{id}/{approve,reject,revoke}: assignment lifecycle under the nested plexctl credential assignment subgroup.
```text
plexctl credential <subcommand> [flags]
plexctl credential assignment <subcommand> [flags]
```
Subcommands
plexctl credential list
GETs /v1/projects/{project_id}/credentials (the --project-id flag is required). Returns metadata only.
plexctl credential get <id>
GETs /v1/credentials/{id}. Returns metadata only.
plexctl credential revoke <id>
POSTs /v1/credentials/{id}/revoke. Requires --yes and a --reason audit-rationale string.
plexctl credential rotate <id>
POSTs /v1/credentials/{id}/rotate. The caller passes the new material payload via --material-file or --material-base64 (mutually exclusive). --expected-version carries the broker-row version the caller observed; a mismatch surfaces as 409 conflict. --ttl-seconds declares the lifetime budget for the refreshed credential. Optional --key-value flags carry flat provider-specific key/value pairs (repeatable).
plexctl credential assignment request
POSTs /v1/projects/{project_id}/credential-assignments. Required flags: --project-id, --cloud-credential-id.
plexctl credential assignment list
GETs /v1/projects/{project_id}/credential-assignments (the --project-id flag is required). Pagination is keyset-based via --cursor / --limit.
plexctl credential assignment approve <id>
POSTs /v1/credential-assignments/{id}/approve. Requires the domain-admin role (server-side gate).
plexctl credential assignment reject <id>
POSTs /v1/credential-assignments/{id}/reject. Requires the domain-admin role and the --reason audit-rationale string.
plexctl credential assignment revoke <id>
POSTs /v1/credential-assignments/{id}/revoke. Either party (the project requester or the domain admin) may revoke; requires --yes and a --reason audit-rationale string.
Flags
plexctl credential list
| Flag | Type | Required | Description |
|---|---|---|---|
| --project-id | UUID | yes | Owning Project UUID. |
| --limit | int | no | Maximum items per page (server default when zero). |
| --cursor | string | no | Continuation token from a previous call. |
plexctl credential revoke <id>
| Flag | Type | Required | Description |
|---|---|---|---|
| --reason | string | yes | Audit-recorded revocation rationale. |
| --yes (persistent) | bool | yes | Required confirmation for the destructive operation. |
plexctl credential rotate <id>
| Flag | Type | Required | Description |
|---|---|---|---|
| --expected-version | int64 | yes | Broker-row version the caller observed. |
| --ttl-seconds | int64 | yes | Lifetime budget for the refreshed credential, in seconds. |
| --material-file | path | conditional | Path to the new secret payload. Mutually exclusive with --material-base64. |
| --material-base64 | string | conditional | New secret payload encoded as base64. Mutually exclusive with --material-file. |
| --key-value | string slice | no | Optional flat KV pair in key=value form, repeatable. |
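
A pre-flight wrapper for the rotate call, added here as an example and not part of plexctl or its documentation. It passes the payload only via --material-file, because a value given to --material-base64 sits on the command line where process listings and shell history can capture it, and it refuses a material file that group or other users can access. The function names and the PLEXCTL override variable are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before `plexctl credential rotate`.
# PLEXCTL is a hypothetical override (not a plexctl feature) that allows a dry run.

# Succeeds only for a regular, non-symlink file with no group/other permission bits.
material_file_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    perms=$(ls -ld -- "$f" | cut -c5-10)   # group and other permission columns
    [ "$perms" = "------" ]
}

# Succeeds only for a non-empty string of decimal digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: safe_rotate <credential-id> <expected-version> <ttl-seconds> <material-file>
# Returns 2 on bad arguments, 3 on an exposed material file, else plexctl's own status.
safe_rotate() {
    [ "$#" -eq 4 ] || { echo "usage: safe_rotate ID VERSION TTL FILE" >&2; return 2; }
    id=$1 version=$2 ttl=$3 file=$4
    is_uint "$version" || { echo "expected-version must be an integer" >&2; return 2; }
    is_uint "$ttl" && [ "$ttl" -gt 0 ] || { echo "ttl-seconds must be > 0" >&2; return 2; }
    material_file_is_private "$file" || {
        echo "refusing: $file must be a regular file with mode 0600 or stricter" >&2
        return 3
    }
    # Only --material-file is passed, so the secret never appears in argv.
    "${PLEXCTL:-plexctl}" credential rotate "$id" \
        --expected-version "$version" \
        --ttl-seconds "$ttl" \
        --material-file "$file"
}
```

Running with PLEXCTL=echo prints the command that would be executed instead of calling the server.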
plexctl credential assignment request
| Flag | Type | Required | Description |
|---|---|---|---|
| --project-id | UUID | yes | Owning Project UUID. |
| --cloud-credential-id | UUID | yes | Cloud Credential UUID to bind. |
plexctl credential assignment list
| Flag | Type | Required | Description |
|---|---|---|---|
| --project-id | UUID | yes | Owning Project UUID. |
| --limit | int | no | Maximum items per page (server default when zero). |
| --cursor | string | no | Continuation token from a previous call. |
plexctl credential assignment reject <id>
| Flag | Type | Required | Description |
|---|---|---|---|
| --reason | string | yes | Audit-recorded rejection rationale. |
plexctl credential assignment revoke <id>
| Flag | Type | Required | Description |
|---|---|---|---|
| --reason | string | yes | Audit-recorded revocation rationale. |
| --yes (persistent) | bool | yes | Required confirmation for the destructive operation. |
Destructive subcommands
plexctl credential revoke and plexctl credential assignment revoke consume the persistent --yes flag — both reject the call without explicit confirmation.
Persistent flags inherited from root
--server, --profile, --token-file, --output, --yes, --reveal-secrets. See ../plexctl.md.
Exit codes
See ../plexctl.md#exit-code-taxonomy.
Examples
Rotate a Cloud Credential
```shell
plexctl credential rotate 0190a8b8-a0c0-7a0a-8a0a-a0a0a0a0a0a1 \
  --server "${PLEXSPHERE_URL}" \
  --expected-version 3 \
  --ttl-seconds 86400 \
  --material-file /var/secrets/aws-key-2026-05.json
```
Request a Credential Assignment
```shell
plexctl credential assignment request \
  --server "${PLEXSPHERE_URL}" \
  --project-id 0190a8b8-a0c0-7a0a-8a0a-a0a0a0a0a0c0 \
  --cloud-credential-id 0190a8b8-a0c0-7a0a-8a0a-a0a0a0a0a0a1
```