Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Pratyay360/podman-ts/llms.txt

Use this file to discover all available pages before exploring further.

SecretsManager is the interface for working with Podman secrets. Access it via client.secrets on any PodmanClient instance. Secrets are named, encrypted blobs — passwords, tokens, certificates — that Podman stores securely and can inject into containers at runtime without exposing them in environment variables or image layers.

SecretsManager methods

create

create(
  name: string,
  data: string | Buffer,
  options?: SecretCreateOptions
): Promise<Secret>
Create a secret and return a Secret instance.
name
string
required
Name for the secret. Must be unique within the Podman daemon.
data
string | Buffer
The secret payload. Pass a string for text secrets (sent as UTF-8). Pass a Buffer for binary secrets — the SDK converts it to a Uint8Array before transmission.
options.driver
string
Secret driver to use (e.g. "file"). Defaults to the daemon’s default driver.
options.driverOpts
Record<string, string>
Driver-specific options.
options.labels
Record<string, string>
Labels to attach to the secret.
options.replace
boolean
If true, replace an existing secret with the same name rather than returning an error.
options.ignore
boolean
If true, silently succeed when a secret with the same name already exists instead of replacing it.
When data is a Buffer, the SDK wraps it in a Uint8Array and omits the Content-Type header so the raw bytes are sent as-is. For string data, Content-Type: text/plain; charset=utf-8 is set automatically.

list

list(options?: { filters?: Record<string, string> }): Promise<Secret[]>
Return all secrets visible to the Podman daemon.
options.filters
Record<string, string>
Key/value filters applied server-side. Common keys include name and label.

get

get(secretId: string): Promise<Secret>
Load a secret by its ID. Throws NotFound if the secret does not exist.

exists

exists(key: string): Promise<boolean>
Return true if a secret with the given ID or name exists, false otherwise.

remove

remove(secretId: string, options?: { all?: boolean }): Promise<void>
Remove a secret by ID. Throws NotFound if the secret does not exist.
options.all
boolean
Remove all secrets. When set, secretId is ignored.

Secret instance methods

A Secret object is returned by create(), get(), and list(). It exposes the following:
Property / MethodType / SignatureDescription
idstring | undefinedThe secret’s unique ID.
namestringThe secret’s name, read from attrs.Spec.Name.
remove(options?: { all?: boolean }): Promise<void>Remove this secret. Pass all: true to delete all secrets in one call.
Use secret.toString() for a human-readable representation: it returns <Secret: name>.

Code examples

Create a secret from a string

import { PodmanClient } from "@pratyay360/podman-ts";

const client = new PodmanClient();

const secret = await client.secrets.create(
  "db-password",
  "s3cr3tPassw0rd!",
);
console.log("Created secret:", secret.id, secret.name);

Create a secret from a Buffer

import { readFileSync } from "node:fs";

// Read a TLS certificate as binary
const certData = readFileSync("/path/to/client.crt");

const secret = await client.secrets.create("tls-cert", certData, {
  labels: { app: "my-service", env: "production" },
});

console.log("Created secret:", secret.name);
Passing a Buffer sends the raw bytes as a Uint8Array without a Content-Type header. This is the correct approach for binary payloads such as certificates or keystore files.

List and inspect secrets

// List all secrets
const secrets = await client.secrets.list();

for (const s of secrets) {
  console.log(s.id, s.name);
}

// Filter by label
const appSecrets = await client.secrets.list({
  filters: { label: "app=my-service" },
});

// Load a specific secret by ID
const secret = await client.secrets.get("db-password");
console.log(secret.toString()); // <Secret: db-password>

Remove a secret

// Remove via the manager
await client.secrets.remove("db-password");

// Or remove via the instance
const secret = await client.secrets.get("tls-cert");
await secret.remove();

Build docs developers (and LLMs) love

Get started for freeTalk to us