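# List all secrets visible to the current project/credentials.
openstack secret list

# Download a secret payload to a file.
# The payload is key material, so it is written into a private directory:
# mktemp -d creates the directory with owner-only permissions and an
# unpredictable name, instead of a fixed file name directly in the shared /tmp.
# The payload ends up in "${secret_dir}/file1.out"; delete the directory when
# the material is no longer needed.
secret_dir=$(mktemp -d) &&
  openstack secret get https://barbican.service.example.com/v1/secrets/d5794ec0-a86f-420f-8d03-b1b11b4251bd \
    --payload_content_type application/octet-stream \
    --file "${secret_dir}/file1.out"

# Create secret / certificate
# The PKCS#12 bundle is base64-encoded and sent as an octet-stream payload.
# NOTE: --payload places the encoded bundle on the command line, where it can
# show up in process listings and in `set -x` traces while the command runs.
# Newer python-barbicanclient releases can read the payload from a file
# instead; check `openstack secret store --help` for the installed version.
openstack secret store --name=cert1 -t "application/octet-stream" -e base64 \
  --payload="$(base64 < cert1.p12)"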
ACL
https://docs.openstack.org/python-barbicanclient/latest/cli/cli_usage.html
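# List the users currently allowed on the secret (its ACL).
openstack acl get https://barbican.service.example.com/v1/secrets/1111111-2222-3333-4444-5555555555555

# Allow a user to access the secret.
# USER_ID is quoted so it is passed as a single argument, and ${VAR:?} makes
# the command fail early instead of running with an empty or unset user ID.
# Re-run `openstack acl get` on the same secret afterwards to confirm that the
# ACL contains exactly the users you expect.
openstack acl user add -u "${USER_ID:?set USER_ID to the user ID to grant}" \
  https://barbican.service.example.com/v1/secrets/1111111-2222-3333-4444-5555555555555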
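# Bundle an existing certificate secret and private-key secret into one
# container of type "certificate".
# The key name is written as private_key: the backslash in "private\_key" was
# markdown-escaping residue and would be sent literally inside double quotes.
# NOTE(review): the two secret refs point at different endpoints, and the
# private-key ref uses plain http on localhost. Confirm both refs belong to
# the Barbican service the container is created in before running this.
barbican secret container create \
  --name="certificate1" \
  --type="certificate" \
  --secret="certificate=https://barbican.service.stage.example.com/v1/secrets/713293b2-e210-43ea-b965-b06351703ff4" \
  --secret="private_key=http://localhost:9311/v1/secrets/1b9e1a93-2aeb-4101-8002-e52acab987b0"

# Allow access
# --project-access leaves project-wide access enabled, so project members
# permitted by Barbican's RBAC policy can still read the secret in addition to
# the named user. To restrict reads to the users listed in the ACL, use
# --no-project-access instead.
# Variables are quoted and checked with ${VAR:?} so an empty or unset value
# aborts the command rather than changing the ACL of the wrong target.
openstack acl user add --user "${USER_ID:?set USER_ID to the user ID to grant}" \
  --project-access --operation-type read \
  "${SECRET_ID:?set SECRET_ID to the secret reference}"

# Verify the resulting ACL.
openstack acl get "${SECRET_ID:?set SECRET_ID to the secret reference}"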
Links
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/manage_secrets_with_openstack_key_manager/managing_secrets_in_barbican
https://docs.openstack.org/api-guide/key-manager/containers.html#retrieve-container