I drew a diagram based on the anoncreds_demo to figure out how to use ursa, but I'm not sure if the issuer will/should know the master secret. According to Indy SDK doc and the demo, a master secret is a special piece of data that’s inserted into a credential in blinded form and is given to issuer directly in plaintext.

The link secret is known only to the Prover. A blinded commitment to the link secret is provided to the Issuer for inclusion into the credential signature.