Monitoring IBM Cloud® Secrets Manager certificates and secrets expiry

This tutorial shows you how to be notified when a secret or TLS certificate that is stored in Secrets Manager is about to expire, by connecting Secrets Manager to IBM Cloud® Event Notifications and subscribing an email address to the expiry events.

Secrets Manager and Event Notifications

How Secrets Manager sends events

When an event of interest takes place in your Secrets Manager instance, Secrets Manager forwards a notification to the connected Event Notifications instance, which delivers it to a supported destination such as email or a webhook.

This tutorial shows you how to configure the following flow:

  1. An alert is raised in Secrets Manager.

  2. Secrets Manager sends a notification to Event Notifications.

  3. Event Notifications creates an email and sends the email to the subscribed user.

Secrets Manager aggregates a list of your pending notifications by event type, the type of secret, and expiry details if they apply. Every few minutes, the service checks for and dispatches any pending notifications to the connected Event Notifications service. For example, you might receive notifications that are similar to the following messages:

  • You have five public certificate secrets that expire in 10 days.
  • You have 100 imported certificate secrets that expire in 30 days.

A single event notification covers a maximum of 100 secrets. If more secrets match the same event type, secret type, and expiry window, Secrets Manager splits them across several notifications.
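The aggregation and batching described above, as an added example that is not Secrets Manager's own code: it groups a constructed inventory of secrets by event type, secret type and expiry window, splits each group into notifications of at most 100 secrets, and renders the same kind of summary line the service sends. The expiry windows (10 and 30 days), the event type names and the secret type names are assumptions chosen for the example; check your instance's notification settings for the real values.

```python
from collections import defaultdict
from datetime import date, timedelta

EXPIRY_WINDOWS_DAYS = (10, 30)          # assumed thresholds for this example
MAX_SECRETS_PER_NOTIFICATION = 100      # limit stated in the tutorial


def classify(expiration, today):
    """Map an expiration date to (event_type, window_days), or None when no
    notification is pending. Already expired secrets get their own event
    type; the rest fall into the smallest window that still covers them."""
    days_left = (expiration - today).days
    if days_left < 0:
        return ("secret_expired", None)
    for window in sorted(EXPIRY_WINDOWS_DAYS):
        if days_left <= window:
            return ("secret_about_to_expire", window)
    return None


def aggregate(secrets, today):
    """Group pending notifications by (event_type, secret_type, window).
    `secrets` is an iterable of (secret_id, secret_type, expiration_date)."""
    groups = defaultdict(list)
    for secret_id, secret_type, expiration in secrets:
        key = classify(expiration, today)
        if key is not None:
            event_type, window = key
            groups[(event_type, secret_type, window)].append(secret_id)
    return groups


def dispatch(groups):
    """Split every group into notifications of at most 100 secrets each,
    in a deterministic order (expired secrets have window None)."""
    notifications = []
    ordered = sorted(groups.items(),
                     key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or -1))
    for (event_type, secret_type, window), ids in ordered:
        for start in range(0, len(ids), MAX_SECRETS_PER_NOTIFICATION):
            notifications.append({
                "event_type": event_type,
                "secret_type": secret_type,
                "expires_in_days": window,
                "secret_ids": ids[start:start + MAX_SECRETS_PER_NOTIFICATION],
            })
    return notifications


def summary(notification):
    """Render a notification the way the tutorial's sample messages read."""
    count = len(notification["secret_ids"])
    kind = notification["secret_type"].replace("_", " ")
    if notification["event_type"] == "secret_expired":
        return f"You have {count} {kind} secrets that have expired."
    days = notification["expires_in_days"]
    return f"You have {count} {kind} secrets that expire in {days} days."


def sample_secrets(today):
    """Constructed inventory: 5 public certs due in 7 days, 150 imported
    certs due in 25 days, one imported cert expired yesterday, and one
    public cert that is not due for 90 days (no notification pending)."""
    secrets = [(f"pub-{i}", "public_cert", today + timedelta(days=7))
               for i in range(5)]
    secrets += [(f"imp-{i}", "imported_cert", today + timedelta(days=25))
                for i in range(150)]
    secrets.append(("imp-old", "imported_cert", today - timedelta(days=1)))
    secrets.append(("pub-far", "public_cert", today + timedelta(days=90)))
    return secrets


def run_example(today=date(2024, 1, 15)):
    """Aggregate and dispatch the sample inventory as of `today`."""
    return dispatch(aggregate(sample_secrets(today), today))


if __name__ == "__main__":
    for note in run_example():
        print(summary(note))
```

Running the block produces four notifications: the 150 imported certificates in the 30-day window are split into batches of 100 and 50, the five public certificates form one notification for the 10-day window, and the expired certificate is reported separately; the certificate that is 90 days out produces nothing.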

Before you begin

You need an IBM Cloud® account. If you don't have an account, then Create an IBM Cloud account.

Create an Event Notifications service instance

  1. Log in to your IBM Cloud® account.

  2. In the IBM Cloud catalog, search for Event Notifications and select the Event Notifications tile.

  3. Select a Location from the list of supported locations and select a pricing plan.

  4. Enter a service name.

  5. Select a resource group.

  6. Accept the license agreement terms and click Create.

Create a Secrets Manager service instance

  1. In the IBM Cloud catalog, search for Secrets Manager and select the Secrets Manager tile.

  2. Select a Location from the list of supported locations and select a pricing plan.

  3. Enter a service name.

  4. Select a resource group.

  5. Accept the license agreement terms and click Create.

Connecting to Event Notifications in the Secrets Manager user interface

  1. From the Secrets Manager instance, click Settings.

  2. In the Event Notifications section, click Connect.

  3. In the side panel, review the source details for the connection. Optionally, provide a description.

  4. Select the resource group and Event Notifications service instance that you want to connect to.

If an IAM authorization between Secrets Manager and Event Notifications doesn't exist in your account, a dialog is displayed. Follow the prompts to grant access between the services. Scope the authorization to the specific Event Notifications instance rather than to all instances, so Secrets Manager can publish events only where you intend:

  1. To grant access, click Authorize.

  2. In the side panel, select Event Notifications as the target service.

  3. From the list of instances, select the service instance that you want to authorize.

  4. Select the Event Source Manager role.

  5. Click Review.

  6. Click Assign.

  7. To confirm the connection, click Connect.

A success message is displayed to indicate that Secrets Manager is now connected to Event Notifications.

Verify the Secrets Manager source in Event Notifications

  1. Click the menu icon > Resource list.

  2. Open Services and software.

  3. Open the Secrets Manager instance that you created. For more information, see Sending email notifications to Event Notifications.

  4. Click Sources.

When you connect to Event Notifications in Secrets Manager, a source, with the same name as your Secrets Manager instance name, is automatically added to your Event Notifications list.

Create an Event Notifications destination

This step ensures that an email destination exists where notifications are forwarded.

  1. Click Destinations.

  2. Notice in the Destinations list that, by default, an IBM Cloud email service is defined. You do not need to do anything else to configure an email destination.

If you want to add a webhook as a destination, click Add and enter the appropriate information in the Add a destination panel.

Create an Event Notifications topic

Define a topic that receives an event from Secrets Manager.

  1. Click Topics.

  2. Click Create.

  3. In the Topic details panel enter the following details:

    • Enter the Name for your topic. For example, MonitorSecretExpiry.
    • For Source select the Event Notifications source, which has the same name as your Secrets Manager instance.
    • Select an Event Type. For this tutorial, select Secret about to expire.
    • Select an Event subtype. For this tutorial, select Secret expire in 10 days.
    • Select a Severity. For this tutorial, select High Severity.
  4. Click Add a condition. If you do not click Add a condition before you click Create, the topic is created without any conditions and therefore does not match any events from the source.

  5. Click Create. Your topic is displayed in the Topics list.

If you add a condition without selecting an Event Type, the condition matches every event from the Secrets Manager source, including the test event. Conversely, the condition that this tutorial creates (Secret about to expire, 10 days, High severity) does not match the test event, so do not expect a test email from that topic alone.
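A small model of how a topic condition filters events from the Secrets Manager source, added here as an example and not Event Notifications' own matching code, to make the two caveats above concrete: a topic with no conditions forwards nothing, and a condition with no Event Type selected matches every event, including the test event. The event type, subtype and severity strings, and the assumption that a topic without conditions matches nothing, are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    """An event as received from the Secrets Manager source (constructed)."""
    event_type: str
    subtype: Optional[str]
    severity: str


@dataclass(frozen=True)
class Condition:
    """A topic condition; None means the field was not selected in the UI
    and therefore places no restriction on that field."""
    event_type: Optional[str] = None
    subtype: Optional[str] = None
    severity: Optional[str] = None

    def matches(self, event: Event) -> bool:
        wanted = (self.event_type, self.subtype, self.severity)
        actual = (event.event_type, event.subtype, event.severity)
        return all(w is None or w == a for w, a in zip(wanted, actual))


@dataclass
class Topic:
    name: str
    conditions: List[Condition] = field(default_factory=list)

    def accepts(self, event: Event) -> bool:
        # A topic created without conditions matches nothing (assumption).
        return any(c.matches(event) for c in self.conditions)


# Constructed events: the test event from Settings, plus two expiry events.
TEST_EVENT = Event("test_event", None, "Low")
EXPIRES_10 = Event("secret_about_to_expire", "secret_expires_in_10_days", "High")
EXPIRES_30 = Event("secret_about_to_expire", "secret_expires_in_30_days", "Medium")
SAMPLE_EVENTS = [TEST_EVENT, EXPIRES_10, EXPIRES_30]

# The topic built in this tutorial, a catch-all topic, and an empty one.
TUTORIAL_TOPIC = Topic("MonitorSecretExpiry", [Condition(
    event_type="secret_about_to_expire",
    subtype="secret_expires_in_10_days",
    severity="High")])
CATCH_ALL_TOPIC = Topic("EverythingFromSecretsManager", [Condition()])
EMPTY_TOPIC = Topic("NoConditions", [])


def route(topics, events):
    """Return {topic name: [event types forwarded to that topic]}."""
    return {t.name: [e.event_type for e in events if t.accepts(e)]
            for t in topics}


if __name__ == "__main__":
    for name, forwarded in route(
            [TUTORIAL_TOPIC, CATCH_ALL_TOPIC, EMPTY_TOPIC], SAMPLE_EVENTS).items():
        print(f"{name}: {forwarded}")
```

The tutorial topic forwards only the 10-day High event, the catch-all topic forwards all three events including the test event, and the topic without conditions forwards nothing. If you want the Send test event button to exercise your email subscription, attach the subscription to a topic whose condition leaves the Event Type unselected, at least while you are verifying delivery.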

Create an Event Notifications email subscription

Configure who receives an email when a notification is processed:

  1. Click Subscriptions.

  2. Click Create.

  3. In the Create a subscription panel enter the following details:

    • Enter the Name for your subscription. For example, SecretExpirySubscription.
    • For Topic, select the topic you created. For example, MonitorSecretExpiry.
    • For Destination, select IBM Cloud email service.
    • For Recipients, enter a valid email address, for example, MyEmail@MyCompany.com.
  4. Click Create. Your subscription is added to the Subscriptions list.

Sending a test event from Secrets Manager

Send a test event as follows:

  1. Click the menu icon > Resource list.

  2. Open Services and software.

  3. Open the Secrets Manager instance that you created.

  4. Click Settings.

  5. Click Send test event.

You should start receiving notifications at the email address that you configured whenever the criteria defined in both Secrets Manager and Event Notifications match. If no email arrives, check that the subscription points at the intended topic and recipient, and that the topic has a condition that matches the event you expect: a condition that specifies the event type Secret about to expire matches expiry events but not the test event, so a test email only arrives through a topic whose condition leaves the Event Type unselected.