
Known issues and limits

IBM Cloud® Secrets Manager includes the following known issues and limits that might impact your experience.

Known issues

Review the following known issues that you might encounter as you use Secrets Manager.

Known issues and limitations that apply to the Secrets Manager service

Issue: Multiple secrets of the same type can't be created with the same name.
Workaround: It is not possible to create more than one secret of the same type with the same name. This limitation applies at the instance level. To organize similar secrets of the same type across multiple secret groups in your instance, try adding a prefix or suffix to the names of those secrets.

Issue: Secrets can't be transferred between secret groups.
Workaround: If you accidentally assign a secret to the wrong secret group, or if you don't want a secret to belong to the default secret group, you must delete the secret and create a new one.

Issue: API keys that are associated with an IAM secret aren't valid immediately after they are generated.
Workaround: If you have automation in place that calls the Secrets Manager API to get the API key for an IAM secret, add a wait delay of 2 seconds to allow the new API key to be recognized by IAM.

Issue: IAM credentials with a time-to-live (TTL) don't immediately expire.
Workaround: After a secret with a TTL reaches the end of its lease duration, expect a tolerance of 1 - 2 minutes before the secret's associated service ID is deleted by IAM.

Issue: Users that have Writer or Manager service access that is scoped to secret groups are unable to create some types of secrets when they use the Secrets Manager UI.
Workaround: If you have Viewer platform access and Writer or Manager service access that is scoped to a Secrets Manager service secret group, it might not be possible to create secrets in the Secrets Manager dashboard that require an engine configuration, for example, IAM credentials, public certificates, or private certificates. As a workaround, you can use the Secrets Manager CLI plug-in, APIs, or SDKs to manage those secret types.

Issue: Community plug-ins for Vault are not supported.
Workaround: It is not possible to integrate a community plug-in for Vault with Secrets Manager, unless it is written against a secrets engine that Secrets Manager supports. To manage IBM Cloud secrets by using the full Vault native experience, use the stand-alone IBM Cloud plug-ins for Vault.

Issue: When you delete an instance of the service, your API keys are not deleted from IAM.
Workaround: If you have a service ID or API key that was generated by the IAM credentials secret engine and delete your instance of Secrets Manager, you must also delete the secret from IAM.

Issue: IAM Custom Roles are not supported when using the Vault API.
Workaround: Using IAM Custom Roles is fully supported when using the Secrets Manager service API.
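
The 2-second wait recommended above for newly generated IAM API keys can be built into automation as follows. This is an added example, not IBM's code: fetch_key and exchange are hypothetical callables that the caller supplies, and the bounded retry with backoff after the first wait is an assumption that goes beyond the documented workaround.

```python
import time

PROPAGATION_DELAY_S = 2.0  # wait the page recommends after key generation


def token_for_new_api_key(fetch_key, exchange, sleep=time.sleep,
                          delay=PROPAGATION_DELAY_S, max_attempts=4):
    """Return (token, seconds_waited) for a freshly generated IAM API key.

    fetch_key() and exchange(api_key) are hypothetical callables supplied by
    the caller, for example thin wrappers around the Secrets Manager and IAM
    SDKs. exchange returns a token, or None while IAM does not yet
    recognize the key.
    """
    api_key = fetch_key()
    waited = 0.0
    for attempt in range(max_attempts):
        # First pause is the documented 2 s; later pauses double (assumption).
        pause = delay * (2 ** attempt)
        sleep(pause)
        waited += pause
        token = exchange(api_key)
        if token is not None:
            return token, waited
    # The key is deliberately left out of the message so it cannot reach logs.
    raise TimeoutError(f"API key still not recognized after {waited:.0f} s")
```

A rejection that persists after the final attempt should be treated as a real failure and investigated, not retried indefinitely.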

Limits

Consider the following service limits as you use Secrets Manager.

Account limits

The following limits apply per IBM Cloud account.

Secrets Manager limits per account
Resource: Limit
Secrets Manager service instances:
  Trial plan: 1 per IBM Cloud account at any time
  Standard plan: No limit on number of instances per account

Instance limits

The following limits apply to Secrets Manager service instances.

Secrets Manager limits per instance
Resource: Limit
Configurations for secrets engines:

  Public certificates engine:

    • 10 third-party CA configurations
    • 10 DNS provider configurations
    • 10 certificate templates

  Private certificates engine:

    • 10 root certificate authorities
    • 10 intermediate certificate authorities
    • 10 certificate templates

Secret groups: 200 per instance
Total secrets: No limit per instance

Resource limits

Review the following table to understand the limits that apply to secrets of different types.

Limits for secret groups

The following limits apply to secret groups.

Secret group limits
Attribute: Limit
Name: 2 - 64 characters
Description: 2 - 1024 characters
Labels: 2 - 64 characters
  30 labels per secret group

Total secrets

Limits for arbitrary secrets

The following limits apply to arbitrary secrets.

Arbitrary secret limits
Attribute: Limit
Name: 2 - 256 characters
  The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character.
Description: 2 - 1024 characters
Secret value / payload: 1 MB
Labels: 2 - 64 characters
  30 labels per secret
Versions: For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history.
Locks: 1000
Custom metadata: 10 KB
Version custom metadata: 10 KB

Limits for IAM credentials

The following limits apply to IAM credentials.

IAM credential limits
Attribute: Limit
Name: 2 - 256 characters
  The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character.
Description: 2 - 1024 characters
Access groups: 1 - 10 groups
Labels: 2 - 64 characters
  30 labels per secret
Time-to-live (TTL) / lease duration: Minimum duration is 1 minute. Maximum is 90 days.
Versions: 2 versions per secret (current and previous)
  A secret version can be retrieved, rotated, or restored only if the defined time-to-live (TTL) or lease duration wasn't reached. For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history.
Locks: 1000
Custom metadata: 10 KB
Version custom metadata: 10 KB

Limits for key-value secrets

The following limits apply to key-value secrets.

Key-value limits
Attribute: Limit
Name: 2 - 256 characters
  The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character.
Description: 2 - 1024 characters
Secret value / payload: 512 KB
Labels: 2 - 64 characters
  30 labels per secret
Locks: 1000
Custom metadata: 10 KB
Version custom metadata: 10 KB
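
The limits listed above for arbitrary and key-value secrets can be checked before a create or update request is sent, so oversized or misnamed secrets fail in the pipeline instead of at the API. This is an added example, not IBM's code: the function, the "arbitrary" and "key-value" labels, the ASCII reading of "alphanumeric", the binary reading of KB and MB, and measuring the payload as serialized bytes are all assumptions.

```python
import re

# Name rule from the tables above: 2 - 256 characters, only alphanumerics,
# dashes and dots, first and last character alphanumeric.
# Assumption: "alphanumeric" means ASCII letters and digits.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}[A-Za-z0-9]")

KB = 1024  # assumption: the page's KB and MB are binary units
# Keys are labels chosen for this example; payload sizes are in bytes.
PAYLOAD_LIMIT = {"arbitrary": 1024 * KB, "key-value": 512 * KB}
MAX_LABELS = 30
MAX_CUSTOM_METADATA = 10 * KB


def check_secret(kind, name, payload, description=None, labels=(),
                 custom_metadata=b""):
    """Return a list of violated limits; an empty list means the request fits."""
    if kind not in PAYLOAD_LIMIT:
        raise ValueError(f"example covers only {sorted(PAYLOAD_LIMIT)}")
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name")
    # Assumption: the description is optional; the length rule applies if set.
    if description is not None and not 2 <= len(description) <= 1024:
        problems.append("description")
    if len(payload) > PAYLOAD_LIMIT[kind]:
        problems.append("payload")
    if len(labels) > MAX_LABELS:
        problems.append("label-count")
    if any(not 2 <= len(label) <= 64 for label in labels):
        problems.append("label-length")
    if len(custom_metadata) > MAX_CUSTOM_METADATA:
        problems.append("custom-metadata")
    return problems
```

The returned list names only the violated limit, never the secret value, so it is safe to write to build logs.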

Limits for SSL/TLS certificates

The following limits apply to imported, private, or public certificates.

TLS certificate limits
Attribute: Limit
Name: 2 - 256 characters
  The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character.
Description: 2 - 1024 characters
Certificate: 100 KB
  Supported file type is .pem. The certificate must be a valid, X.509-based certificate.
Private key: 100 KB
  Private key file is limited to PEM-formatted content. If provided, the private key must match the certificate that you are importing. Only unencrypted private keys are supported.
Intermediate certificate: 100 KB
  Supported file type is .pem. If provided, the intermediate certificate must be a valid, X.509-based certificate.
Labels: 2 - 364 characters
  30 labels per secret
Versions: 2 versions per certificate (current and previous)
  For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history.
Locks: 1000
Custom metadata: 10 KB
Version custom metadata: 10 KB

Limits for user credentials

The following limits apply to user credentials.

User credential limits
Attribute: Limit
Name: 2 - 256 characters
  The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character.
Description: 2 - 1024 characters
Username: 2 - 64 characters
Password: 6 - 256 characters
Labels: 2 - 64 characters
  30 labels per secret
Versions: For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history.
Locks: 1000
Custom metadata: 10 KB
Version custom metadata: 10 KB

Limits for service credentials

The following limits apply to service credentials.

Service credential limits
Attribute: Limit
Name: 2 - 256 characters
  The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character.
Description: 2 - 1024 characters
Labels: 2 - 64 characters
  30 labels per secret
Versions: For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history.
Locks: 1000
Custom metadata: 10 KB
Version custom metadata: 10 KB