Known issues and limits
IBM Cloud® Secrets Manager includes the following known issues and limits that might impact your experience.
Known issues
Review the following known issues that you might encounter as you use Secrets Manager.
| Issue | Workaround |
|---|---|
| Multiple secrets of the same type can't be created with the same name. | It is not possible to create more than one secret of the same type with the same name. This limitation applies at the instance level. To organize similar secrets of the same type across multiple secret groups in your instance, try adding a prefix or suffix to the names of those secrets. |
| Secrets can't be transferred between secret groups. | If you accidentally assign a secret to the wrong secret group, or if you don't want a secret to belong to the default secret group, you must delete the secret and create a new one. |
| API keys that are associated with an IAM secret aren't valid immediately after they are generated. | If you have automation in place that calls the Secrets Manager API to get the API key for an IAM secret, add a wait delay of 2 seconds to allow the new API key to be recognized by IAM. |
| IAM credentials with a time-to-live (TTL) don't immediately expire. | After a secret with a TTL reaches the end of its lease duration, expect a tolerance of 1 - 2 minutes before the secret's associated service ID is deleted by IAM. |
| Users that have Writer or Manager service access that is scoped to secret groups are unable to create some types of secrets when they use the Secrets Manager UI. | If you have Viewer platform access and Writer or Manager service access that is scoped to a Secrets Manager service secret group, it might not be possible to create secrets in the Secrets Manager dashboard that require an engine configuration, for example, IAM credentials, public certificates, or private certificates. As a workaround, you can use the Secrets Manager CLI plug-in, APIs, or SDKs to manage those secret types. |
| Community plug-ins for Vault are not supported. | It is not possible to integrate a community plug-in for Vault with Secrets Manager, unless it is written against a secrets engine that Secrets Manager supports. To manage IBM Cloud secrets by using the full Vault native experience, use the stand-alone IBM Cloud plug-ins for Vault. |
| When you delete an instance of the service, your API keys are not deleted from IAM. | If you have a service ID or API key that was generated by the IAM credentials secret engine and delete your instance of Secrets Manager, you must also delete the secret from IAM. |
| IAM Custom Roles are not supported when using Vault API. | Using IAM Custom Roles is fully supported when using the Secrets Manager service API. |
Limits
Consider the following service limits as you use Secrets Manager.
Account limits
The following limits apply per IBM Cloud account.
| Resource | Limit |
|---|---|
| Secrets Manager service instances | Trial plan: 1 per IBM Cloud account at any time Standard plan: No limit on number of instances per account |
Instance limits
The following limits apply to Secrets Manager service instances.
| Resource | Limit |
|---|---|
| Configurations for secrets engines |
Public certificates engine:
Private certificates engine:
|
| Secret groups | 200 per instance |
| Total secrets | No limit per instance |
Resource limits
Review the following table to understand the limits that apply to secrets of different types.
Limits for secret groups
The following limits apply to secret groups.
| Attribute | Limit |
|---|---|
| Name | 2 - 64 characters |
| Description | 2 - 1024 characters |
| Labels | 2 - 64 characters
30 labels per secret group |
| Total secrets | – |
Limits for arbitrary secrets
The following limits apply to arbitrary secrets.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Secret value / payload | 1 MB |
| Labels | 2 - 64 characters
30 labels per secret |
| Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
Limits for IAM credentials
The following limits apply to IAM credentials.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Access groups | 1 - 10 groups |
| Labels | 2 - 64 characters
30 labels per secret |
| Time-to-live (TTL) / lease duration | Minimum duration is 1 minute. Maximum is 90 days. |
| Versions | 2 versions per secret (current and previous)
A secret version can be retrieved, rotated, or restored only if the defined time-to-live (TTL) or lease duration wasn't reached. For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
Limits for key-value secrets
The following limits apply to key-value secrets.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Secret value / payload | 512 KB |
| Labels | 2 - 64 characters
30 labels per secret |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
Limits for SSL/TLS certificates
The following limits apply to imported, private, or public certificates.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Certificate | 100 KB
Supported file type is |
| Private key | 100 KB
Private key file is limited to PEM-formatted content. If provided, the private key must match the certificate that you are importing. Only unencrypted private keys are supported. |
| Intermediate certificate | 100 KB
Supported file type is |
| Labels | 2 - 364characters
30 labels per secret |
| Versions | 2 versions per certificate (current and previous)
For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
Limits for user credentials
The following limits apply to user credentials.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Username | 2 - 64 characters |
| Password | 6 - 256 characters |
| Labels | 2 - 64 characters
30 labels per secret |
| Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
Limits for service credentials
The following limits apply to service credentials.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Labels | 2 - 64 characters
30 labels per secret |
| Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |