IBM Cloud Docs
Accessing secrets

Accessing secrets

After you store secrets in your IBM Cloud® Secrets Manager service instance, you can retrieve their values.

Before you begin

Before you begin, be sure that you have the required level of access. To view a list of your available secrets, you need the Reader service role or higher. To retrieve the value of a secret, you need the SecretsReader service role or higher.

Retrieving a secret in the UI

You can retrieve a secret by using the Secrets Manager UI. Follow these steps to get your secret.

  1. In the Secrets table, click the Actions menu Actions icon to open a list of options for your secret.
  2. To view the secret value, click View secret.
  3. Click Confirm after you ensure that you are in a safe environment.

The secret value is displayed for 15 seconds, then the dialog closes.

You can also retieve a secret's details such as expiration date, and rotation interval or state.

  1. In the Secrets table, click the Actions menu Actions icon to open a list of options for your secret.
  2. To view the secret value, click Details.

You can further filter retrieved secrets from the filter option in the Secrets table, and select a secret group and/or secret type.

You can also retrieve secrets programmatically by using the CLI, API, or SDKs. To see the steps, switch to the CLI or API instructions.

Downloading certificates

To download a certificate by using the Secrets Manager UI, complete the following steps.

  1. In the console, click the Menu icon Menu icon > Resource List.

  2. From the list of services, select your instance of Secrets Manager.

  3. In the Secrets table, open the overflow menu for the certificate that you want to download.

  4. Click Download. The certificate file is downloaded to your local system.

    After your secret has been rotated, you can click Download previous to obtain the previous version of your certificate.

Retrieving a secret from the CLI

After you store a secret in your instance, you might need to retrieve its value so that you can connect to an external app or get access to a protected service. You can retrieve the value of a secret by using the Secrets Manager CLI plug-in.

To get the value of a secret as well as review its details such as expiration date and rotation interval or state, run the ibmcloud secrets-manager secret command.

ibmcloud secrets-manager secret --id SECRET_ID

The command outputs the value of the secret, along with other metadata. For more information about the command options, see ibmcloud secrets-manager secret.

You can also get a secret by using its Name:

ibmcloud secrets-manager secret-by-name --secret-type SECRET_TYPE --name SECRET_NAME --secret-group-name SECRET_GROUP_NAME

You can further filter retrieved secrets by using the --secret-types and --match-all-labels optional flags.

Downloading certificates

When you're working with certificates, you might need the ability to download the payload of a certificate into a pem file by using the CLI. To do so, you can use the Secrets Manager CLI plug-in and jq.

To store the certificate into a pem file, run the ibmcloud secrets-manager secret command.

ibmcloud secrets-manager secret --id=SECRET_ID | jq -r '.certificate' | sed 's/\\n/\n/g' > my-cert-file.pem

The command outputs the value of the certificate and stores it to my-cert-file.pem. For more information about the command options, see ibmcloud secrets-manager secret.

Retrieving a secret with the API using secret ID

After you store a secret in your instance, you might need to retrieve its value so that you can connect to an external app or get access to a protected service. You can retrieve the value of a secret by using the Secrets Manager API.

The following example request retrieves a secret and its details, such as expiration date and rotation interval or state. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.

curl -X GET 
    -H "Authorization: Bearer {iam_token}" \
    -H "Accept: application/json" \ 
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/{secret_ID}"

A successful response returns the value of the secret, along with other metadata. For more information about the required and optional request parameters, see Get a secret.

You can further filter retrieved secrets by using the ?secret_types and ?match_all_labels optional parameters.

Retrieving a secret with the API using secret Name

You can also retrieve the secret's value by reference its Name instead of ID:

curl -X GET 
    -H "Authorization: Bearer {iam_token}" \
    -H "Accept: application/json" \ 
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secret_groups/{secret_group_name}/secret_types/{secret_type}/secrets/{secert_name}"

Note that you need to specify the secret's name, secret group name and secret_type.

You can further filter retrieved secrets by using the ?secret_types and ?match_all_labels optional parameters.

Retrieving arbitrary secrets that contain binary data

If you created an arbitrary secret by using a binary file, such as an image, the service uses base64 encoding to store the data as a base64 encoded string. To access the secret in its original form, you need to complete a few extra steps to base64 decode your retrieved secret.

First, retrieve the secret by calling the Secrets Manager API. The following example uses cURL and jq to collect the payload value of a secret.

export ARBITRARY_SECRET=`curl -X GET  
    -H "Authorization: Bearer $IAM_TOKEN" \
    -H "Accept: application/json" 
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/arbitrary/{id}" | jq --raw-output '.payload | sub(".*,"; "")'`

If you inspect the contents of $ARBITRARY_SECRET, you see base64 encoded data. The following snippet shows an example output.

echo $ARBITRARY_SECRET
eUdB68klDSrzSKgWcQS5...(truncated)

To view the secret in its original form (binary file), you can use base64 decoding. The following example uses the base64 macOS utility to base64 decode the $ARBITRARY_SECRET contents.

echo $ARBITRARY_SECRET | base64 --decode > my-secret.png

The data is converted back to a binary file that you can open from your local computer.

Downloading the previous version of a certificate

After you rotate a certificate, you can programmatically access its previous version by using the Secrets Manager API.

The following example request retrieves a secret and its contents. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.

curl -X GET  
   --header "Authorization: Bearer {iam_token}" \
   --header "Accept: application/json" \
   "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/{id}/versions/previous"