IBM Cloud Docs
Assigning access to Secrets Manager

Assigning access to Secrets Manager

You can enable different levels of access to IBM Cloud® Secrets Manager resources in your IBM Cloud account by creating and modifying IBM Cloud IAM access policies.

As an account owner, determine an access policy type for users, service IDs, and access groups based on your internal access control requirements. For example, if you want to grant user access to Secrets Manager at the smallest scope available, you can assign access to a secret group in an instance.

To learn more about suggested guidelines for assigning access to secrets, check out Best practices for organizing secrets and assigning access.

Before you begin

Before you get started, be sure that you have Administrator platform access so that you can further assign roles and customize access policies for others.

Assigning access to a Secrets Manager instance

To assign access to a Secrets Manager instance and its contained secrets or secret groups, you can use the Access (IAM) section of the IBM Cloud console.

  1. Create an access group for the users and service IDs that you want to give access to and add those users to the group.

    For example, you might have a group of security admins that might need the same level of access.

  2. After you create a group and add users, go to Manage > Access (IAM) > Access Groups.

  3. Select a table row, and click the Actions menu Actions icon to open a list of options for that access group.

  4. Click Assign access.

  5. From the list of services, select Secrets Manager and click Next.

  6. In the Resources section, select Specific resources. Choose a region and Secrets Manager service instance. Then, click Next.

    If you choose not to provide a specific instance, access is assigned for all instances of the service within the region that you selected. If you choose not to select a region, access is granted for all instances of the service in your account.

  7. Choose a combination of platform and service access roles to assign access for access group.

  8. Review your selections and click Add.

  9. Click Assign.

    Now you can add users and service IDs to the access group so that you can assign access to Secrets Manager with a single access policy. For more information, see Setting up access groups.

Assigning access to a secret group

You can further narrow the scope of access to secrets in your instance by creating and managing secret groupsThe environment and constraints that contained secrets in an instance must adhere to. A user can be associated with a secret group to enable access and collaboration. .

Assigning a separate Viewer access policy to be able to view the service instance is required, in addition to the scoped access policy.

Assigning access to a secret group in the service UI

After you create a secret group for your instance, you can use the Secret groups section of the Secrets Manager UI to manage its access.

  1. In the console, click the Menu icon Menu icon > Resource List to view a list of your resources.

  2. Select your instance of Secrets Manager.

  3. In the navigation, click Secret groups.

  4. Use the Secret groups table to browse the groups in your instance.

  5. In the row of the group that you want to manage, click the Actions menu Actions icon > Manage access.

  6. Select an access group to give its contained users and service IDs access to your secret group.

  7. Choose a combination of access roles to assign.

    If you want to grant the users or service IDs in your access group the ability to access your Secrets Manager service instance from the Resource list in the IBM Cloud console, be sure to assign the Viewer platform role.

  8. Click Review.

  9. Review your selections and click Assign.

Assigning access to a secret group in the console

You can also use the Access (IAM) section of the IBM Cloud console to manage access for your secret groups.

To assign access in the IBM Cloud console, be sure that you have the ID of the secret group that you want to manage. You can copy the ID of a secret group from the Secret groups table in your Secrets Manager service instance.

  1. In the console, go to Manage > Access (IAM) > Access Groups.

  2. In the row for the access group that you want to manage, click the Actions menu Actions icon > Assign access.

  3. Click Assign access.

  4. From the list of services, select Secrets Manager and click Next.

  5. In the Resources section, select Specific resources.

    1. In the Instance ID field, select your Secrets Manager instance. Click Add condition.
    2. In the Resource Type field, enter secret-group. Click Add condition.
    3. In the Resource field, enter the ID that was assigned to your secret group by the Secrets Manager service.
    4. Click Next.

  6. Choose a combination of access roles to assign.

    If you want to grant the users or service IDs in your access group the ability to access your Secrets Manager service instance from the Resource list in the IBM Cloud console, be sure to assign the Viewer platform role.

  7. Review your selections and Add.

  8. Click Assign.

You can't assign access to the default secret group.