Learning about Secrets Manager architecture and workload isolation
IBM Cloud® Secrets Manager is a single-tenant, dedicated service that is managed by both you and IBM Cloud. Review the following architecture diagram to see how Secrets Manager can meet the requirements of the sensitive workloads that you want to run in the cloud.
Secrets Manager architecture
The following image shows the main Secrets Manager components, how they interact with each other, and what type of encryption is applied to your personal information.
- A user creates an instance of Secrets Manager. At provisioning, the user can configure a root key from a key management service or choose the default, provider-managed encryption option. A dedicated instance of the service is created.
- When a user, CLI, application, or DevOps tool makes a request to the service by using the Secrets Manager UI or APIs, the request is completed through their vault formation.
- Service data and secrets are stored in a dedicated Cloud Object Storage bucket.
Secrets Manager workload isolation
Secrets Manager is a single-tenant, dedicated service instance. Each workload is isolated in its own namespace within the data plane of the service clusters.