Creating custom credentials secrets
The custom credentials secret type enables IBM Cloud® Secrets Manager users to securely manage credentials for external systems (such as Artifactory or PagerDuty) through Secrets Manager APIs and integrations. To create these secrets, you deploy an IBM Cloud® Code Engine job that acts as a bridge between Secrets Manager and the external service. These jobs run on a fixed schedule and manage credentials asynchronously by using secret tasks.
The process for creating custom credentials is asynchronous by design. When a new secret is added, it initially enters a pre-activation state. If the secret is successfully created in the external credentials provider, its state automatically becomes active within Secrets Manager.
Before you begin
Before you get started, make sure that you have:
- The required level of access. To create or add secrets, you need the Writer service role or higher.
- Configured your instance to create custom credentials secrets by creating a Code Engine job and custom credentials engine configuration.
Creating a custom credentials secret in the console
To add a secret:
- In the Secrets table, click Add.
- From the list of secret types, click the Custom credentials tile.
- Click Next.
- Add a name and description to easily identify your secret.
- Select the secret group that you have previously created.
- Optional: Add labels to help you to search for similar secrets in your instance.
- Optional: Add metadata to your secret or to a specific version of your secret.
- Upload a file or enter the metadata and the version metadata in JSON format.
- Click Next.
- Select the custom credentials engine configuration to use for this secret.
- Enter the required values under Parameters.
- Click Next.
- Optional: Enable least duration and automatic rotation of your secret.
- Click Next.
- Review the details of your secret.
- Click Add.
You can change the values of the parameters later. The change takes effect only after a new secret version is created. You cannot add or remove parameters without creating a new configuration.
Viewing and updating secret details in the console
As with any other secret, you can access your secret details by clicking the Actions menu > Details. From the details screens, you can learn about:
Creating a custom credentials secret from CLI
Before you begin, follow the CLI docs to set your API endpoint.
To create a custom credentials secret by using the Secrets Manager CLI plug-in, run the ibmcloud secrets-manager secret-create command. The configuration is passed as a plain name, and the secret and version metadata are passed as two separate JSON values:
ibmcloud secrets-manager secret-create --secret-type custom_credentials --secret-name "example-custom-credential-secret" --secret-description "Description of my custom credential secret" --secret-rotation '{"auto_rotate": true,"interval": 30,"unit": "day"}' --custom-credentials-parameters '{"my_input_parameter":"my_param_value"}' --custom-credentials-configuration "my_custom_credential_config" --secret-custom-metadata '{"metadata_custom_key": "metadata_custom_value"}' --secret-version-custom-metadata '{"custom_version_key": "custom_version_value"}'
Creating a custom credentials secret using API
You can create a custom credential programmatically by calling the Secrets Manager API. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.
You can store metadata that is relevant to the needs of your organization with the custom_metadata and version_custom_metadata request parameters. Values of version_custom_metadata are returned only for the versions of a secret. The custom metadata of your secret is stored like all other metadata, for up to 50 versions, and you must not include confidential data in it.
curl -X POST \
  -H "Authorization: Bearer {IAM_token}" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "example-custom-credential-secret",
    "description": "Description of my custom credential secret",
    "secret_type": "custom_credentials",
    "secret_group_id": "bfc0a4a9-3d58-4fda-945b-76756af516aa",
    "labels": [
      "dev",
      "us-south"
    ],
    "rotation": {
      "auto_rotate": true,
      "interval": 30,
      "unit": "day"
    },
    "configuration": "my_custom_credential_config",
    "parameters": {
      "user_name": "username",
      "scope": "admin"
    },
    "custom_metadata": {
      "metadata_custom_key": "metadata_custom_value"
    },
    "version_custom_metadata": {
      "custom_version_key": "custom_version_value"
    }
  }' \
  "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets"
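Because the create call only puts the secret into the pre_activation state, a client has to poll until the Code Engine job has produced the credential and the state becomes active. The following Python script is an added example, not IBM's SDK or code from this page: it builds the same request body as the curl call above, sends it with the standard library, and polls GET /api/v2/secrets/{id} with a timeout. The base URL is a placeholder, and the assumption that the GET response reports the state in a state_description field with the values pre_activation and active is mine; the clock and sleep hooks exist so the polling logic can be exercised without a live instance.

```python
"""Create a custom credentials secret through the Secrets Manager v2 API and wait
for it to become active. Added example; endpoint path, field names and the JSON
body mirror the page's curl call, the state_description field is an assumption."""
import json
import time
import urllib.request
from typing import Any, Callable, Dict, Optional

# Placeholder for https://{instance_ID}.{region}.secrets-manager.appdomain.cloud
BASE_URL = "https://INSTANCE_ID.REGION.secrets-manager.appdomain.cloud"

# The Terraform schema groups parameters into string, int and bool values, so
# anything else (floats, lists, nested objects) is rejected before the call.
ALLOWED_PARAM_TYPES = (str, int, bool)


def build_create_request(name: str, configuration: str, parameters: Dict[str, Any],
                         description: str = "", secret_group_id: Optional[str] = None,
                         labels: Optional[list] = None,
                         rotation_interval_days: Optional[int] = None,
                         custom_metadata: Optional[dict] = None,
                         version_custom_metadata: Optional[dict] = None) -> Dict[str, Any]:
    """Assemble the POST /api/v2/secrets body for a custom_credentials secret."""
    if not parameters:
        raise ValueError("a custom credentials secret needs the parameters its configuration declares")
    for key, value in parameters.items():
        if not isinstance(value, ALLOWED_PARAM_TYPES):
            raise ValueError(f"parameter {key!r} must be a string, integer or boolean")
    body: Dict[str, Any] = {
        "name": name,
        "secret_type": "custom_credentials",
        "configuration": configuration,
        "parameters": dict(parameters),
    }
    if description:
        body["description"] = description
    if secret_group_id:
        body["secret_group_id"] = secret_group_id
    if labels:
        body["labels"] = list(labels)
    if rotation_interval_days is not None:
        body["rotation"] = {"auto_rotate": True, "interval": rotation_interval_days, "unit": "day"}
    if custom_metadata:
        body["custom_metadata"] = dict(custom_metadata)       # never put secret material here
    if version_custom_metadata:
        body["version_custom_metadata"] = dict(version_custom_metadata)
    return body


def _request(method: str, url: str, iam_token: str, body: Optional[dict] = None) -> dict:
    """Send one JSON request with the bearer token and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {iam_token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_secret(base_url: str, iam_token: str, body: dict) -> dict:
    return _request("POST", f"{base_url}/api/v2/secrets", iam_token, body)


def make_fetcher(base_url: str, iam_token: str) -> Callable[[str], dict]:
    """Return a function that reads one secret by ID (GET /api/v2/secrets/{id})."""
    return lambda secret_id: _request("GET", f"{base_url}/api/v2/secrets/{secret_id}", iam_token)


def wait_until_active(secret_id: str, fetch_secret: Callable[[str], dict],
                      timeout_s: float = 600, poll_s: float = 5.0,
                      clock: Callable[[], float] = time.monotonic,
                      sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll until the secret leaves pre_activation. Returns the active secret;
    raises on timeout or on any other state (assumed to mean the job failed)."""
    deadline = clock() + timeout_s
    while True:
        secret = fetch_secret(secret_id)
        state = secret.get("state_description")   # assumed field name
        if state == "active":
            return secret
        if state != "pre_activation":
            raise RuntimeError(f"secret {secret_id} reached unexpected state {state!r}")
        if clock() >= deadline:
            raise TimeoutError(f"secret {secret_id} still pre_activation after {timeout_s}s")
        sleep(poll_s)


if __name__ == "__main__":
    import os
    token = os.environ["IAM_TOKEN"]   # obtain via `ibmcloud iam oauth-tokens`
    body = build_create_request("example-custom-credential-secret", "my_custom_credential_config",
                                {"user_name": "username", "scope": "admin"},
                                labels=["dev", "us-south"], rotation_interval_days=30)
    created = create_secret(BASE_URL, token, body)
    print(wait_until_active(created["id"], make_fetcher(BASE_URL, token)))
```

The poll loop treats any state other than pre_activation or active as a failure so that a secret the job could not create is reported instead of waited on until the timeout; the timeout itself is the practical guard for a job that never reports back, since the page notes that creation can take a long time depending on the provider.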
Creating a custom credentials secret by using Terraform
You can create custom credentials secrets programmatically by using Terraform for Secrets Manager. The following example shows a configuration that you can use to create a custom credentials secret.
Creating custom credentials secrets is an asynchronous process that can take a long time, depending on the use case. Plan for these potential delays when you use Terraform.
resource "ibm_sm_custom_credentials_secret" "sm_custom_credentials_secret" {
  instance_id     = ibm_resource_instance.sm_instance.guid
  region          = "us-south"
  name            = "secret-name"
  secret_group_id = ibm_sm_secret_group.sm_secret_group.secret_group_id
  custom_metadata = {"key":"value"}
  description     = "Extended description for this secret."
  labels          = ["my-label"]
  configuration   = "my_custom_credentials_configuration"
  parameters {
    int_values = {
      example_param_1 = 17
    }
    string_values = {
      example_param_2 = "str2"
      example_param_3 = "str3"
    }
    bool_values = {
      example_param_4 = false
    }
  }
  rotation {
    auto_rotate = true
    interval    = 3
    unit        = "day"
  }
  ttl = "864000"
}