Creating a custom credentials engine configuration
After you have created your IBM Cloud® Code Engine project and job, you can create your custom credentials engine configuration. The engine configuration references your Code Engine project and the specific Code Engine job in the project that you'd like to use for a custom credential secret.
Custom credentials have various limitations. You can read about them in the Known issues and limitations page.
Before you begin
Make sure to complete these prerequisites:
- Create a Code Engine project and job.
- Create an IAM credentials secret that allows Code Engine access to Secrets Manager. The credential and IAM authorization allow Code Engine to return information back to Secrets Manager and make necessary updates to Secrets Manager relevant to your custom credentials secret. The IAM credentials secret must:
  - Have an auto rotation policy set.
  - Be associated with a service ID or access group that has the following permissions:
    - secrets-manager.secret-task.update on the secret group where the custom credential is created.
    - If applicable, secrets-manager.secret.read on any secret group that contains any reference secrets that are needed for the Code Engine job to complete its actions.
- Alternatively, configure a trusted profile for authentication. Refer to the Code Engine documentation for setup details.
- Create an IAM service authorization between Secrets Manager as the Source and Code Engine project as the Target.
Creating your custom credentials engine configuration in the console
Navigate to the Custom credentials screen inside the Secrets engines navigation, then create the configuration for your custom credentials by entering the relevant information in the console.
- In the Secrets engines page, click the Custom credentials tab.
- Click Add configuration.
  - Provide a configuration name.
  - Select the region where your Code Engine project was created.
  - Select the job that was created for this custom credentials secret.
  - When creating the configuration you are prompted to create an IAM service authorization between Secrets Manager as Source and Code Engine as Target, if not previously created.
  - Select the IAM Credentials secret you have previously created or create one in-context.
- Click Add.
Creating your custom credentials engine configuration using the API
You can create a custom credentials engine configuration programmatically by calling the Secrets Manager API. When you call the API, replace the api_key_ref and code_engine variables, and the IAM token with the values that are specific to your Secrets Manager instance. You can optionally supply a task_timeout parameter to customize the task timeout.
curl -X POST \
  -H "Authorization: Bearer {IAM_token}" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my_config",
    "config_type": "custom_credentials_configuration",
    "api_key_ref": "a2f9c2e4-a3a8-c508-2bed-fcb7c26843ca",
    "code_engine": {
      "job_name": "code-engine-job-name",
      "project_id": "12345678-5120-4a18-832a-4ba122496633",
      "region": "us-south"
    },
    "task_timeout": "50m"
  }' \
  "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/configurations"
Creating your custom credentials engine configuration from CLI
Before you begin, follow the CLI docs to set your API endpoint.
To create a custom credentials engine configuration by using the Secrets Manager CLI plug-in, run the ibmcloud secrets-manager configuration-create command. You can optionally use the --configuration-task-timeout flag to customize the task timeout.
ibmcloud secrets-manager configuration-create --config-type=custom_credentials_configuration --name=my-custom-credentials-config --custom-credentials-apikey-ref IAM_credentials_secret_ID --custom-credentials-code-engine '{"project_id":"12345678-5120-4a18-832a-4ba122496633", "region":"us-south", "job_name":"code-engine-job-name"}'
Creating your custom credentials engine configuration using Terraform
You can create a custom credentials engine configuration by using Terraform for Secrets Manager.
resource "ibm_sm_custom_credentials_configuration" "sm_custom_credentials_configuration_instance" {
  instance_id  = ibm_resource_instance.sm_instance.guid
  region       = "us-south"
  name         = "example-custom-credentials-config"
  api_key_ref  = ibm_sm_iam_credentials_secret.my_secret_for_custom_credentials.secret_id
  code_engine {
    project_id = ibm_code_engine_project.my_code_engine_project.project_id
    job_name   = "my_code_engine_job"
    region     = "us-south"
  }
  task_timeout = "10m"
}
Next steps
After you create your custom credentials engine configuration, you can create a custom credentials secret.