Regions and endpoints

Review region and connectivity options for interacting with IBM Cloud® Secrets Manager.

Supported regions

You can create Secrets Manager resources in one of the supported IBM Cloud regions, which represents the geographic area where your Secrets Manager requests are handled and processed.

  • Dallas (us-south)
  • Frankfurt (eu-de)
  • London (eu-gb)
  • Madrid (eu-es)
  • Osaka (jp-osa)
  • Sao Paulo (br-sao)
  • Sydney (au-syd)
  • Tokyo (jp-tok)
  • Toronto (ca-tor)
  • Washington DC (us-east)

Service endpoints

You can use the Secrets Manager APIs to manage your secrets programmatically. Secrets Manager offers two connectivity options for interacting with its service APIs.

Public endpoints
    By default, you can connect to resources in your account over the IBM Cloud public network. Your data is encrypted in transit by using the Transport Layer Security (TLS) 1.2 protocol.
Private endpoints
    To further secure your connection, you can also enable virtual routing and forwarding (VRF) and service endpoints for your infrastructure account. When you enable VRF for your account, you can connect to Secrets Manager by using a private IP that is accessible only through the IBM Cloud private network.

Public endpoints

If you are managing your Secrets Manager resources over a public network, see the following table to determine the API endpoints to use when you connect to the Secrets Manager API.

Table 1. Public endpoints for interacting with Secrets Manager by using the native Vault APIs
Region         Endpoint URL
Dallas         https://{instance_ID}.us-south.secrets-manager.appdomain.cloud
Frankfurt      https://{instance_ID}.eu-de.secrets-manager.appdomain.cloud
London         https://{instance_ID}.eu-gb.secrets-manager.appdomain.cloud
Madrid         https://{instance_ID}.eu-es.secrets-manager.appdomain.cloud
Osaka          https://{instance_ID}.jp-osa.secrets-manager.appdomain.cloud
Sao Paulo      https://{instance_ID}.br-sao.secrets-manager.appdomain.cloud
Sydney         https://{instance_ID}.au-syd.secrets-manager.appdomain.cloud
Tokyo          https://{instance_ID}.jp-tok.secrets-manager.appdomain.cloud
Toronto        https://{instance_ID}.ca-tor.secrets-manager.appdomain.cloud
Washington DC  https://{instance_ID}.us-east.secrets-manager.appdomain.cloud

Ready to try the APIs? To interact with a Swagger UI from your browser, add api/v2/swagger-ui to your service endpoint URL. For example, https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/swagger-ui.

Private endpoints

If you need to manage your Secrets Manager resources over a private network, see the following table to determine the API endpoints to use when you connect to the Secrets Manager API.

To learn how to configure your Secrets Manager instance to use private endpoints, see Securing your connection to Secrets Manager.

Table 2. Private endpoints for interacting with Secrets Manager by using the native Vault APIs
Region         Endpoint URL
Dallas         https://{instance_ID}.private.us-south.secrets-manager.appdomain.cloud
Frankfurt      https://{instance_ID}.private.eu-de.secrets-manager.appdomain.cloud
London         https://{instance_ID}.private.eu-gb.secrets-manager.appdomain.cloud
Madrid         https://{instance_ID}.private.eu-es.secrets-manager.appdomain.cloud
Osaka          https://{instance_ID}.private.jp-osa.secrets-manager.appdomain.cloud
Sao Paulo      https://{instance_ID}.private.br-sao.secrets-manager.appdomain.cloud
Sydney         https://{instance_ID}.private.au-syd.secrets-manager.appdomain.cloud
Tokyo          https://{instance_ID}.private.jp-tok.secrets-manager.appdomain.cloud
Toronto        https://{instance_ID}.private.ca-tor.secrets-manager.appdomain.cloud
Washington DC  https://{instance_ID}.private.us-east.secrets-manager.appdomain.cloud

Viewing your endpoint URLs

You can find your service endpoint URLs on the Endpoints page of the Secrets Manager UI. If you need to retrieve your service endpoint URLs programmatically, you can also call the following API to retrieve the values that are specific to your Secrets Manager instance.

curl -X GET \
    -H "Accept: application/json" \
    -H "Authorization: Bearer {IAM_token}" \
    "https://{region}.secrets-manager.cloud.ibm.com/api/v1/instances/{url_encoded_instance_CRN}/endpoints"

Replace the variables in the example request according to the following table.

Table 3. Required parameters for retrieving service endpoints with the API
Parameter                     Description
{region}                      The region abbreviation that represents the geographic area where your Secrets Manager resides. For example, us-south or eu-de.
{url_encoded_instance_CRN}    The Cloud Resource Name (CRN) that uniquely identifies your Secrets Manager service instance. The value must be URL encoded.
{IAM_token}                   Your IBM Cloud IAM access token.

A successful request returns the endpoint URLs that are associated with the region and service instance CRN that you specify. The following JSON snippet shows an example response.

{
    "plan": "standard",
    "public_endpoints": {
        "service_api": "https://927fb8ae-1ddd-4483-a21f-7d3c0fc81234.us-south.secrets-manager.appdomain.cloud/api",
        "vault_api": "https://927fb8ae-1ddd-4483-a21f-7d3c0fc81234.us-south.secrets-manager.appdomain.cloud"
    },
    "private_endpoints": {
        "service_api": "https://927fb8ae-1ddd-4483-a21f-7d3c0fc81234.private.us-south.secrets-manager.appdomain.cloud/api",
        "vault_api": "https://927fb8ae-1ddd-4483-a21f-7d3c0fc81234.private.us-south.secrets-manager.appdomain.cloud"
    },
    "encryption": {
        "provider_managed_encryption": "key_protect",
        "encryption_key_crn": "crn:v1:staging:public:kms:us-south:a/791f5fb10986423e97aa8512f181234:31639268-42e8-4420-9872-590a6ee21234:key:b4af8f76-e6ea-4dc5-89cc-5f1b9bb1234"
    }
}

To try this API, you can interact with the following Swagger UI from your browser: https://{region}.secrets-manager.cloud.ibm.com/swagger-ui.

If your instance is configured with the Private only option, this API returns only the private_endpoints object in the response.
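
The following added example (not part of the IBM documentation or SDK) builds the endpoint-lookup URL with a fully URL-encoded CRN, then selects an endpoint from the response only if its host matches the pattern in Tables 1 and 2, and fails closed when a Private only instance returns no public_endpoints object. The function names, the sample CRN and the sample instance ID are constructed for illustration.

```python
import json
from urllib.parse import quote, urlsplit

# Host suffix shared by every endpoint in Tables 1 and 2.
SUFFIX = ".secrets-manager.appdomain.cloud"

def endpoints_request_url(region, instance_crn):
    """URL for the endpoint-lookup call; safe="" also encodes ':' and '/' in the CRN."""
    crn = quote(instance_crn, safe="")
    return f"https://{region}.secrets-manager.cloud.ibm.com/api/v1/instances/{crn}/endpoints"

def check_endpoint(url, region, private):
    """Accept only an https URL whose host is {instance_ID}[.private].{region}<SUFFIX>."""
    parts = urlsplit(url)
    instance_id, _, tail = (parts.hostname or "").partition(".")
    expected = ("private." if private else "") + region + SUFFIX
    if parts.scheme != "https" or not instance_id or tail != expected:
        raise ValueError(f"unexpected endpoint: {url!r}")
    return url

def pick_endpoint(body, region, private, api="vault_api"):
    """Return the requested endpoint from the JSON response, or raise."""
    doc = json.loads(body)
    group = doc.get("private_endpoints" if private else "public_endpoints")
    if not group or api not in group:
        # A "Private only" instance returns no public_endpoints object.
        raise LookupError("requested endpoint type is not offered by this instance")
    return check_endpoint(group[api], region, private)

# Constructed sample data (not real identifiers).
SAMPLE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CRN = f"crn:v1:bluemix:public:secrets-manager:us-south:a/0000000000000000:{SAMPLE_ID}::"
PRIVATE_ONLY = json.dumps({"plan": "standard", "private_endpoints": {
    "service_api": f"https://{SAMPLE_ID}.private.us-south{SUFFIX}/api",
    "vault_api": f"https://{SAMPLE_ID}.private.us-south{SUFFIX}"}})

if __name__ == "__main__":
    print(endpoints_request_url("us-south", SAMPLE_CRN))
    print(pick_endpoint(PRIVATE_ONLY, "us-south", private=True))
```

Checking the host before use keeps an IAM token or Vault token from being sent to a lookalike domain if the response or a cached copy of it has been altered.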