Regions and endpoints

Review region and connectivity options for interacting with IBM Cloud® Secrets Manager.

Supported regions

You can create Secrets Manager resources in one of the supported IBM Cloud regions, which represents the geographic area where your Secrets Manager requests are handled and processed.

Americas

  • Dallas (us-south)
  • Washington DC (us-east)
  • Toronto (ca-tor)
  • Montreal (ca-mon)
  • Sao Paulo (br-sao)

Europe

  • London (eu-gb)
  • Frankfurt (eu-de)
  • Madrid (eu-es)

Asia Pacific

  • Tokyo (jp-tok)
  • Osaka (jp-osa)
  • Sydney (au-syd)
  • Mumbai - Airtel (in-mum)
  • Chennai - Airtel (in-che)

Service endpoints

You can use the Secrets Manager APIs to manage your secrets programmatically. Secrets Manager offers two connectivity options for interacting with its service APIs.

Private endpoints
By default, a Secrets Manager instance will have only a private endpoint. Private endpoints provide secure connectivity to Secrets Manager over the IBM Cloud private network without requiring traffic to traverse the public internet. You can connect using Virtual Private Endpoint (VPE) gateways or through Cloud Service Endpoints (CSE). For more information, see Securing your connection to Secrets Manager.
Public endpoints
Use public endpoints to connect to Secrets Manager in your account over the IBM Cloud public network. Your data is encrypted in transit by using the Transport Security Layer (TLS) 1.2 protocol. When a Secrets Manager instance is configured with public endpoints, it also has a private endpoint in addition by default.

Service endpoints

If you need to manage your Secrets Manager resources, see the following table to determine the API endpoints to use when you connect to the Secrets Manager API.

To learn how to configure your Secrets Manager instance to use private endpoints, see Securing your connection to Secrets Manager.

Public endpoints for interacting with Secrets Manager
Region Endpoint URL
Americas
Dallas https://{instance_ID}.us-south.secrets-manager.appdomain.cloud
Washington DC https://{instance_ID}.us-east.secrets-manager.appdomain.cloud
Toronto https://{instance_ID}.ca-tor.secrets-manager.appdomain.cloud
Montreal https://{instance_ID}.ca-mon.secrets-manager.appdomain.cloud
Sao Paulo https://{instance_ID}.br-sao.secrets-manager.appdomain.cloud
Europe
London https://{instance_ID}.eu-gb.secrets-manager.appdomain.cloud
Frankfurt https://{instance_ID}.eu-de.secrets-manager.appdomain.cloud
Madrid https://{instance_ID}.eu-es.secrets-manager.appdomain.cloud
Asia Pacific
Tokyo https://{instance_ID}.jp-tok.secrets-manager.appdomain.cloud
Osaka https://{instance_ID}.jp-osa.secrets-manager.appdomain.cloud
Sydney https://{instance_ID}.au-syd.secrets-manager.appdomain.cloud
Mumbai - Airtel https://{instance_ID}.in-mum.secrets-manager.appdomain.cloud
Chennai - Airtel https://{instance_ID}.in-che.secrets-manager.appdomain.cloud
Private endpoints for interacting with Secrets Manager
Region Endpoint URL
Americas
Dallas https://{instance_ID}.private.us-south.secrets-manager.appdomain.cloud
Washington DC https://{instance_ID}.private.us-east.secrets-manager.appdomain.cloud
Toronto https://{instance_ID}.private.ca-tor.secrets-manager.appdomain.cloud
Montreal https://{instance_ID}.private.ca-mon.secrets-manager.appdomain.cloud
Sao Paulo https://{instance_ID}.private.br-sao.secrets-manager.appdomain.cloud
Europe
London https://{instance_ID}.private.eu-gb.secrets-manager.appdomain.cloud
Frankfurt https://{instance_ID}.private.eu-de.secrets-manager.appdomain.cloud
Madrid https://{instance_ID}.private.eu-es.secrets-manager.appdomain.cloud
Asia Pacific
Tokyo https://{instance_ID}.private.jp-tok.secrets-manager.appdomain.cloud
Osaka https://{instance_ID}.private.jp-osa.secrets-manager.appdomain.cloud
Sydney https://{instance_ID}.private.au-syd.secrets-manager.appdomain.cloud
Mumbai - Airtel https://{instance_ID}.private.in-mum.secrets-manager.appdomain.cloud
Chennai - Airtel https://{instance_ID}.private.in-che.secrets-manager.appdomain.cloud

Ready to try the APIs? To interact with a Swagger UI from your browser, add api/v2/swagger-ui to your service endpoint URL. For example, https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/swagger-ui.

Viewing your endpoint URLs

You can find your service endpoint URLs in the Endpoints page of the Secrets Manager UI.

The private control plane endpoint is accessible through a VPE gateway. For more information, see Using service endpoints to privately connect to Secrets Manager. If you need to retrieve your service endpoint URLs programmatically, you can also call the following API to retrieve the values that are specific to your Secrets Manager instance.

curl -X GET  
    -H "Accept: application/json" \
    -H "Authorization: Bearer {IAM_token}"
"https://{region}.secrets-manager.cloud.ibm.com/api/v1/instances/{url_encoded_instance_CRN}/endpoints"

Replace the variables in the example request according to the following table.

Required parameters for retrieving service endpoints with the API
Parameter Description
{region} The region abbreviation that represents the geographic area where your Secrets Manager resides. For example, us-south or eu-de.
{url_encoded_instance_CRN} The Cloud Resource Name (CRN) that uniquely identifies your Secrets Manager service instance. The value must be URL encoded.
{IAM_token} Your IBM Cloud IAM access token.

A successful request returns the endpoint URLs that are associated with the region and service instance CRN that you specify. The following JSON snippet shows an example response.

{
    "plan": "standard",
    "public_endpoints": {
        "service_api": "https://927fb8ae-1ddd-4483-a21f-7d3c0fc81234.us-south.secrets-manager.appdomain.cloud/api",
        "vault_api": "https://927fb8ae-1ddd-4483-a21f-7d3c0fc81234.us-south.secrets-manager.appdomain.cloud"
    },
    "private_endpoints": {
        "service_api": "https://927fb8ae-1ddd-4483-a21f-7d3c0fc1234.private.us-south.secrets-manager.appdomain.cloud/api",
        "vault_api": "https://927fb8ae-1ddd-4483-a21f-7d3c0fc81234.private.us-south.secrets-manager.appdomain.cloud"
    },
    "encryption": {
      "provider_managed_encryption": "key_protect",  
      "encryption_key_crn": "crn:v1:staging:public:kms:us-south:a/791f5fb10986423e97aa8512f181234:31639268-42e8-4420-9872-590a6ee21234:key:b4af8f76-e6ea-4dc5-89cc-5f1b9bb1234"
    }
}

Control plane endpoints

Use the following control plane endpoints to call control plane APIs.

Public control plane endpoints for Secrets Manager
Region Endpoint URL
Americas
Dallas https://us-south.secrets-manager.cloud.ibm.com
Washington DC https://us-east.secrets-manager.cloud.ibm.com
Toronto https://ca-tor.secrets-manager.cloud.ibm.com
Montreal https://ca-mon.secrets-manager.cloud.ibm.com
Sao Paulo https://br-sao.secrets-manager.cloud.ibm.com
Europe
London https://eu-gb.secrets-manager.cloud.ibm.com
Frankfurt https://eu-de.secrets-manager.cloud.ibm.com
Madrid https://eu-es.secrets-manager.cloud.ibm.com
Asia Pacific
Tokyo https://jp-tok.secrets-manager.cloud.ibm.com
Osaka https://jp-osa.secrets-manager.cloud.ibm.com
Sydney https://au-syd.secrets-manager.cloud.ibm.com
Mumbai - Airtel https://in-mum.secrets-manager.cloud.ibm.com
Chennai - Airtel https://in-che.secrets-manager.cloud.ibm.com
Private control plane endpoints for Secrets Manager
Region Endpoint URL
Americas
Dallas https://private.us-south.secrets-manager.cloud.ibm.com
Washington DC https://private.us-east.secrets-manager.cloud.ibm.com
Toronto https://private.ca-tor.secrets-manager.cloud.ibm.com
Montreal https://private.ca-mon.secrets-manager.cloud.ibm.com
Sao Paulo https://private.br-sao.secrets-manager.cloud.ibm.com
Europe
London https://private.eu-gb.secrets-manager.cloud.ibm.com
Frankfurt https://private.eu-de.secrets-manager.cloud.ibm.com
Madrid https://private.eu-es.secrets-manager.cloud.ibm.com
Asia Pacific
Tokyo https://private.jp-tok.secrets-manager.cloud.ibm.com
Osaka https://private.jp-osa.secrets-manager.cloud.ibm.com
Sydney https://private.au-syd.secrets-manager.cloud.ibm.com
Mumbai - Airtel https://private.in-mum.secrets-manager.cloud.ibm.com
Chennai - Airtel https://private.in-che.secrets-manager.cloud.ibm.com

The private control plane endpoint is accessible through a VPE gateway. For more information, see Using service endpoints to privately connect to Secrets Manager.

To try this API, you can interact with the following Swagger UI from your browser: https://{region}.secrets-manager.cloud.ibm.com/swagger-ui.

If your instance is configured with the Private only option, this API returns only the private_endpoints object in the response.