Enabling event notifications for Secrets Manager

As an administrator of IBM Cloud® Secrets Manager, you might want to send notifications of events in Secrets Manager to other users, or human destinations, by using email, SMS, or other supported delivery channels. Additionally, you might want to send these notifications of events to other applications to build logic by using event-driven programming using webhooks, for example. This is made possible by the integration between Secrets Manager and IBM Cloud® Event Notifications.

To send information to Event Notifications, you must connect your Secrets Manager service instance to Event Notifications. For more information about working with Event Notifications, see Getting started with Event Notifications.

If you decide to delete your Secrets Manager service instance, also remove Secrets Manager as a source in your Event Notifications service instance.

How events are collected and sent by Secrets Manager

When an event of interest takes place in your Secrets Manager instance, Secrets Manager communicates with a connected Event Notifications instance to forward a notification to a supported destination.

Secrets Manager aggregates a list of your pending notifications by event type, the type of secret, and expiry details if they apply. Every 1 - 2 minutes, the service checks for and dispatches any pending notifications to the connected Event Notifications service. For example, you might receive notifications that are similar to the following messages:

You have 1 arbitrary secret that expires in 1 day.
You have 5 public certificate secrets that expire in 10 days.
You have 100 imported certificate secrets that expire in 30 days.

100 is the maximum number of secrets that you can be notified of in a single event notification.

Events for Secrets Manager

The following table lists the Secrets Manager actions that generate an event.

Depending on the type of secret that you're working with in the service, an event might not be generated by Secrets Manager. For example, you don't receive a notification if a certificate is set to expire in less than 24 hours. For more information, refer to Events by secret type.

Actions that generate event notifications
Event name	Event type	Subtype	Description	Severity level
Secret created	`com.ibm.cloud.secrets-manager.secret_created`		An event is sent when a secret is added to the instance.	`low`
Secret creation failed	`com.ibm.cloud.secrets-manager.secret_creation_failed`		An event is sent when a request to create a secret fails.	`low`
Secret rotated	`com.ibm.cloud.secrets-manager.secret_rotated`		An event is sent when a secret is rotated and a new version becomes available.	`low`
Secret rotation failed	`com.ibm.cloud.secrets-manager.secret_rotation_failed`		An event is sent when a request to rotate a secret fails.	`high`
Secret expires in 90 days	`com.ibm.cloud.secrets-manager.secret_about_to_expire`	`in_90_days`	An event is sent when a secret is 90 days from expiration.	`high`
Secret expires in 60 days	`com.ibm.cloud.secrets-manager.secret_about_to_expire`	`in_60_days`	An event is sent when a secret is 60 days from expiration.	`high`
Secret expires in 30 days	`com.ibm.cloud.secrets-manager.secret_about_to_expire`	`in_30_days`	An event is sent when a secret is 30 days from expiration.	`high`
Secret expires in 10 days	`com.ibm.cloud.secrets-manager.secret_about_to_expire`	`in_10_days`	An event is sent when a secret is 10 days from expiration.	`high`
Secret expires in 1 day	`com.ibm.cloud.secrets-manager.secret_about_to_expire`	`in_1_day`	An event is sent when a secret is 1 day from expiration.	`high`
Secret expires in less than 1 day	`com.ibm.cloud.secrets-manager.secret_about_to_expire`	`in_0_days`	An event is sent when a secret is less than 1 day from expiration.	`high`
Secret expired	`com.ibm.cloud.secrets-manager.secret_expired`		An event is sent when a secret reaches its expiration date and time.	`high`
Secret revoked	`com.ibm.cloud.secrets-manager.secret_revoked`		An event is sent when a version of a secret is revoked before it is scheduled to expire.	`low`
Secret deleted	`com.ibm.cloud.secrets-manager.secret_deleted`		An event is sent when a secret is deleted from a Secrets Manager instance.	`low`
Secret deletion failed	`com.ibm.cloud.secrets-manager.secret_deletion_failed`		An event is sent when a request to delete a secret fails.	`high`
Secret deletion blocked	`com.ibm.cloud.secrets-manager.secret_deletion_blocked`		An event is sent when a secret is unable to be deleted because it is locked.	`low`
Secret revocation blocked	`com.ibm.cloud.secrets-manager.secret_revocation_blocked`		An event is sent when a secret is unable to be revoked because it is locked.	`low`
Secret rotation blocked	`com.ibm.cloud.secrets-manager.secret_rotation_blocked`		An event is sent when a secret is unable to be rotated because it is locked.	`low`
Secret expiration blocked	`com.ibm.cloud.secrets-manager.secret_expiration_blocked`		An event is sent when a secret is unable to expire because it is locked.	`high`
Secret data removed	`com.ibm.cloud.secrets-manager.secret_data_removed`		An event is sent when a secret's data is removed.	`low`
Secret version data deleted	`com.ibm.cloud.secrets-manager.secret_version_data_deleted`		An event is sent when a secret version's data is deleted.	`low`
Test event	`com.ibm.cloud.secrets-manager.test_event`		An event is sent when a test notification is forwarded to Event Notifications.	`low`

secret_about_to_expire events are sent only once, on the specified day. This means that if you specify that a secret is to expire in 10 days, you receive a single notification when the secret has 10 days remaining. You do not receive a notification at any other time, for example, when the secret has 9 days remaining.

Supported secret types

The following table lists the Secrets Manager events that can be generated based on secret types that are supported in the service.

Actions that generate events based on secret type
Event name	Event type	Occurrence	Arbitrary	IAM credentials	Key-value	User credentials	Imported certificates	Private certificates	Public certificates	Service credentials
Secret created	`com.ibm.cloud.secrets-manager.secret_created`	One time
Secret creation failed	`com.ibm.cloud.secrets-manager.secret_creation_failed`	One time
Secret rotated	`com.ibm.cloud.secrets-manager.secret_rotated`	One time
Secret rotation failed	`com.ibm.cloud.secrets-manager.secret_rotation_failed`	One time
Secret about to expire	`com.ibm.cloud.secrets-manager.secret_about_to_expire`	90, 60, 30, 10, 1, 0 days before the secret expires			Not applicable^[1]
Secret expired	`com.ibm.cloud.secrets-manager.secret_expired`	Daily			Not applicable^[2]
Secret revoked	`com.ibm.cloud.secrets-manager.secret_revoked`	One time	Not applicable^[3]	Not applicable^[4]	Not applicable^[5]	Not applicable^[6]	Not applicable^[7]		Not applicable^[8]	Not applicable^[9]
Secret deleted	`com.ibm.cloud.secrets-manager.secret_deleted`	One time
Secret deletion blocked	`com.ibm.cloud.secrets-manager.secret_deletion_blocked`	One time
Secret rotation blocked	`com.ibm.cloud.secrets-manager.secret_rotation_blocked`	One time^[10] Daily ^[11]
Secret revocation blocked	`com.ibm.cloud.secrets-manager.secret_revocation_blocked`	One time	Not applicable^[12]	Not applicable^[13]	Not applicable^[14]	Not applicable^[15]	Not applicable^[16]		Not applicable^[17]	Not applicable^[18]
Secret expiration blocked	`com.ibm.cloud.secrets-manager.secret_expiration_blocked`	One time Daily			Not applicable^[19]		Not applicable^[20]	Not applicable^[21]	Not applicable^[22]
Secret data removed	`com.ibm.cloud.secrets-manager.secret_data_removed`	One time
Secret version data deleted	`com.ibm.cloud.secrets-manager.secret_version_data_deleted`	One time

Enabling notifications

Events that are generated by an instance of the Secrets Manager service can be forwarded to an Event Notifications service instance that is available in the same account. You can configure only one Secrets Manager instance to one Event Notifications service instance. To get started, you need:

Manager service access on the Secrets Manager service.
Manager service access on the Event Notifications service. To view an existing Event Notifications service instance in your account, you also need Viewer platform access or higher.

Connecting to Event Notifications in the UI

Before you can enable notifications for Secrets Manager, be sure that you have an Event Notifications service instance that is in the same account as your Secrets Manager instance. Then, you can use the Settings > Event Notifications section in the Secrets Manager UI to connect the services.

The image shows the Event Notifications screen in the Secrets Manager UI. — Connecting to Event Notifications

In the console, click the Menu icon > Resource list.
From the list of services, select your instance of Secrets Manager.
In the Secrets Manager navigation, click Settings.
In the Event Notifications section, and click Connect.
In the side panel, review the source details for the connection. Optionally, provide a description.
Select the resource group and Event Notifications service instance that you want to connect.

If an IAM authorization between Secrets Manager and Event Notifications doesn't exist in your account, a dialog is displayed. Follow the prompts to grant access between the services.
1. To grant access between Secrets Manager and Event Notifications, click Authorize.
2. In the side panel, select Event Notifications as the target service.
3. From the list of instances, select the Event Notifications service instance that you want to authorize.
4. Select the Event Source Manager role.
5. Click Review.
6. Click Assign.
To confirm the connection, click Connect.

A success message is displayed to indicate that Secrets Manager is now connected to Event Notifications. If you need to disconnect from Event Notifications later, you can use the options menu > Disconnect to remove the Secrets Manager as a source service in the Event Notifications instance.

If you choose to disconnect Event Notifications, do not delete the IAM authorization between Secrets Manager and Event Notifications. Secrets Manager uses the existing authorization to unregister from Event Notifications. If an Event Notifications instance is deleted, any authorizations that exist between the service and the Secrets Manager are also deleted by IAM.

Connecting to Event Notifications with the API

Before you can enable notifications for Secrets Manager, be sure that you have an Event Notifications service instance that is in the same account as your Secrets Manager instance. Then, you can connect to Event Notifications programmatically by calling the Secrets Manager API.

The following example shows a query that you can use to register your Secrets Manager source details with Event Notifications. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.

You can find the event_notifications_instance_crn value in the console by going to the Resource list and clicking the Event Notifications instance row.

curl -X POST 
   --H "Authorization: Bearer {iam_token}" \
   --H "Accept: application/json" \
   --H "Content-Type: application/json" \
   --d'{
      "event_notifications_instance_crn": "crn:v1:bluemix:public:event-notifications:us-south:a/22018f3c34ff4ff193698d15ca316946:578ad1a4-2fd8-4e66-95d5-79a842ba91f8::",
      "event_notifications_source_description": "Optional description of this source in an Event Notifications instance.",
      "event_notifications_source_name": "My Secrets Manager"
   }' \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/notifications/registration"

A successful request returns the CRN value of your connected Event Notifications service instance. For more information about the required and optional request parameters, see the API docs.

Connecting to Event Notifications with Terraform

The following example shows a configuration that you can use to to register your Secrets Manager source details with Event Notifications.

    resource "ibm_sm_en_registration" "en_registration" {
        instance_id = local.instance_id
        region = local.region
        name = "test-root-ca"
        event_notifications_instance_crn = var.en_instance_crn
        event_notifications_source_description = "My event notification source"
        event_notifications_source_name = "my_en_source"
    }

Sending a test event to Event Notifications in the UI

After you enable notifications for Secrets Manager, test your connection to ensure that the events that are generated by Secrets Manager are being forwarded to Event Notifications.

Before you can send a test Secrets Manager events, you must have topics, destinations, and subscriptions created in your Event Notifications instance. Be sure that the Test event event type (com.ibm.cloud.secrets-manager.test_event) is included as a condition in your Event Notifications topic.

In the Secrets Manager UI, click Settings.
In the Event Notifications section, click Send test event.

A success message is displayed to indicate that the test event was forwarded successfully to Event Notifications.

Sending a test event to Event Notifications with the API

After you enable notifications for Secrets Manager, test your connection to ensure that the events that are generated by Secrets Manager are being forwarded to Event Notifications.

Before you can send a test Secrets Manager event, you must have topics, destinations, and subscriptions created in your Event Notifications instance. Be sure that the Test event event type (com.ibm.cloud.secrets-manager.test_event) is included as a condition in your Event Notifications topic.

The following example shows a query that you can use to send a test event from the Secrets Manager to Event Notifications. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.

curl -X GET 
   --H "Authorization: Bearer {iam_token}" \
   "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/notifications/registration/test"

A successful request returns an HTTP 200 OK response to indicate that a test event was forwarded successfully to your connected Event Notifications service instance. For more information, see the API docs.

Delivering notifications to select destinations

After you enable notifications for Secrets Manager, create topics and subscriptions in Event Notifications so that alerts can be forwarded and delivered to your selected destinations.

For a complete list of supported destinations, see the Event Notifications documentation.

Email notifications

You can use the IBM Cloud email service as a delivery channel for Secrets Manager event notifications. Create an Event Notifications subscription between an existing topic and the IBM Cloud email service to forward your alerts to various recipients by email.

An email from IBM Cloud that contains information about a Secrets Manager event resembles the following example:

Subject: Your 2 public certificate secrets expire in 10 days
Body: You have 2 public certificate secrets that expire in 10 days: my-certificate-1, my-certificate-2. You can view and manage your existing secrets by accessing Secrets Manager in the console, or by using the CLI or APIs. For more information, check out the docs.

To receive detailed information about an event notification in your email, select the Add notification payload option when you create an Event Notifications subscription. Your email displays the notification payload details that are associated with the event.

Webhooks

You can configure a webhook destination so that an incoming notification can be consumed programmatically by an app or service. For more information about setting up webhooks, check out the Event Notifications documentation.

Notification payload details

Successful events that are generated by Secrets Manager contain various fields that help you to identify the source and details of an event.

Event notifications from Secrets Manager contain only metadata properties, such as names or identifiers of resources. Sensitive data, for example API keys or passwords, are not included in generated events.

The properties that are sent to Event Notifications vary depending on the event type and type of secret. For example, if an secret_about_to_expire:in_10_days event takes place in an instance for one or more public_cert secrets, Secrets Manager sends a notification payload to Event Notifications that is similar to the following example.

{
   "event_sub_type": "in_10_days",
   "event_type": "secret_about_to_expire",
   "secret_type": "public_cert",
   "secrets": [
      {
         "domains": "domain1.com",
         "event_time": "2022-01-04T00:00:00Z",
         "event_triggered_by": "SecretsManager",
         "secret_expiration": "2022-01-14T00:00:00Z",
         "secret_group_id": "default",
         "secret_id": "crn:v1:bluemix:public:secrets-manager:<region>:a/<account_id>:<instance_id>:secret:<secret_id>",
         "secret_name": "my-certificate-1",
         "serial_number": "1:2:3:4"
      },
      {
         "domains": "domain2.com, domain3.com",
         "event_time": "2022-01-04T00:00:00Z",
         "event_triggered_by": "SecretsManager",
         "secret_expiration": "2022-01-14T00:00:00Z",
         "secret_group_id": "default",
         "secret_id": "crn:v1:bluemix:public:secrets-manager:<region>:a/<account_id>:<instance_id>:secret:<secret_id>",
         "secret_name": "my-certificate-2",
         "serial_number": "1:2:3:4"
      },
   ],
   "source_instance_api_private_url": "https://<instance_id>.private.<region>.secrets-manager.appdomain.cloud/api",
   "source_instance_api_public_url": "https://<instance_id>.<region>.secrets-manager.appdomain.cloud/api",
   "source_instance_crn": "crn:v1:bluemix:public:secrets-manager:<region>:a/<account_id>:<instance_id>::",
   "source_instance_dashboard_url": "https://cloud.ibm.com/services/secrets-manager/crn%3Av1%3Abluemix%3Apublic%3Asecrets-manager%3A<region>%3Aa%2Fa6cc9f5f21f34323a4175c1117638b40%3A<instance_id>%3A%3A",
   "source_service": "SecretsManager"
}

Review following table for more information about event notification properties.

Properties in an event notification payload
Property	Description
`event_sub_type`	The subtype that corresponds with the type of event that triggered a notification.
`event_type`	The type of event that triggered a notification.
`secret_type`	The type of secret that is associated with the event. Possible values include: imported_cert, private_cert, public_cert
`secrets[]`	A list of objects that contain the metadata properties of a secret that is associated with the event. The properties that are listed vary depending on the secret type. Properties that are sent for all secret types include: `event_time`: The date and time the event was generated. `event_triggered_by`: The entity that triggered the event. This can be the Secrets Manager service or an IBM ID. `secret_group_id`: The ID of the secret group. `secret_id`: The ID that uniquely identifies the secret. `secret_name`: The name of the secret. Events for `imported_cert`, `private_cert`, and `public_cert` secrets also contain: `domains`: The domains that are associated with the certificate. `serial_number`: The serial number that is associated with the certificate. Failure events can also contain: `failure_reason`: The reason for the operation failure.
`source_instance_api_private_url`	The private endpoint URL that is assigned to your Secrets Manager service instance.
`source_instance_api_public_url`	The public endpoint URL that is assigned to your Secrets Manager service instance.
`source_instance_crn`	The Cloud Resource Name (CRN) that uniquely identifies your Secrets Manager service instance.
`source_instance_dashboard_url`	The URL to your Secrets Manager service dashboard in the console.
`source_service`	The display name of the service that sent the event notification.

Event is not applicable because there isn't a time-to-live (TTL) limit for this secret type. ↩︎
Event is not applicable because there isn't a time-to-live (TTL) limit for this secret type. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
You receive a notification that informs you that your manual rotation was not successful. ↩︎
When an automatic rotation fails, you are notified daily until it is successful. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because this notification type applies to private certificates only. ↩︎
Event is not applicable because there isn't a time-to-live (TTL) limit for this secret type. ↩︎
Event is not applicable because expiration date cannot be blocked in this secret type. ↩︎
Event is not applicable because expiration date cannot be blocked in this secret type. ↩︎
Event is not applicable because expiration date cannot be blocked in this secret type. ↩︎