IBM Cloud Docs
FAQs for Secrets Manager

FAQs for Secrets Manager

FAQs for IBM Cloud® Secrets Manager might include questions about secrets or credentials. To find all FAQs for IBM Cloud, see the FAQ library.

What is a secret?

A secret is a piece of sensitive information. For example, a secret might be a username and password combination or an API key that you use while you develop your applications. To keep your applications secure, it is important to regulate which secrets can access what and who has access to them.

In addition to the static secrets described, there are other types of secrets that you might work with in the Secrets Manager service. To learn more about secret types, check out Types of secrets.

What is a secret group?

A secret group is a means to organize and control access to the secrets that you store within Secrets Manager. There are several different strategies that you might use to approach secret groups. For more information and recommendations, see Best practices for organizing secrets and assigning access.

What is an IAM credential?

An IAM credential is a type of dynamic secret that you can use to access an IBM Cloud resource that requires IAM authentication. When you create an IAM credential through Secrets Manager, the service creates a service ID and an API key on your behalf. For more information about creating and storing IAM credentials, see Creating IAM credentials.

What happens when I rotate my secret?

When a secret is rotated, a new version of its value becomes available for use. You can choose to manually add a value or automatically generate one at regular intervals by enabling automatic rotation.

For more information about secret rotation, see Rotating secrets.

What happens when my secret expires?

In some secret types such as arbitrary or username_password, you can set the date and time when your secret expires. When the secret reaches its expiration date, it transitions to a Destroyed state. When the transition happens, the value that is associated with the secret is no longer recoverable. The transition to the Destroyed state can take up to a couple of minutes after the secret expires, or a lock that prevented expiration is removed.

For more information about how your information is protected, see Securing your data.

What are differences between the Reader and SecretsReader roles?

Both the Reader and SecretsReader roles help you to assign read-only access to Secrets Manager resources.

  • As a reader, you can browse a high-level view of secrets in your instance. Readers can't access the payload of a secret.
  • As a secrets reader, you can browse a high-level view of secrets, and you can access the payload of a secret. A secrets reader can't create secrets or modify the value of an existing secret.

How is Secrets Manager different from Key Protect?

There are a few key differences between using Key Protect and Secrets Manager to store your sensitive data. Secrets Manager offers flexibility with the types of secrets that you can create and lease to applications and services on-demand. Whereas, Key Protect delivers on encryption keys that are rooted in FIPS 140-2 Level 3 hardware security modules (HSMs)A physical appliance that provides on-demand encryption, key management, and key storage as a managed service..

For more information, see Managing secrets in IBM Cloud.

How is Secrets Manager different from Vault?

With Secrets Manager, you can centrally manage secrets for your services or apps in a dedicated, single tenant instance. To control who on your team has access to specific secrets, you can create secret groups that map to Identity and Access Management (IAM) access policies in your IBM Cloud account. And, you can use IBM Cloud Activity Tracker to track how users and applications interact with your Secrets Manager instance.

Are community plug-ins for Vault supported by Secrets Manager?

Currently, Secrets Manager offers foundational capabilities that don't exist in upstream Vault but are required to support operations for Secrets Manager as a managed service. These capabilities include a set of secrets engines to support secrets of various types in Secrets Manager, and an IBM Cloud Auth method that handles authentication between Vault and your IBM Cloud account.

Secrets Manager will continue to align with upstream Vault capabilities and plug-ins as it extends its support for more secrets engines in coming quarters. Keep in mind that plug-ins or components that are offered by the open source Vault community might not work with Secrets Manager, unless they are written against a secret type that Secrets Manager currently supports.

Can I manage IBM Cloud secrets by using an on-premises Vault?

If you're looking to manage IBM Cloud secrets through the full Vault native experience, you can use the stand-alone IBM Cloud plug-ins for Vault. These open source plug-ins can be used independently from each other so that you can manage IBM Cloud secrets through your on-premises Vault server.

I'm not familiar with Vault. Can I still use Secrets Manager?

Yes. To use Secrets Manager, you don't need to install Vault or the IBM Cloud plug-ins for Vault. You can try Secrets Manager for free, without needing an extensive background on how to use Vault. To get started, choose the type of secret that you want to create. Then, you can integrate with the standard Secrets Manager APIs so that you can access the secret programmatically.

Where can I find information about compliance certifications for Secrets Manager?

To view a complete list of certifications for Secrets Manager, see section 5.4 of the Secrets Manager software product compatibility report.