Managing IAM access for Secrets Manager

Access to IBM Cloud® Secrets Manager service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user that accesses the Secrets Manager service in your account must be assigned an access policy with an IAM role. The policy determines which actions a user can perform within the context of Secrets Manager.

IAM access policies enable access to be granted at different levels. Some of the options include the following actions:

Access across all Secrets Manager service instances in your account
Access to an individual Secrets Manager instance in your account
Access to a specific resource within a Secrets Manager instance, such resource type secret-group

IAM roles and actions for Secrets Manager

Review the following platform and service roles that you can use to assign access to Secrets Manager service instances. Each role maps to specific Secrets Manager actions that a user can complete within an account or an individual instance.

If a specific role and its actions don't fit the use case that you're looking to address, you can create a custom role and pick the actions to include.

Table 1. Platform roles - Secrets Manager
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role	Description
Viewer	As a viewer, you can view Secrets Manager service instances, but you can't modify them.
Operator	As an operator, you can complete platform actions that are required to configure and operate Secrets Manager service instances, such as the ability to view a Secrets Manager dashboard.
Editor	As an editor, you can create, modify, and delete Secrets Manager service instances, but you can't assign access policies to other users.
Administrator	As an administrator, you can complete all platform actions for Secrets Manager, including the ability to assign access policies to other users.

Table 1. Service roles - Secrets Manager
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role	Description
Reader	As a reader, you can complete read-only actions within a Secrets Manager service instance, such as the ability to view secrets and secret groups. Readers can access only the metadata that is associated with a secret.
SecretsReader	As a secrets reader, you can complete read-only actions, and you can also access the secret data that is associated with a secret. A secrets reader can't create secrets or modify the value of an existing secret.
Writer	As a writer, you have permissions beyond the secrets reader role, including the ability to create and edit secrets. Writers can't create secret groups, manage the rotation policies of a secret, or configure secrets engines.
Manager	As a manager, you have permissions beyond the writer role to complete privileged actions, such as the ability to manage secret groups, configure secrets engines, and manage secrets policies.

Table 1. Service actions - Secrets Manager
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action	Description	Roles
`secrets-manager.dashboard.view`	View the Secrets Manager dashboard.	Operator, Editor, Administrator
`secrets-manager.secret-group.create`	Create secret groups.	Manager
`secrets-manager.secret-group.update`	Update a secret group.	Manager
`secrets-manager.secret-group.delete`	Delete a secret group.	Manager
`secrets-manager.secret-group.read`	View the details of a secret group.	Reader, SecretsReader, Writer, Manager
`secrets-manager.secret-groups.list`	List the secret groups in your instance.	Reader, SecretsReader, Writer, Manager
`secrets-manager.secret.create`	Create a secret.	Writer, Manager
`secrets-manager.secret.read`	Get the value of a secret.	SecretsReader, Writer, Manager
`secrets-manager.secret.delete`	Delete a secret.	Manager
`secrets-manager.secrets.list`	List the secrets in your instance.	Reader, SecretsReader, Writer, Manager
`secrets-manager.secret-locks.create`	Create secret locks.	Writer, Manager
`secrets-manager.secret-locks.delete`	Delete secret locks.	Manager
`secrets-manager.secrets-locks.list`	List secret locks.	Reader, SecretsReader, Writer, Manager
`secrets-manager.secret-version-locks.create`	Create secret version locks.	Manager, Writer
`secrets-manager.secret-version-locks.list`	List secret version locks.	Manager, Reader, Writer, SecretsReader
`secrets-manager.secret-version-locks.delete`	Delete secret version locks.	Manager
`secrets-manager.secret-metadata.update`	Update the metadata of a secret.	Writer, Manager
`secrets-manager.secret-metadata.read`	View the metadata of a secret.	Reader, SecretsReader, Writer, Manager
`secrets-manager.secret-action.create`	Create a secret action.	Manager, Writer
`secrets-manager.secret-version.create`	Create a new secret version.	Manager, Writer
`secrets-manager.secret-version.read`	View the details of a secret version.	Manager, Writer, SecretsReader
`secrets-manager.secret-version-metadata.read`	View the metadata of a secret version.	Manager, Reader, Writer, SecretsReader
`secrets-manager.secret-version-action.create`	Create a secret version action.	Manager, Writer
`secrets-manager.configuration.create`	Create a new configuration.	Manager
`secrets-manager.configuration-action.create`	Create a new configuration action.	Manager
`secrets-manager.configurations.list`	List configurations.	Manager, Reader, Writer
`secrets-manager.configuration.read`	View the details of a configuration.	Manager
`secrets-manager.configuration.update`	Update a configuration.	Manager
`secrets-manager.configuration.delete`	Delete a configuration.	Manager
`secrets-manager.secret-versions.list`	List secret versions.	Reader, SecretsReader, Writer, Manager
`secrets-manager.endpoints.view`	Get service instance endpoints.	Reader, SecretsReader, Writer, Manager
`secrets-manager.notifications-registration.create`	Create a registration with Event Notifications.	Manager
`secrets-manager.notifications-registration.read`	Get Event Notifications registration details.	Reader, SecretsReader, Writer, Manager
`secrets-manager.notifications-registration.delete`	Delete an Event Notifications registration.	Manager
`secrets-manager.notifications-registration.test`	Send a test event.	Reader, SecretsReader, Writer, Manager

Assigning access to Secrets Manager

You can use the IBM Cloud console, CLI, or APIs to assign different levels of access to Secrets Manager resources in your account. You can assign access at the instance level, or you can narrow access to a secret group that contains one or more secrets. For more information, see Assigning access to Secrets Manager.

To learn about using the IBM Cloud CLI to assign access, check out the IBM Cloud CLI reference. When you create an access policy for Secrets Manager by using the IBM Cloud CLI or APIs, use secrets-manager for the service name in the CLI command or API call.