IBM Cloud Docs
Why can't I read a locked IAM credentials secret?

You try to read or access an IAM credentials secret that you manage in IBM Cloud® Secrets Manager, but you get a 412 Precondition Failed response.

You have an IAM credentials secret that you want to regenerate for your application. But when you use the Secrets Manager APIs, SDKs, or CLI to get the secret, you see the following 412 Precondition Failed error:

The requested action can't be completed because the secret version is locked.

A lock on a secret prevents it from being modified or deleted from your instance. IAM credentials are dynamic secrets. A dynamic secret is a unique value, such as a password or an API key, that is created dynamically and leased to an application that requires access to a protected resource. After a dynamic secret reaches the end of its lease, access to the protected resource is revoked and the secret is deleted automatically.

By default, each request to read an IAM credential (for example, a GET request) generates a new service ID API key, deletes the old credentials, and returns the new credentials. Locking the secret overrides this default behavior and returns a 412 Precondition Failed error to indicate that the secret data is locked. A locked IAM credential can't be read, because doing so modifies its secret data.

To regenerate your IAM credentials, you can remove all the locks that are associated with your secret, and try again. To delete locks from the Secrets Manager UI, go to Secrets > secret name > Locks > Delete.
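
The following added example is an in-memory model of the behavior described above, not IBM's code, and it calls no Secrets Manager API. It shows why a client should retry transient faults but treat the 412 as terminal until the locks are removed. The class, function, and lock names are hypothetical, and the generated keys are constructed stand-ins.

```python
import secrets


class PreconditionFailed(Exception):
    """Stands in for the HTTP 412 response."""
    status = 412


class IamCredentialsSecret:
    """Model of a dynamic IAM credentials secret (hypothetical, for illustration)."""

    def __init__(self):
        self.locks = set()       # names of locks attached to the secret
        self.live_keys = set()   # API keys currently valid for the service ID
        self.attempts = 0        # read requests received
        self.outages = 0         # simulated transient failures still to come

    def read(self):
        self.attempts += 1
        if self.outages:
            self.outages -= 1
            raise ConnectionError("simulated transient fault")
        if self.locks:
            # Reading would rotate the key, which modifies locked secret data.
            raise PreconditionFailed(
                "The requested action can't be completed because "
                "the secret version is locked.")
        self.live_keys.clear()            # the old credentials are deleted
        key = secrets.token_urlsafe(24)   # constructed stand-in for a new API key
        self.live_keys.add(key)
        return key


def fetch_api_key(secret, attempts=3):
    """Read the credential; retry transient faults only, never a 412."""
    for attempt in range(1, attempts + 1):
        try:
            return secret.read()
        except PreconditionFailed:
            raise  # cannot succeed until every lock is removed
        except ConnectionError:
            if attempt == attempts:
                raise
```

In the model, every successful read invalidates the key returned by the previous read, so a caller that reads in a loop also rotates the credential out from under any other consumer of the same secret.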