Release notes for Secrets Manager

Use these release notes to learn about the latest changes to IBM Cloud® Secrets Manager that are grouped by date.

For the latest changes to the APIs, check out the Secrets Manager API change log.

18 March 2024

Key management service
The Settings page now displays the key management service selected for the service instance: provider-managed or user-provided (Key Protect or Hyper Protect Crypto Services).

11 March 2024

Additional filter options
You can now filter by secret types as well as filter for more than one label.

12 February 2024

Support for random password generation in User credentials
The User credentials secret type now supports generating a random password on secret creation. In addition, you can control the password's length and whether to include numbers, symbols, and upper-case letters. To learn more, see Storing user credentials.

10 January 2024

New event notifications for secret types
You can now configure Event Notifications to send an alert for all secret types when a secret is rotated or deleted. To learn more about the integration, see Enabling event notifications for Secrets Manager.

11 December 2023

Manage service credentials for supported IBM Cloud services
You can now use Secrets Manager to create and manage service credentials for supported services. To learn more, see What is a secret and Create a Service credential.

4 December 2023

Madrid availability

You can now create a Secrets Manager service instance in the Madrid (eu-es) region.

For more information, see Regions and endpoints.

6 November 2023

Updated Secrets Manager UI

An updated version of the Secrets Manager UI is now available and includes the following improvements:

  • New flow for adding secrets
  • New Secrets Details side panel
  • Ability to get a secret engine's configuration value for public_cert, private_cert, and iam_credentials
  • Ability to get a secret engine's configuration code snippet for public_cert, private_cert, and iam_credentials
  • Ability to get the secret value of the current and previous secret versions
  • IAM credentials now display an expiration date in the Secrets table when the reuse apikey is set to true
  • Improvements to the IAM Credentials secret engine page:
    • Ability to delete a configuration if all IAM credential secrets are first deleted
    • Look and feel enhancements
    • Visual cue for an invalid configuration that is missing or has a misconfigured API key
  • Multi-select up to 5 secrets to download or delete, depending on the secret type

20 September 2023

Now available: Get a secret by name
Users can now get a secret and its details by specifying the name and type of the secret through the API. This functionality is also available in the CLI and SDKs.

19 April 2023

Now available: CLI v2.0.1
A new version of the Secrets Manager CLI is now available. In this release, the CLI was updated to address an error that Windows users faced when they attempted to download the plug-in.

17 April 2023

Now available: API, SDK, CLI, and Terraform v2.0

A new version of the Secrets Manager API and SDKs is now available. The following updates are included in this release.

  • You no longer need to include secret_type in the API URL to identify a secret.
  • The secret group name must be unique per Secrets Manager instance.
  • Resource updates are defined as HTTP PATCH operations.
  • The configurations API follows the pattern of the Secrets Manager API. config_type acts as the API discriminator, similarly to secret_type.
  • Configurations are modeled as OpenAPI composites with metadata and data parts, similarly to the Secrets Manager model. Mappings between IAM roles and the configurations API follow the same pattern as the Secrets Manager API. For example, an IAM viewer can list configurations to view their metadata.
  • List operations return metadata only for secret, secret version, and config resources.
  • The action to rotate a secret is now the create a new secret version API: POST /v2/secrets/{id}/versions.
  • The action to restore secret version is now the create a new secret version API with the restored_from_version body parameter.
  • The action to delete IAM credentials is now the delete a secret version data API: DELETE /v2/secrets/{id}/versions/{version_id}/secret_data.
  • Policies API is now embedded into the metadata API in version 2.0.
  • The actions to list Secrets and get secret metadata return the versions_total field. The version's content is not included.
  • Current and previous secret versions can be referenced by using the current and previous aliases in version APIs.
  • The secret lock mode names exclusive and exclusive_delete are replaced by remove_previous and remove_previous_and_delete. The modes still perform the same action, only the names changed.
  • CLI commands to create secret/group/configuration require JSON input instead of param flags.
  • CLI command names for configurations and locks slightly changed.

For more information, check out the API docs.

Now available: CLI version 2.0

A new version of the Secrets Manager CLI is now available. For more information about the updates that are included in version 2.0, check out the CLI change log.

Deprecated: API, SDK, and CLI v1

As of April 17, 2023, the IBM Cloud® Secrets Manager API v1 has been deprecated in favor of v2. If you're still actively working with the Secrets Manager API v1, please be sure to start your upgrade as soon as possible. On 31 October 2023, support for the Secrets Manager API v1 will be removed.

3 March 2023

Now available: Terraform support
Secrets Manager now supports Terraform on IBM Cloud. For more information, see Setting up Terraform for Secrets Manager and the Terraform registry.

11 December 2022

Support for context-based restrictions (CBR)

Manage user and service access to your Secrets Manager resources by using context-based restrictions, based on defined criteria. For more information, see Managing access with context-based restrictions.

As part of the support for CBR, the private service inner IPs were modified. The hostnames were not modified. If needed, you can use DNS lookup to find the exact IPs.

14 November 2022

Manually configure your own DNS provider
If you work with a DNS provider that is not currently integrated with the service, you can manually configure it when you use the Secrets Manager UI to order new certificates. If you choose to manually configure a provider, you must complete a challenge to prove ownership over your domain. For more information, see Ordering public certificates with your own DNS provider in the UI.
Create a leaf certificate with a certificate signing request
You can create private leaf certificates through your public key infrastructure (PKI) by using a certificate signing request (CSR). Learn more.

18 October 2022

Version custom metadata
The ability to provide metadata for a specific version of a secret is now available in the UI, in addition to providing metadata for all versions. To learn more about the latest updates, see Creating secrets and Managing secret versions.
Automatic rotation for IAM credentials
The ability to schedule an automatic rotation policy is now available for IAM credentials that are configured for reuse in the UI. For more information, see Automatically rotating secrets.

19 September 2022

CLI plug-in version 0.1.23
Version 0.1.23 of the Secrets Manager CLI is now available for download. To learn about the latest updates, see the CLI change log.
Automatic rotation for IAM credentials
The ability to schedule an automatic rotation policy is now available for IAM credentials that are configured for reuse. For more information, see Automatically rotating secrets.
Manually configure your own DNS provider
If you work with a DNS provider that is not currently integrated with the service, you can manually configure it when you use the Secrets Manager API to order new certificates. If you choose to manually configure a provider, you must complete a challenge to prove ownership over your domain. For more information, see Ordering public certificates with your own DNS provider.

12 September 2022

CLI plug-in version 0.1.22

Version 0.1.22 of the Secrets Manager CLI is now available for download. To learn about the latest updates, see the CLI change log.

New custom metadata fields

The documentation for creating secrets and managing versions of a secret is now updated to include custom_metadata and version_custom_metadata fields. To learn more about the latest updates, see Creating secrets and Managing secret versions.

New Secrets Manager event notifications

The following notifications for events related to Secret Locks are now available.

  • secret_deletion_blocked: Now available for arbitrary secrets, IAM credentials, user credentials, key value, imported certificates, private certificates, and public certificates.
  • secret_revocation_blocked: Now available for private certificates.
  • secret_rotation_blocked: Now available for arbitrary secrets, IAM credentials, user credentials, key value, imported certificates, private certificates, and public certificates.
  • secret_expiration_blocked: Now available for arbitrary secrets, IAM credentials, and user credentials.
  • secret_version_data_deleted: Now available for arbitrary secrets, IAM credentials, user credentials, key value, imported certificates, private certificates, and public certificates.

For more information about using Event Notifications to enable lifecycle notifications for your Secrets Manager instance, see Enabling event notifications.

1 August 2022

Improved authorization flow
The documentation for granting service access to domains is now updated to simplify the required flow. To try out the latest updates, see Granting service access to CIS.

27 July 2022

CLI plug-in version 0.1.21
Version 0.1.21 of the Secrets Manager CLI is now available for download. To learn about the latest updates, see the CLI change log.

10 July 2022

Lock secrets to prevent them from being deleted

You can now attach locks to secrets to indicate that they're in use by one or more consumers. When a secret is locked, it can't be modified or deleted. For more information, check out the following resources:

CLI plug-in version 0.1.20

Version 0.1.20 of the Secrets Manager CLI is now available for download. To learn about the latest updates, see the CLI change log.

8 June 2022

Allow access to Secrets Manager in a restricted account
Working in an account that has IP address access restrictions? To use certain features in Secrets Manager, for example, to generate IAM credentials, an extra step is required to ensure that your account is able to accept incoming requests from the service. If your account allows access to only specific IP addresses, you can update your account settings to specify a required list of IP addresses for Secrets Manager.

27 May 2022

Integration with Application Load Balancer for VPC
You can now use Secrets Manager to centrally manage the SSL/TLS certificates that are required for load balancers to perform SSL offloading tasks. To learn more about this integration, check out the Application Load Balancer for VPC documentation.

16 May 2022

Updated Secrets Manager event notifications

Previously, notifications for Secrets Manager were supported for certificates only. Now, you can be notified when other types of secrets in your instance are expired or soon to expire.

  • secret_about_to_expire: Now available for arbitrary secrets, IAM credentials, and user credentials.
  • secret_expired: Now available for arbitrary secrets, IAM credentials, and user credentials.

For more information about using Event Notifications to enable lifecycle notifications for your Secrets Manager instance, see Enabling event notifications.

CLI plug-in version 0.1.19

Version 1.1.19 of the Secrets Manager CLI is now available for download. To learn about the latest updates, see the CLI change log.

25 April 2022

Create private SSL/TLS certificates for your applications

You can now use Secrets Manager to set up a private certificate authority (CA) that you can use to issue SSL/TLS certificates to your internal applications. By configuring root and intermediate CAs for your instance, you can establish a valid chain of trust for your certificates. To find out more about this release, check out the announcement blog.

New Secrets Manager event notifications

The following Secrets Manager events can now be forwarded to a connected Event Notifications instance.

  • secret_deleted: Currently supported for imported certificates, private certificates, and public certificates.
  • secret_revoked: Currently supported for private certificates only.

For more information about using Event Notifications to enable lifecycle notifications for your Secrets Manager instance, see Enabling event notifications.

CLI plug-in version 1.1.18

Version 1.1.18 of the Secrets Manager CLI is now available for download. To learn about the latest updates, see the CLI change log.

11 April 2022

Integrations with Kubernetes Service and Red Hat OpenShift on IBM Cloud
You can now use Secrets Manager to centrally manage Ingress subdomain certificates and other secrets for your Kubernetes or Red Hat OpenShift on IBM Cloud clusters. To learn more about this integration, check out the Kubernetes Service or Red Hat OpenShift on IBM Cloud documentation.

23 March 2022

Standard and Trial pricing plans

You can now create an unlimited number of Secrets Manager service instances by choosing the Standard pricing plan. For more information about pricing in Secrets Manager, check out the announcement blog.

If you're an existing Secrets Manager Lite plan user, be sure to upgrade your instance to the Standard plan before 22 May 2022 if you'd like to maintain access. For more information, see the previous release note.

Osaka and Toronto availability

You can now create a Secrets Manager service instance in the Osaka (jp-osa) and Toronto (ca-tor) regions.

For more information, see Regions and endpoints.

15 March 2022

Tutorial series: Set up alerts for expiring certificates

Looking for examples that can help you to send Secrets Manager notifications to GitHub or Slack? Check out the new tutorial series that guides you through:

  • Enabling Event Notifications for Secrets Manager
  • Using Cloud Functions to create a GitHub issue when a secret is about to expire
  • Using Cloud Functions to send a notification to Slack

28 February 2022

Sao Paulo availability

You can now create a Secrets Manager service instance in the Sao Paulo (br-sao) region.

For more information, see Regions and endpoints.

23 February 2022

Pricing plan updates coming soon in Secrets Manager

On 23 March 2022, Secrets Manager will introduce Standard and Trial pricing plans. With the introduction of the new plans, the current Lite plan option is deprecated.

Types of plans:

When you provision an instance of the service after 23 March, you can choose either a Trial or Standard plan.

  • Trial: To try out the service, you can provision an instance of the service to access all the features that Secrets Manager offers for a limited time. After the trial period, all functionality is disabled but the instance remains in your account for an additional 30 days, during which you can choose to upgrade your plan. If you choose not to, the instance and its data are automatically removed from your account without any action on your part.

You can have one instance of the service on the trial plan that is provisioned in your account at any time.

  • Standard: When you're ready to upgrade, you get unlimited access to all the features that the service offers. The number of instances that your teams can provision is unlimited. With the Standard plan, you are charged per secret and per instance that is provisioned. To view the most current pricing information, see the Secrets Manager UI.

Important dates:

Be sure to keep the following dates in mind:

  • 23 March 2022: Instances of Secrets Manager on the Lite plan will be deprecated. As an existing user, you can continue to use the service without interruption, but you should upgrade your instances to the Standard plan as soon as you can after this date.

  • 22 May 2022: Instances of Secrets Manager on the Lite plan will be disabled and functionality is removed. However, the instance remains in your account for an additional 30 days, during which you can choose to upgrade your plan.

  • 21 June 2022: If you have chosen not to upgrade your plan, the instances of the service and their data will be removed from your account.

Users will have the option to upgrade their service starting 23 March 2022. To ensure that your service functionality is not disrupted, be sure to upgrade to a Standard plan before 22 May 2022.

3 February 2022

Enable lifecycle notifications for your certificates

You can now integrate with the Event Notifications service so that you can manage and route all of your Secrets Manager alerts to your preferred destinations.

Currently, Secrets Manager supports notifications for certificates only. For more information, see Enabling event notifications.

31 January 2022

Store key-value secrets
You can now create key-value secrets with the Secrets Manager UI and API. For more information, see Storing key-value secrets.

22 November 2021

View the version history of your secrets

With the Secrets Manager UI, you can now check the version history of your secrets so that you can quickly understand when a secret was last rotated. For more information, see Viewing your version history.

Create IAM credentials by using a service ID in your account

In addition to using access groups to determine the access capabilities of an IAM credential, you can now create a secret by using an existing service ID in your account. You can choose this option if you need Secrets Manager to dynamically generate and manage an API key only.

For more information, see Creating IAM credentials.

Restore secrets to a previous version

Need to roll back a secret to its previous version? If you need to revert a secret, you can now restore select secret types to a previous version.

Currently, you can restore 1 version back for IAM credentials and public certificate secrets only. For more information, see Restoring secrets to a previous version.

Rotate IAM credentials on-demand

You can now rotate IAM credentials manually by using the UI or APIs. For more information, see Rotating secrets manually.

20 September 2021

Order domain-validated TLS certificates from Let's Encrypt

In addition to importing your existing certificates, you can now use Secrets Manager to order domain-validated certificates!

In this release, the following certificate authorities (CA) and DNS providers are supported:

  • Let's Encrypt
  • IBM Cloud Internet Services (CIS)
  • IBM Cloud classic infrastructure (SoftLayer)

For more information, see Ordering domain-validated certificates from third-parties or check out the announcement blog.

30 August 2021

Migrate certificates from Certificate Manager to Secrets Manager

Ready to try Secrets Manager for certificates management? You can now take advantage of automation scripts that can help you to move certificates from Certificate Manager to Secrets Manager.

For more information, check out the migration scripts in GitHub.

20 June 2021

Import and manage your existing TLS certificates

Looking for the ability to centralize TLS certificates into a single secrets management service? You can now use Secrets Manager to import TLS certificates that are issued by external certificate authorities (CA).

For more information, check out Importing TLS certificates.

Connect to Secrets Manager from your VPC network

You can now connect to a Secrets Manager service instance by using Virtual Private Endpoints (VPE) for VPC.

To learn how to connect your existing Secrets Manager instance, see Regions and endpoints. For more information about setting up a virtual private endpoint gateway, check out About virtual private endpoint gateways.

19 May 2021

Upcoming updates to supported cipher suites

On 29 May 2021, Secrets Manager will deliver changes to the cipher suites that it supports for TLS connections to the service. This update is being implemented to enhance the security of IBM Cloud users and protect user data.

  • What's changing? Beginning 29 May 2021, Secrets Manager API endpoints will allow only the following cipher suites:

    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-CHACHA20-POLY1305
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-CHACHA20-POLY1305
    • ECDHE-RSA-AES256-GCM-SHA384
  • How will this change impact my environment? This change impacts clients that are configured to use ciphers that are not included on this list. To avoid connectivity issues with Secrets Manager, make sure that your client is configured to use only the allowed list of ciphers in TLS connections to the service. Reach out to IBM Cloud support with any questions.
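The following Python sketch is an added example, not part of the original release note or IBM's SDKs. It pins a client's TLS 1.2 cipher suites to the six names listed above and audits an existing OpenSSL cipher string against that list. The function names and the sample legacy string are assumptions made for illustration; TLS 1.3 suites are configured separately in OpenSSL and are outside the scope of this list.

```python
import ssl

# The six suites the release note lists as allowed from 29 May 2021
# (OpenSSL names for TLS 1.2 cipher suites).
ALLOWED_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
)


def tls12_suites(ctx):
    """Return the names of the suites enabled on ctx, excluding TLS 1.3 ones.

    OpenSSL keeps TLS 1.3 suites in a separate list that set_ciphers() does
    not change, so they are filtered out before comparing with the allowlist.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def build_client_context():
    """Client context that offers only the allowed suites for TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ALLOWED_SUITES))
    return ctx


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build and
    return, sorted, the enabled suites that are not on the allowlist."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Nothing in the string is supported locally, so there is
        # no enabled suite to report.
        return []
    return sorted(n for n in tls12_suites(ctx) if n not in ALLOWED_SUITES)


if __name__ == "__main__":
    # Constructed sample: one allowed suite plus one RSA key-exchange suite
    # that is not on the list.
    legacy = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"
    print("not on the allowlist:", audit_cipher_string(legacy))
    print("pinned context offers:", tls12_suites(build_client_context()))
```

A client whose audit result is non-empty still connects as long as it also offers at least one allowed suite; a client that offers none of the six fails the handshake.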

Manage secrets in your Continuous Delivery toolchain

You can now configure Secrets Manager to securely manage secrets that are part of your Continuous Delivery toolchain.

For more information, check out the announcement blog.

22 March 2021

Manage secrets over a private network connection

You can now create a private instance of Secrets Manager so that you can manage application secrets over a private network connection.

For more information, see Securing your connection to Secrets Manager.

Reuse API keys for IAM credential secrets

By default, IAM credential secrets are generated and deleted each time that the secret is read or accessed. By using the reuse_api_key parameter in the API, or the Reuse IAM credentials option in the UI, you can control whether the associated service ID API key can be reused until the secret expires.

For more information, see Creating IAM credentials.

Analyze Secrets Manager logs with IBM Log Analysis

Secrets Manager is now integrated with Log Analysis so that you can diagnose issues and analyze logs that are generated by your Secrets Manager service instance.

For more information, see Viewing logs for Secrets Manager.

London, Tokyo, and Washington DC availability

Secrets Manager is now available in the London (eu-gb), Tokyo (jp-tok), and Washington DC (us-east) regions.

For more information, see Regions and endpoints.

15 February 2021

Now available: Secrets Manager Java SDK

You can now use the IBM Cloud Secrets Manager Java SDK to connect to your Secrets Manager service instance.

For more information, check out the IBM Cloud Secrets Manager Java SDK repository in GitHub.

27 January 2021

Now available: Secrets Manager Go and Python SDKs

You can now use the IBM Cloud Secrets Manager Go and Python SDKs to connect to your Secrets Manager service instance.

For more information, check out the SDK repositories in GitHub:

18 December 2020

Announcing Secrets Manager general availability

Secrets Manager is now generally available in the IBM Cloud catalog!

To find out more about this release, check out the announcement blog.

15 December 2020

Sydney availability

You can now create a Secrets Manager service instance in the Sydney (au-syd) region.

For more information, see Regions and endpoints.

14 December 2020

Now available: Secrets Manager CLI plug-in

The Secrets Manager CLI plug-in is now available for download!

You can use the Secrets Manager CLI to interact with the secrets that you store in your Secrets Manager instance. To install the plug-in, log in to the IBM Cloud CLI and run ibmcloud plugin install secrets-manager.

  • To see CLI usage examples for creating secrets of different types, check out Creating secrets.
  • To find out more about the CLI commands and options that are available for Secrets Manager, see the CLI reference.

24 November 2020

Now available: Secrets Manager Node.js SDK

You can now use the IBM Cloud Secrets Manager Node.js SDK to connect to your Secrets Manager service instance.

For more information, check out the IBM Cloud Secrets Manager Node.js SDK repository in GitHub.

13 November 2020

Now available: IBM Cloud plug-ins for Vault

Need to manage IBM Cloud secrets by using an on-premises Vault? You can now integrate stand-alone IBM Cloud plug-ins for Vault. These open source plug-ins can be used independently from each other so that you can manage IBM Cloud secrets through your on-premises Vault server.

For more information, check out the announcement blog.

9 November 2020

Grant controlled access to secret data with the SecretsReader role

You can now choose between the Reader and SecretsReader IAM roles for better control over access to the payload of your secrets.

  • As a reader, you can browse a high-level view of secrets in your instance. Readers can't access the payload of a secret.
  • As a secrets reader, you can browse a high-level view of secrets, and you can access the payload of a secret. A secrets reader can't create secrets or modify the value of an existing secret.

To learn more about service access roles, see Managing IAM access for Secrets Manager.

24 September 2020

Introducing Secrets Manager

With IBM Cloud Secrets Manager, you can create secrets dynamically and lease them to applications while you control access from a single location. Built on open source HashiCorp Vault, Secrets Manager helps you get the data isolation of a dedicated environment with the benefits of a public cloud.

In this release, Secrets Manager offers support for the following types of secrets:

  • IAM credentials, which consist of a service ID and API key that are generated dynamically on your behalf.
  • Arbitrary secrets, such as custom credentials that can be used to store any type of structured or unstructured data.
  • User credentials, such as usernames and passwords that you can use to log in to applications.

To find out more about capabilities and use cases for Secrets Manager, check out the announcement blog.