Organizing your secrets

When you work with IBM Cloud® Secrets Manager, you can create groups to organize your secrets and control who on your team has access to them. Then, if you don't need them anymore, you can delete the groups.

Similar to the way that resource groups help to ensure correct policy enforcement at the platform level, you can create secret groups at the instance level to organize secrets.

Figure: two examples of a secret group and how they're mapped to access groups, one where the Reader role is assigned and one where the Manager role is assigned. The content is explained fully in the surrounding text.

Assigning access to secret groups

As shown in the previous image, users with Reader access to a secret group can see that the group exists and understand which secrets are assigned to it. Users with Writer access can view and edit the secret group and secrets themselves. By design, the default secret group inherits all of the same permissions that are set for the instance.

You can choose to group your secrets by phase of development, specific to the type of roles that people on your team have, or in any way that might help you. Each secret can be mapped to one group only and the mapping occurs at the time of secret creation.

To learn about the suggested guidelines for using secret groups, check out Best practices for organizing secrets and assigning access.

Before you begin

Before you begin, be sure that you have the required level of access. To create and manage secret groups, you need the Manager service role.

Creating secret groups

You can create secret groups by using the Secrets Manager console or the API.

Creating secret groups in the UI

You can create secret groups by using the console. You can also create a secret group during the process of adding or creating a secret.

  1. In the console, click the Menu icon > Resource List.
  2. From the list of services, select your instance of Secrets Manager.
  3. In the navigation, click Secret groups > Create.
  4. Add a name and description to easily identify your group.
  5. Click Create.
  6. Optional: Assign your secret group an IAM policy.

Creating secret groups with the API

You can create secret groups by using the Secrets Manager API.

The following example request creates a secret group. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.

curl -X POST \
  -H "Authorization: Bearer {iam_token}" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "name":"my-secret-group",
    "description":"Extended description for this group."
    }' \
  "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secret_groups"

Creating secret groups with Terraform

You can create secret groups by using Terraform for Secrets Manager.

The following example request creates a secret group.

resource "ibm_sm_secret_group" "sm_secret_group_test" {
  instance_id = local.instance_id
  region = local.region
  name = "secret_group_test"
  description = "example secret group"
}

Deleting secret groups

If you no longer need to use a group, you can delete it by using the console or the API.

To delete a secret group, it must be empty. If you need to remove a secret group that contains secrets, you must first delete the secrets that are part of the group.

Deleting secret groups in the UI

You can delete secret groups by using the console.

  1. In the console, click the Menu icon > Resource List.
  2. From the list of services, select your instance of Secrets Manager.
  3. In the navigation, click Secret groups.
  4. In the row for the secret group that you want to delete, click the Actions icon.
  5. Click Delete group.
  6. Click Delete.

Deleting secret groups with the API

You can delete secret groups by using the Secrets Manager API.

The following example request deletes a secret group. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.

curl -X DELETE \
  -H "Authorization: Bearer {iam_token}" \
  "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secret_groups/{id}"
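The following added example (not IBM's own code) builds the same create and delete requests as the two curl commands above, and enforces the "group must be empty" rule client-side before issuing the DELETE. It assumes the secret listing you feed it is a dict with a "secrets" list whose items carry "id" and "secret_group_id" fields; confirm those names against the current API reference.

```python
"""Added example (not IBM's code): build the v2 secret-group requests shown in the
curl examples, and refuse to DELETE a group that still contains secrets.
Assumption: the listing is a dict with a "secrets" list whose items carry
"id" and "secret_group_id"; check the current API reference before relying on it."""
import json
import urllib.request

def base_url(instance_id, region):
    return f"https://{instance_id}.{region}.secrets-manager.appdomain.cloud/api/v2"

def _headers(iam_token, with_body=False):
    headers = {"Authorization": f"Bearer {iam_token}", "Accept": "application/json"}
    if with_body:
        headers["Content-Type"] = "application/json"
    return headers

def create_group_request(instance_id, region, iam_token, name, description=""):
    """POST /secret_groups, mirroring the curl example for creating a group."""
    body = json.dumps({"name": name, "description": description}).encode()
    return urllib.request.Request(f"{base_url(instance_id, region)}/secret_groups",
                                  data=body, headers=_headers(iam_token, True), method="POST")

def delete_group_request(instance_id, region, iam_token, group_id):
    """DELETE /secret_groups/{id}, mirroring the curl example for deleting a group."""
    return urllib.request.Request(f"{base_url(instance_id, region)}/secret_groups/{group_id}",
                                  headers=_headers(iam_token), method="DELETE")

def secrets_in_group(listing, group_id):
    """IDs of secrets still mapped to group_id (each secret belongs to exactly one group)."""
    return [s["id"] for s in listing.get("secrets", []) if s.get("secret_group_id") == group_id]

def delete_group_if_empty(listing, instance_id, region, iam_token, group_id,
                          send=urllib.request.urlopen):
    """Issue the DELETE only when the group is empty; otherwise fail loudly and
    name the secrets that must be deleted first, instead of letting the API reject it."""
    remaining = secrets_in_group(listing, group_id)
    if remaining:
        raise RuntimeError(f"group {group_id} still holds secrets: {remaining}")
    return send(delete_group_request(instance_id, region, iam_token, group_id))

if __name__ == "__main__":
    # Constructed sample listing: g1 still holds one secret, g3 is empty.
    listing = {"secrets": [{"id": "s1", "secret_group_id": "g1"},
                           {"id": "s2", "secret_group_id": "g2"}]}
    print(secrets_in_group(listing, "g1"))  # ['s1']
    try:
        delete_group_if_empty(listing, "inst", "us-south", "tok", "g1", send=lambda r: r)
    except RuntimeError as err:
        print(err)
    # send=lambda r: r returns the built request instead of sending it over the network
    print(delete_group_if_empty(listing, "inst", "us-south", "tok", "g3", send=lambda r: r).full_url)
```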

Next steps

Already using secret groups? To learn more about assigning access and organizing your secrets, check out the following resources.