Secret tasks

IBM Cloud® Secrets Manager uses secret tasks to trigger and manage the lifecycle of asynchronous secret types. An asynchronous secret type is created in an initial pre-activation state, and a new execution task is automatically created to track the external creation of the secret credentials. When the external process completes, it updates the secret task with the new credentials, and Secrets Manager moves the secret to the active state. You can list secret tasks, get their details, and delete them.

The Custom credentials secret type uses secret tasks to trigger the asynchronous execution of credentials providers implemented as IBM Cloud® Code Engine jobs. Each task is mapped to a job run with the task ID set as the job run name.

Tasks have statuses, types, and record values associated with them.

Available task statuses
| Status | Description |
|---|---|
| queued | The task has been created and is waiting in the queue to start processing. Queued tasks may be cancelled by deleting them. |
| processing | The task is now running. In the case of a custom credentials secret type, a Code Engine job run has started and the task is waiting for the job to return or for the timeout to elapse. Processing tasks may be cancelled by deleting them. |
| credentials_created | The creation task has been successfully completed. In the case of a custom credentials secret type, the Code Engine job reported success to Secrets Manager. Tasks with this status do not accept further updates. |
| credentials_deleted | The deletion task has been successfully completed. In case of a custom credentials secret type the Code Engine job. Tasks with this status do not accept further updates. |
| failed | The task timeout elapsed or the credentials provider updated the task with an error. In the case of a custom credentials secret type, the Code Engine job has returned to Secrets Manager with an error. Tasks with this status do not accept further updates. |

Available task types
| Type | Description |
|---|---|
| create_credentials | This type represents a task that creates credentials. It can be triggered as a result of secret creation or a rotation. |
| delete_credentials | This type represents a task that deletes previously created credentials. It can be triggered as a result of deleting the secret, the expiration or deletion of a specific version, or by rotation. |

Available task record values
| Value | Description |
|---|---|
| secret_creation | This task was triggered as a result of the creation of the secret. |
| manual_secret_rotation | This task was triggered as a result of a manual rotation. |
| automatic_secret_rotation | This task was triggered as a result of an automatic (periodic) rotation. |
| secret_version_expiration | This task was triggered as a result of an expiration of a secret version. |
| secret_version_data_deletion | This task was triggered as a result of deleting a secret. |

Working with secret tasks from the UI

To look at the tasks associated with your custom credentials secret, open the Tasks menu in the Actions drop-down. Here you can see a record of the actions that are associated with your credentials, for example, when a credential was created or deleted, or whether a timeout was associated with a task.

  1. In the Secrets table, click the Actions menu icon to open a list of options for your secret.
  2. To view the secret tasks, click Tasks.

To delete a secret task:

  1. In the Secrets table, click the Actions menu icon to open a list of options for your secret.
  2. Click Tasks to view all tasks.
  3. Select the checkbox for a task to delete and click Delete selected.

Working with secret tasks from the CLI

Before you begin, follow the CLI docs to set your API endpoint.

To look at the tasks associated with your custom credentials secret by using the Secrets Manager CLI plug-in, run the ibmcloud secrets-manager secret-tasks command:

ibmcloud secrets-manager secret-tasks --id SECRET_ID

To get the details of a specific task, use the task ID:

ibmcloud secrets-manager secret-task --secret-id SECRET_ID --id TASK_ID

To delete a task:

ibmcloud secrets-manager secret-task-delete --secret-id SECRET_ID --id TASK_ID

Working with secret tasks using the API

You can look at your custom credentials secret tasks programmatically by calling the Secrets Manager API. When you call the API, replace the SECRET_ID variables and IAM token with the values that are specific to your Secrets Manager instance:

curl -X GET \
    -H "Authorization: Bearer {IAM_token}" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
  "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/SECRET_ID/tasks"

To get the details of a specific task, use the task ID:

curl -X GET \
    -H "Authorization: Bearer {IAM_token}" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
  "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/SECRET_ID/tasks/TASK_ID"

To delete a task:

curl -X DELETE \
    -H "Authorization: Bearer {IAM_token}" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
  "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/SECRET_ID/tasks/TASK_ID"
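
The task statuses and types listed on this page can drive a periodic review of a secret's tasks. The following Python is an added example, not IBM's code: it sorts a task list into review buckets and puts failed delete_credentials tasks first, because the credentials they were meant to remove may still exist. The "tasks" wrapper and the id, type, status and trigger field names in the constructed sample are assumptions about the list response, which this page does not show.

```python
import json

# Status and type names are the ones listed in the tables on this page.
CANCELLABLE = {"queued", "processing"}  # may be cancelled by deleting the task
TERMINAL = {"credentials_created", "credentials_deleted", "failed"}  # no further updates
TYPES = {"create_credentials", "delete_credentials"}

# Constructed sample. The "tasks" wrapper and the id/type/status/trigger field
# names are assumptions about the list response, not taken from the page.
SAMPLE_RESPONSE = json.loads("""
{"tasks": [
  {"id": "task-0001", "type": "create_credentials", "status": "credentials_created", "trigger": "secret_creation"},
  {"id": "task-0002", "type": "delete_credentials", "status": "failed", "trigger": "automatic_secret_rotation"},
  {"id": "task-0003", "type": "create_credentials", "status": "processing", "trigger": "manual_secret_rotation"},
  {"id": "task-0004", "type": "create_credentials", "status": "failed", "trigger": "automatic_secret_rotation"},
  {"id": "task-0005", "type": "delete_credentials", "status": "revoked", "trigger": "secret_version_expiration"}
]}
""")


def triage_tasks(response):
    """Sort tasks into review buckets, most urgent bucket first."""
    report = {"undeleted_credentials": [], "failed_creation": [],
              "in_flight": [], "unrecognized": [], "completed": []}
    for task in response.get("tasks", []):
        task_id = task.get("id", "<no id>")
        status, kind = task.get("status"), task.get("type")
        if status not in CANCELLABLE | TERMINAL or kind not in TYPES:
            # Fail closed: an unknown status or type is never counted as success.
            report["unrecognized"].append(task_id)
        elif status == "failed" and kind == "delete_credentials":
            # Deletion did not complete, so the old credentials may still be valid.
            report["undeleted_credentials"].append(task_id)
        elif status == "failed":
            report["failed_creation"].append(task_id)
        elif status in CANCELLABLE:
            report["in_flight"].append(task_id)
        else:
            report["completed"].append(task_id)
    return report


if __name__ == "__main__":
    for bucket, ids in triage_tasks(SAMPLE_RESPONSE).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```
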