Secret tasks
IBM Cloud® Secrets Manager uses secret tasks to trigger and manage the lifecycle of asynchronous secret types. An asynchronous secret type is created in an initial pre-activation state, and a new execution task is automatically created to track the external creation of the secret credentials. Once the external process completes, it updates the secret task with the new credentials, and Secrets Manager changes the secret's state to active. You can list secret tasks, get their details, and delete them.
The Custom credentials secret type uses secret tasks to trigger the asynchronous execution of credentials providers implemented as IBM Cloud® Code Engine jobs. Each task is mapped to a job run with the task ID set as the job run name.
Tasks have different statuses, types, and triggers associated with them.
Status | Description |
---|---|
queued | The task has been created and is waiting in the queue to start processing. Queued tasks may be cancelled by deleting them. |
processing | The task is now running. In case of a custom credentials secret type, a Code Engine job run has started and the task is waiting for the job to return or for the timeout to elapse. Processing tasks may be cancelled by deleting them. |
credentials_created | The creation task has been successfully completed. In case of a custom credentials secret type, the Code Engine job reported success to Secrets Manager. Tasks with this status do not accept further updates. |
credentials_deleted | The deletion task has been successfully completed. In case of a custom credentials secret type the Code Engine job. Tasks with this status do not accept further updates. |
failed | The task timeout elapsed or the credentials provider updated the task with an error. In case of a custom credentials secret type, the Code Engine job has returned to Secrets Manager with an error. Tasks with this status do not accept further updates. |
Type | Description |
---|---|
create_credentials | This type represents a task that creates credentials. It can be triggered as a result of secret creation or a rotation. |
delete_credentials | This type represents a task that deletes previously created credentials. It can be triggered as a result of deleting the secret, the expiration or deletion of a specific version, or by rotation. |
Trigger | Description |
---|---|
secret_creation | This task was triggered as a result of the creation of the secret. |
manual_secret_rotation | This task was triggered as a result of a manual rotation. |
automatic_secret_rotation | This task was triggered as a result of an automatic (periodic) rotation. |
secret_version_expiration | This task was triggered as a result of an expiration of a secret version. |
secret_version_data_deletion | This task was triggered as a result of deleting a secret. |
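The status and type values above can drive a simple triage of a secret's task list. The following is an added example, not IBM's code: the record field names (`id`, `status`, `type`, `created_at`), the 30-minute threshold, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Status groups taken from the status table on this page.
CANCELLABLE = {"queued", "processing"}   # may be cancelled by deleting the task
COMPLETED = {"credentials_created", "credentials_deleted"}

def triage_tasks(tasks, now, max_age=timedelta(minutes=30)):
    """Bucket task records. Field names (id, status, type, created_at)
    are assumed; adjust them to the JSON your instance returns."""
    report = {"active": [], "stuck": [], "failed": [],
              "revocation_gaps": [], "done": [], "unknown": []}
    for task in tasks:
        task_id, status = task.get("id"), task.get("status")
        if status in CANCELLABLE:
            age = now - datetime.fromisoformat(task["created_at"])
            # Old queued/processing tasks are candidates for deletion.
            report["stuck" if age > max_age else "active"].append(task_id)
        elif status == "failed":
            report["failed"].append(task_id)
            # A failed delete_credentials task means the provider never
            # confirmed deletion of the external credentials.
            if task.get("type") == "delete_credentials":
                report["revocation_gaps"].append(task_id)
        elif status in COMPLETED:
            report["done"].append(task_id)
        else:
            report["unknown"].append(task_id)  # status not in the table
    return report

# Constructed sample records, not real API output.
SAMPLE_TASKS = [
    {"id": "task-a1", "status": "credentials_created", "type": "create_credentials", "created_at": "2025-01-10T08:00:00+00:00"},
    {"id": "task-b2", "status": "processing", "type": "create_credentials", "created_at": "2025-01-10T09:00:00+00:00"},
    {"id": "task-c3", "status": "failed", "type": "delete_credentials", "created_at": "2025-01-10T09:30:00+00:00"},
    {"id": "task-d4", "status": "queued", "type": "create_credentials", "created_at": "2025-01-10T10:10:00+00:00"},
    {"id": "task-e5", "status": "failed", "type": "create_credentials", "created_at": "2025-01-10T10:12:00+00:00"},
]
NOW = datetime(2025, 1, 10, 10, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for bucket, ids in triage_tasks(SAMPLE_TASKS, NOW).items():
        print(f"{bucket}: {ids}")
```

For custom credentials secrets, each reported task ID is also the Code Engine job run name, so the IDs in `stuck`, `failed`, and `revocation_gaps` point directly at the job runs to inspect.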
Working with secret tasks from the UI
To see the tasks associated with your custom credentials secret, open the Tasks menu inside the Actions drop-down. Here you can see a record of the actions that are associated with your credentials. For example, when a credential was created or deleted, or whether a timeout was associated with a task.
- In the Secrets table, click the Actions menu to open a list of options for your secret.
- To view the secret tasks, click Tasks.
To delete a secret task:
- In the Secrets table, click the Actions menu to open a list of options for your secret.
- Click Tasks to view all tasks.
- Tick the checkbox for a task to delete and click Delete selected.
Working with secret tasks from CLI
Before you begin, follow the CLI docs to set your API endpoint.
To look at the tasks associated with your custom credentials secret by using the Secrets Manager CLI plug-in, run the ibmcloud secrets-manager secret-tasks command:
ibmcloud secrets-manager secret-tasks --id SECRET_ID
To get the details of a specific task, use the task ID:
ibmcloud secrets-manager secret-task --secret-id SECRET-ID --id TASK_ID
To delete a task:
ibmcloud secrets-manager secret-task-delete --secret-id SECRET-ID --id TASK_ID
Working with secret tasks using the API
You can look at your custom credentials secret tasks programmatically by calling the Secrets Manager API. When you call the API, replace the SECRET_ID variables and IAM token with the values that are specific to your Secrets Manager instance:
curl -X GET \
-H "Authorization: Bearer {IAM_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/SECRET_ID/tasks"
To get the details of a specific task, use the task ID:
curl -X GET \
-H "Authorization: Bearer {IAM_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/SECRET_ID/tasks/TASK_ID"
To delete a task:
curl -X DELETE \
-H "Authorization: Bearer {IAM_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/SECRET_ID/tasks/TASK_ID"