What is a secrets engine?

Secrets engines are components in IBM Cloud® Secrets Manager that are used to process operations for secrets of different types.

Learning about engine configurations

In Secrets Manager, a secrets engine serves as the back end for a specific type of secret, such as a password or an API key. Depending on its type, a secrets engine can store data, generate secrets on demand, and more.

Some engines require a configuration before you can enable them for your instance. For example, when you try to order SSL/TLS certificates or create IAM credentials for the first time, a message is displayed to show that an engine configuration is required.

The image shows the secrets selection screen in the Secrets Manager UI.
Figure 1. Example - Engine configuration required

What's in a configuration?

Engine configurations that you add to your instance contain the properties that the service can use to enable operations for a secret type. For example, if you define certificate authority (CA) and DNS provider configurations for your instance, you can use Secrets Manager to order public certificates (public_cert).

Check out the following image to see how a configuration is structured.

This image shows the components of a secrets engine configuration. The information in the image is detailed in the surrounding content.
Figure 1. JSON representation of Secrets Manager engine configuration

  1. The name and type fields hold identifying information about a configuration.

  2. The config object contains the actual configuration details.

    When you use the Secrets Manager API to set the configuration of a secret type, the properties that you add to the config object differ depending on the type of configuration that you are adding. For example, the following truncated example shows how the configuration model is represented for a certificate authority (CA) configuration.

    {
        "name": "my-lets-encrypt-config",
        "type": "letsencrypt",
        "config": {
            "private_key": "-----BEGIN PRIVATE KEY-----\nMIICdgIBADANB...(redacted)"
        }
    }
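Because the config object can carry private-key material, as in the CA example above, a configuration document should be checked and masked before it reaches a log or a ticket. The following is an added example, not IBM's code or part of the Secrets Manager API: the function names are hypothetical and the sample document is constructed, with a placeholder in place of a key.

```python
import json
import re

# Matches a PEM private-key header of any key type (PKCS#8, RSA, EC, ...).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def validate_engine_config(doc):
    """Check the three top-level parts described above: name, type, config."""
    if not isinstance(doc, dict):
        return ["document must be a JSON object"]
    errors = []
    for field in ("name", "type"):
        if not isinstance(doc.get(field), str) or not doc.get(field):
            errors.append(f"'{field}' must be a non-empty string")
    if not isinstance(doc.get("config"), dict):
        errors.append("'config' must be an object")
    return errors


def redact_for_logging(value):
    """Return a copy in which any string holding PEM private-key material is masked."""
    if isinstance(value, dict):
        return {k: redact_for_logging(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_for_logging(v) for v in value]
    if isinstance(value, str) and PEM_PRIVATE_KEY.search(value):
        return "[REDACTED PRIVATE KEY]"
    return value


# Constructed sample shaped like the CA configuration above; the key body is a placeholder.
SAMPLE = json.loads("""
{
    "name": "my-lets-encrypt-config",
    "type": "letsencrypt",
    "config": {
        "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER-NOT-A-REAL-KEY\\n-----END PRIVATE KEY-----"
    }
}
""")

if __name__ == "__main__":
    errors = validate_engine_config(SAMPLE)
    print("validation errors:", errors)
    print(json.dumps(redact_for_logging(SAMPLE), indent=4))
```

The redaction matches on the PEM header rather than on the property name, so key material stored under a differently named config property is masked as well.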
    

How do I get started?

To get started with secrets, you can go to the Secrets engines page of the Secrets Manager UI, or check out the API reference to learn more about managing secret types programmatically.