Using service endpoints to privately connect to Secrets Manager

To ensure that you have enhanced control and security over your data when you use Secrets Manager, you have the option of using private routes to IBM Cloud® service endpoints. Private routes are not accessible or reachable over the internet. By using the IBM Cloud private service endpoints feature, you can protect your data from threats from the public network and logically extend your private network.

Before you begin

You must first enable virtual routing and forwarding in your account, and then you can enable the use of IBM Cloud private service endpoints. For more information about setting up your account to support the private connectivity option, see Enabling VRF and service endpoints.

Keep in mind the following considerations:

  • You can select a service endpoint option for a Secrets Manager instance only at its creation.

Setting up private endpoints for Secrets Manager in the UI

After your account is enabled for VRF and service endpoints, you can provision a Secrets Manager service instance to connect over a private service endpoint.

  1. In the IBM Cloud console, go to the Secrets Manager offering details page.

  2. In the Create tab, select the region where you want to provision your instance.

  3. Review and select a pricing plan.

  4. Provide a name for your instance.

  5. Select a resource group.

  6. Determine an option for managing encryption for your instance.

    You can enhance the security of your secrets at rest by integrating with a key management service. For more information about customer-managed encryption, check out Protecting your sensitive data in Secrets Manager.

  7. Choose a network connectivity option. By default, newly provisioned Secrets Manager instances accept API requests over private-only endpoints.

  8. Click Create.

    Provisioning a Secrets Manager instance can take 5 - 15 minutes to complete.

Setting up private endpoints for Secrets Manager from the CLI

After your account is enabled for VRF and service endpoints, you can provision a Secrets Manager service instance to connect over a private service endpoint.

  1. In a terminal window, log in to IBM Cloud.

    ibmcloud login
    

    If the login fails, run the ibmcloud login --sso command to try again. The --sso parameter is required when you log in with a federated ID. If this option is used, go to the link listed in the CLI output to generate a one-time passcode.

  2. Select the account, region, and resource group where you want to create a Secrets Manager service instance.

    You can use the following command to set your target region and resource group.

    ibmcloud target -r <region_name> -g <resource_group_name>
    
  3. (Optional) Check whether your account is enabled for VRF and service endpoints.

    ibmcloud account show
    

    The following CLI output shows the account details of a VRF and service endpoint-enabled account.

    Retrieving account John Doe's Account of john.doe@email.com...
    OK
    
    Account ID:                   d154dfbd0bc2edefthyufffc9b5ca318
    Currently Targeted Account:   true
    Linked Softlayer Account:     1008967
    VRF Enabled:                  true
    Service Endpoint Enabled:     true
    

    For more information about enabling VRF and service endpoints in your account, see Enabling VRF and service endpoints.

  4. Create a Secrets Manager service instance by running the following command.

    ibmcloud resource service-instance-create <instance_name> secrets-manager <plan> <region> -p '{"allowed_network": "<connectivity-option>"}'
    
    Variable descriptions

      • plan: The pricing plan for the instance, for example trial.
      • region: The region abbreviation, such as us-south, for the geographic area where you want your Secrets Manager instance to be hosted and your requests processed. For a complete list of supported regions, see Regions and endpoints.
      • connectivity-option: The network connectivity option that you want to allow for your instance. To allow API requests over both public and private service endpoints, use public-and-private. To accept API requests only over the private network, use private-only. private-only is the default value.

  5. (Optional) Verify that the service instance was created successfully.

    ibmcloud resource service-instance <instance_name>
    

    Provisioning a Secrets Manager instance can take 5 - 15 minutes to complete.
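The CLI procedure above has two places where a mistake quietly weakens the result: skipping the account check in step 3, and mistyping the allowed_network value in step 4. The following shell helpers are an added example, not code from IBM Cloud Docs. They assume the `ibmcloud account show` text layout shown on this page and the `-p '{"allowed_network": ...}'` create parameter; the sample account output is constructed with fake account data, and DRY_RUN is a variable introduced here, not an ibmcloud feature.

```shell
#!/bin/sh
# Added example (not from IBM Cloud Docs): pre-flight checks for the CLI
# procedure above. Assumes the `ibmcloud account show` text layout shown on
# this page and the `-p '{"allowed_network": ...}'` create parameter.

# Return 0 only if the `ibmcloud account show` output passed in $1 reports
# both "VRF Enabled: true" and "Service Endpoint Enabled: true".
account_supports_private_endpoints() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*VRF Enabled:[[:space:]]+true[[:space:]]*$' &&
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Service Endpoint Enabled:[[:space:]]+true[[:space:]]*$'
}

# Print the -p JSON for a connectivity option; refuse anything other than the
# two values the service documents, so a typo cannot silently open the instance.
allowed_network_param() {
  case "$1" in
    private-only|public-and-private) printf '{"allowed_network": "%s"}' "$1" ;;
    *) echo "unsupported connectivity option: $1" >&2; return 1 ;;
  esac
}

# Gate the create command on the account check. $1 name, $2 plan, $3 region,
# $4 connectivity option (defaults to private-only). With DRY_RUN=1 (a variable
# defined by this script, not by ibmcloud) the command is printed, not executed.
provision_secrets_manager() {
  opt=${4:-private-only}
  param=$(allowed_network_param "$opt") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf "ibmcloud resource service-instance-create %s secrets-manager %s %s -p '%s'\n" \
      "$1" "$2" "$3" "$param"
    return 0
  fi
  acct=$(ibmcloud account show) || return 1
  if ! account_supports_private_endpoints "$acct"; then
    echo "account is not VRF and service-endpoint enabled; see Enabling VRF and service endpoints" >&2
    return 1
  fi
  ibmcloud resource service-instance-create "$1" secrets-manager "$2" "$3" -p "$param"
}

# Constructed sample outputs (fake account data) shaped like the page's example.
SAMPLE_READY='Retrieving account Example Account of user@example.com...
OK

Account ID:                   0123456789abcdef0123456789abcdef
Currently Targeted Account:   true
VRF Enabled:                  true
Service Endpoint Enabled:     true'

SAMPLE_NOT_READY='Account ID:                   0123456789abcdef0123456789abcdef
Currently Targeted Account:   true
VRF Enabled:                  true
Service Endpoint Enabled:     false'

# Usage (dry run, no CLI or login needed):
#   DRY_RUN=1 provision_secrets_manager my-secrets-manager trial us-south
```

Run the dry run first to review the exact command, then run the function without DRY_RUN from a logged-in, targeted session; it refuses to create the instance when the account does not report both flags as true, and refuses any connectivity option other than the two documented values.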

Connect to a private-only instance from outside of the IBM Cloud internal network

When you use a Secrets Manager instance with a private-only endpoint, you can connect to the instance only from the IBM Cloud internal network, through existing service integrations or from virtual machines that run there.
To connect to a private-only instance from, for example, a local workstation, select one of the following options.

Connect using a VM

Use this option for Secrets Manager instances provisioned in IBM Cloud Classic data centers, such as Dallas, Washington, Sao Paulo, London, Frankfurt, Madrid, Sydney, Tokyo, and Osaka.

  1. From the IBM Cloud catalog, search for "Virtual Server" and provision a virtual machine that matches your requirements.
  2. From your local workstation, log in to the VM by using its generated credentials.
  3. From within the VM, log in to IBM Cloud and use your Secrets Manager instance through the API or CLI.

Connect using a VPE gateway

This option is required for Secrets Manager instances provisioned in IBM Cloud Next Generation data centers. It can be used in other regions as well.

  1. Create a VPE gateway.
  2. Attach the VPE gateway to a new or existing VPC.
  3. Add your Secrets Manager instance to the VPC.
  4. Create a VSI in the same VPC and set it up.
  5. From your local workstation, log in to the VSI.
  6. From within the VSI, log in to IBM Cloud and use your Secrets Manager instance through the API or CLI.