Using service endpoints to privately connect to Secrets Manager

To ensure that you have enhanced control and security over your data when you use Secrets Manager, you have the option of using private routes to IBM Cloud® service endpoints. Private routes are not accessible or reachable over the internet. By using the IBM Cloud private service endpoints feature, you can protect your data from threats from the public network and logically extend your private network.

Before you begin

You must first enable virtual routing and forwarding in your account, and then you can enable the use of IBM Cloud private service endpoints. For more information about setting up your account to support the private connectivity option, see Enabling VRF and service endpoints.

Keep in mind the following considerations:

  • You can select a service endpoint option for a Secrets Manager instance only at its creation.
  • The Secrets Manager service UI is not accessible for Private only instances.

Setting up private endpoints for Secrets Manager in the UI

After your account is enabled for VRF and service endpoints, you can provision a Secrets Manager service instance to connect over a private service endpoint.

  1. In the IBM Cloud console, go to the Secrets Manager offering details page.

  2. In the Create tab, select the region where you want to provision your instance.

  3. Review and select a pricing plan.

  4. Provide a name for your instance.

  5. Select a resource group.

  6. Determine an option for managing encryption for your instance.

    You can enhance the security of your secrets at rest by integrating with a key management service. For more information about customer-managed encryption, check out Protecting your sensitive data in Secrets Manager.

  7. From the list of endpoint options, select Public and private or Private only.

    By default, Secrets Manager instances accept API requests from both public and private endpoints. To limit access to your instance to take place only through a private network, select the Private only option. Keep in mind that the Secrets Manager service UI is not accessible for Private only instances.

  8. Click Create.

    Provisioning a Secrets Manager instance can take 5 - 15 minutes to complete.

Setting up private endpoints for Secrets Manager from the CLI

After your account is enabled for VRF and service endpoints, you can provision a Secrets Manager service instance to connect over a private service endpoint.

  1. In a terminal window, log in to IBM Cloud.

    ibmcloud login
    

    If the login fails, run the ibmcloud login --sso command to try again. The --sso parameter is required when you log in with a federated ID. When you use this option, open the link listed in the CLI output to generate a one-time passcode.

  2. Select the account, region, and resource group where you want to create a Secrets Manager service instance.

    You can use the following command to set your target region and resource group.

    ibmcloud target -r <region_name> -g <resource_group_name>
    
  3. (Optional) Check whether your account is enabled for VRF and service endpoints.

    ibmcloud account show
    

    The following CLI output shows the account details of a VRF and service endpoint-enabled account.

    Retrieving account John Doe's Account of john.doe@email.com...
    OK
    
    Account ID:                   d154dfbd0bc2edefthyufffc9b5ca318
    Currently Targeted Account:   true
    Linked Softlayer Account:     1008967
    VRF Enabled:                  true
    Service Endpoint Enabled:     true
    

    For more information about enabling VRF and service endpoints in your account, see Enabling VRF and service endpoints.

  4. Create a private Secrets Manager service instance by running the following command.

    ibmcloud resource service-instance-create <instance_name> secrets-manager lite <region> -p '{"allowed_network": "<connectivity-option>"}'
    
    Table 1. Variable descriptions

    Variable             Description
    region               The region abbreviation, such as us-south, that represents the geographic area where you want your Secrets Manager instance to be handled and processed. For a complete list of supported regions, see Regions and endpoints.
    connectivity-option  The network connectivity option that you want to allow for your instance. To allow access to the instance over both public and private service endpoints, use public-and-private. To limit API requests to the instance to take place only through a private network, use private-only. Keep in mind that the Secrets Manager service UI is not accessible for private-only instances.

  5. (Optional) Verify that the service instance was created successfully.

    ibmcloud resource service-instance <instance_name>
    

    Provisioning a Secrets Manager instance can take 5 - 15 minutes to complete.
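    The CLI steps above, wrapped as a small preflight script. This is an added example, not part of the IBM Cloud documentation: it parses the `ibmcloud account show` output for the VRF and service endpoint flags, fails closed if either is missing or not true, and only then issues the private-only create command. It assumes the output layout shown in step 3; the instance name and region passed to `create_private_instance` are placeholders, and the script only contacts IBM Cloud when the `ibmcloud` CLI is installed and `DRY_RUN` is unset.

```shell
#!/bin/sh
# Added example (not from the IBM Cloud docs): preflight checks before creating
# a private-only Secrets Manager instance from the CLI.

# $1 = text of `ibmcloud account show`. Succeeds only when BOTH flags read
# "true"; a missing field (e.g. an account never enabled) also fails.
account_ready() {
  printf '%s\n' "$1" | grep -Eq '^VRF Enabled:[[:space:]]+true[[:space:]]*$' &&
  printf '%s\n' "$1" | grep -Eq '^Service Endpoint Enabled:[[:space:]]+true[[:space:]]*$'
}

# Map a connectivity option to the -p JSON for service-instance-create.
# Only the two values Secrets Manager documents are accepted.
allowed_network_param() {
  case "$1" in
    public-and-private|private-only)
      printf '{"allowed_network": "%s"}' "$1" ;;
    *)
      echo "unknown option: $1 (use public-and-private or private-only)" >&2
      return 1 ;;
  esac
}

# Sample `ibmcloud account show` output, copied from the page's example.
SAMPLE_ACCOUNT='Account ID:                   d154dfbd0bc2edefthyufffc9b5ca318
Currently Targeted Account:   true
Linked Softlayer Account:     1008967
VRF Enabled:                  true
Service Endpoint Enabled:     true'

# $1 = instance name, $2 = region (placeholders). Creates a private-only
# instance and then shows it (step 5). Prints the command instead when the
# CLI is absent or DRY_RUN is set, so it can be inspected offline.
create_private_instance() {
  param=$(allowed_network_param private-only) || return 1
  if command -v ibmcloud >/dev/null 2>&1 && [ -z "$DRY_RUN" ]; then
    account_ready "$(ibmcloud account show)" ||
      { echo "enable VRF and service endpoints first" >&2; return 1; }
    ibmcloud resource service-instance-create "$1" secrets-manager lite "$2" \
      -p "$param" && ibmcloud resource service-instance "$1"
  else
    echo "dry run: ibmcloud resource service-instance-create $1" \
         "secrets-manager lite $2 -p '$param'"
  fi
}
```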

Viewing your endpoint URLs

The service endpoint URLs are different for private and public network connections. You can find your service endpoint URLs in the Endpoints page of the Secrets Manager UI. For more information about retrieving your service endpoint URLs programmatically, see Regions and endpoints.