IBM Cloud Docs
Part 1: Enable notifications for Secrets Manager

This tutorial is part 1 of a 3-part tutorial series that guides you through setting up alerts for your expiring secrets.

By integrating with the IBM Cloud® Event Notifications service, Secrets Manager can notify you in advance when your secrets or certificates are about to expire. You can use webhooks to route the alerts to your preferred destinations, such as GitHub or Slack. For example, consider the following scenario.

The diagram shows the basic flow between the Secrets Manager and Event Notifications services.
Figure 1. Notifications flow

  1. You have a certificate that expires in 10 days.
  2. Secrets Manager generates and forwards the event to the Event Notifications service.
  3. Event Notifications routes your notification data to Cloud Functions by using a webhook URL.
  4. Cloud Functions uses your incoming notification data to create a GitHub issue and post to a Slack channel.

Before you begin

Before you get started, be sure that you have Editor platform access or higher so that you can provision services in your account.

Set up your environment

To work with Secrets Manager and Event Notifications, you need to create instances of both services in your IBM Cloud account.

Already have instances of both services in your account? Verify that you have Manager service access or higher on both services so that you can update settings in your instances.

  1. Log in to the IBM Cloud console.
  2. Go to the IBM Cloud catalog.
  3. Create a Secrets Manager service instance.
  4. Create an Event Notifications service instance.

Connect your Secrets Manager and Event Notifications instances

Start by connecting your Event Notifications and Secrets Manager instances to enable lifecycle notifications for Secrets Manager. You can use the Settings > Event Notifications section in the Secrets Manager UI to connect the services.

The image shows the Event Notifications screen in the Secrets Manager UI.
Figure 1. Connecting to Event Notifications

Create a test webhook URL

Now that your services are connected, you can prepare a workflow for your generated notifications.

Before you can forward alerts to GitHub and Slack, you need a delivery channel that can receive and process your incoming notification data. Event Notifications supports delivery to webhooks. With a webhook, you can build simple workflows that help you to receive and process HTTP requests between different sets of APIs. For example, a webhook can receive the contents of a Secrets Manager event notification, which you can then consume programmatically and pass to the GitHub and Slack APIs.

In this tutorial, you use Webhook.site to quickly create a webhook URL that you can use to test your notification flow.

Webhook.site is an open source tool that is not maintained by IBM. For more information about this tool or to troubleshoot any issues, refer to the Webhook.site documentation.

  1. In a new browser tab, go to Webhook.site.
  2. Copy your unique URL and keep the browser tab open. You'll use your webhook URL in a later step.

Update your Event Notifications settings

After you connect the services and create a test webhook URL, update your Event Notifications settings so that the service knows how to route incoming events from Secrets Manager. You need to create a topic, a destination, and a subscription in Event Notifications so that the events that Secrets Manager generates are forwarded to your test webhook URL.

  1. In the IBM Cloud console, go to your Event Notifications instance.

  2. Create a topic that filters for Secrets Manager events.

    1. From the navigation, click Topics > Create.
    2. In the Topic details section, provide a name for your topic. For example, Secrets about to expire.
    3. In the Sources section, select your Secrets Manager service instance.
    4. From the list of event types, select the Secrets about to expire and Test event event types.
    5. Click Create.
  3. Create a destination so that your alerts can be forwarded to the webhook that you created in the previous step.

    1. From the navigation, click Destinations > Add.
    2. Provide a name for your destination. For example, Test webhook.
    3. Select Webhook as the destination type.
    4. Paste the URL that you copied from Webhook.site.
    5. From the list of HTTP verbs, select POST.
    6. Click Add.
  4. Create a subscription between the topic and destination.

    1. From the navigation, click Subscriptions > Create.
    2. Provide a name for your subscription. For example, test-secrets-webhook.
    3. Select the topic that you created in the previous step.
    4. Select the destination that you created in the previous step.
    5. Click Create.

Test your workflow

Finally, generate a test Secrets Manager event to validate your full workflow. You can use the Settings > Event Notifications section in the Secrets Manager UI to send a test event.

The image shows the Event Notifications screen in the Secrets Manager UI.
Figure 2. Sending a test event to Event Notifications

Verify delivery to your webhook URL

In your Webhook.site page, verify that you received the details of your test notification from Secrets Manager. A test notification contains example data and looks similar to the following.

{
  "data": {
    "event_type": "test_event",
    "secret_type": "test_secret_type",
    "secrets": [
      {
        "event_time": "2022-01-17T00:12:30Z",
        "secret_group_id": "default",
        "secret_id": "12345678-9012-3456-7890-123456789012",
        "secret_name": "test_secret_name"
      }
    ],
    "source_instance_api_private_url": "https://<your_instance_id>.private.us-south.secrets-manager.appdomain.cloud/api",
    "source_instance_api_public_url": "https://<your_instance_id>.us-south.secrets-manager.appdomain.cloud/api",
    "source_instance_crn": "crn:v1:bluemix:public:secrets-manager:us-south:a/<your_account_id>:<your_instance_id>::",
    "source_instance_dashboard_url": "https://cloud.ibm.com/services/secrets-manager/crn%3Av1%3Abluemix%3Apublic%3Asecrets-manager%3Aus-south%3Aa%2F<your_account_id>%3A<your_instance_id>%3A%3A",
    "source_service": "SecretsManager"
  }
}

For more information about the properties that are sent as part of the notification payload, see Notification payload details.
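As an added example that is not part of the IBM tutorial, the following Python receiver parses the payload shown above the way the webhook in part 2 will need to: because a webhook URL is reachable by anyone who learns it, the receiver checks the source_service and source_instance_crn fields before acting on an event, then flattens the secrets array into alert records for GitHub or Slack. The sample payload and EXPECTED_INSTANCE_CRN are constructed placeholders, not values from a real instance.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the test-event payload shape shown above, with
# placeholder account and instance IDs (not a real instance).
SAMPLE_PAYLOAD = json.dumps({
    "data": {
        "event_type": "test_event",
        "secret_type": "test_secret_type",
        "secrets": [{
            "event_time": "2022-01-17T00:12:30Z",
            "secret_group_id": "default",
            "secret_id": "12345678-9012-3456-7890-123456789012",
            "secret_name": "test_secret_name",
        }],
        "source_instance_crn": "crn:v1:bluemix:public:secrets-manager:us-south:a/ACCOUNT_ID:INSTANCE_ID::",
        "source_instance_dashboard_url": "https://cloud.ibm.com/services/secrets-manager/INSTANCE_CRN",
        "source_service": "SecretsManager",
    }
})

# Assumed: the CRN of the one Secrets Manager instance this receiver serves.
EXPECTED_INSTANCE_CRN = "crn:v1:bluemix:public:secrets-manager:us-south:a/ACCOUNT_ID:INSTANCE_ID::"


def parse_notification(body, expected_crn=EXPECTED_INSTANCE_CRN):
    """Validate a Secrets Manager notification and flatten it into alerts.

    Only payloads whose source fields match the configured instance are
    accepted. Returns {"accepted", "reason", "is_test", "alerts"}.
    """
    data = json.loads(body).get("data", {})
    rejected = {"accepted": False, "is_test": False, "alerts": []}
    if data.get("source_service") != "SecretsManager":
        return dict(rejected, reason="unexpected source_service")
    if data.get("source_instance_crn") != expected_crn:
        return dict(rejected, reason="payload not from the expected instance")
    alerts = []
    for s in data.get("secrets", []):
        # event_time is an RFC 3339 UTC timestamp; parse it once so downstream
        # code can age-check it or format it for an issue or chat message.
        when = datetime.strptime(s["event_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        alerts.append({
            "title": f"[{data['event_type']}] {s['secret_name']} ({data['secret_type']})",
            "secret_id": s["secret_id"],
            "secret_group_id": s["secret_group_id"],
            "event_time": when,
            "link": data.get("source_instance_dashboard_url", ""),
        })
    return {"accepted": True, "reason": "", "is_test": data.get("event_type") == "test_event", "alerts": alerts}
```

A real receiver would also keep the webhook URL secret and treat is_test events as a connectivity check rather than raising an issue for them.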

Next steps

Great job! In part 1 of this tutorial series, you learned how to set up Secrets Manager and Event Notifications to route events to a test webhook URL. In part 2, you replace your test webhook with a Cloud Function webhook URL, and more.