Skip to content

Latest commit

 

History

History
415 lines (309 loc) · 21.8 KB

secret-rotate-auto.md

File metadata and controls

415 lines (309 loc) · 21.8 KB
copyright lastupdated keywords subcollection
years
2020, 2024
2024-10-10
automatically rotate, automatic rotation, set rotation policy
secrets-manager

{:codeblock: .codeblock} {:screen: .screen} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:gif: data-image-type='gif'} {:important: .important} {:note: .note} {:pre: .pre} {:tip: .tip} {:preview: .preview} {:deprecated: .deprecated} {:beta: .beta} {:term: .term} {:shortdesc: .shortdesc} {:script: data-hd-video='script'} {:support: data-reuse='support'} {:table: .aria-labeledby="caption"} {:troubleshoot: data-hd-content-type='troubleshoot'} {:help: data-hd-content-type='help'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms} {:video: .video} {:step: data-tutorial-type='step'} {:tutorial: data-hd-content-type='tutorial'} {:api: .ph data-hd-interface='api'} {:cli: .ph data-hd-interface='cli'} {:ui: .ph data-hd-interface='ui'} {:terraform: .ph data-hd-interface="terraform"} {:curl: .ph data-hd-programlang='curl'} {:java: .ph data-hd-programlang='java'} {:ruby: .ph data-hd-programlang='ruby'} {:c#: .ph data-hd-programlang='c#'} {:objectc: .ph data-hd-programlang='Objective C'} {:python: .ph data-hd-programlang='python'} {:javascript: .ph data-hd-programlang='javascript'} {:php: .ph data-hd-programlang='PHP'} {:swift: .ph data-hd-programlang='swift'} {:curl: .ph data-hd-programlang='curl'} {:dotnet-standard: .ph data-hd-programlang='dotnet-standard'} {:go: .ph data-hd-programlang='go'} {:unity: .ph data-hd-programlang='unity'} {:release-note: data-hd-content-type='release-note'}

Automatically rotating secrets

{: #automatic-rotation}

You can schedule automatic rotation for secrets by using {{site.data.keyword.secrets-manager_full}}. {: shortdesc}

When you rotate a secret in your service instance, you create a new version of its value. By scheduling automatic rotation of your secrets at regular intervals, you can reduce the likelihood of compromise and ensure that your credentials never expire.

Automatic rotation is available only for secrets that are generated by {{site.data.keyword.secrets-manager_short}}. If the secret was imported initially, you must provide new secret data to rotate it. For more information, see Manually rotating secrets. {: note}

Before you begin

{: #before-auto-rotate}

Before you get started, be sure that you have the required level of access. To rotate secrets, you need the Writer service role or higher.

Supported secret types

{: #before-auto-rotate-supported-secret-types}

Automatic rotation is supported for private certificates, public certificates, user credentials, and IAM credentials. Depending on the type of secret, automatic rotation takes place immediately on the date and time that you set, or it might need to complete a few additional steps before a new version of the secret can be created.

Type Rotation description
Private certificates The existing certificate value is replaced with new certificate content. The time-to-live (TTL) of the renewed certificate is set according to the certificate template that was selected when the certificate was first created.

After the time-to-live (TTL) or validity period of a private certificate exceeds the validity period of its issuing certificate authority, the certificate can no longer be rotated automatically.

Public certificates Public certificates move to the Active, Rotation pending status to indicate that the request to renew the certificate is being processed. {{site.data.keyword.secrets-manager_short}} uses DNS validation to verify that you own the domains that are listed as part of the certificate. This process can take a few minutes to complete. If the validation completes successfully, a new certificate is issued and its status changes back to Active. If the validation doesn't complete successfully, the status of the certificate changes to Active, Rotation failed.
User credentials The existing password value is replaced with a randomly generated 32-character password that contains uppercase letters, lowercase letters, digits, and symbols. The username value does not change.
IAM credentials The Service ID's API key value is replaced with a new API key. The previous API key remains available for the remaining time in the defined TTL.
Service credentials The Service credential is replaced with a new one. The previous credential remains available for the remaining time in the defined TTL.
{: caption="Describes how {{site.data.keyword.secrets-manager_short}} evaluates manual rotation by secret type" caption-side="top"}

Note that in the case of service credentials created for Databases, if in addition to the credential you are also altering the database permissions for the created credential, these will not be synced once the service credential was rotated. When rotating a Databases service credential, this is considered an identity rotation. {: important}

Scheduling automatic rotation in the UI

{: #schedule-auto-rotate-ui} {: ui}

You can schedule the automatic rotation of secrets by using the {{site.data.keyword.secrets-manager_short}} UI.

Setting an automatic rotation policy for user credentials

{: #schedule-auto-rotate-password-ui}

If you prefer to schedule your passwords to be automatically rotated at regular intervals, you can enable automatic rotation for your user credentials at their creation. You can also enable auto rotation by editing the details of an existing secret.

If you need more control over the rotation frequency of a secret, you can use the {{site.data.keyword.secrets-manager_short}} API to set a custom interval by using day or month units of time. For more information, see the API reference. {: tip}

  1. If you're adding a secret, enable the rotation option.
  2. If you're editing an existing secret, enable automatic rotation by updating its details.
    1. In the Secrets table, view a list of your existing secrets.
    2. In the row for the secret that you want to edit, click the Actions menu Actions icon > Edit details.
    3. Use the Automatic rotation option to enable or disable automatic rotation for the secret.

When you update a secret's rotation settings, you trigger an immediate rotation. {: note}

Setting an automatic rotation policy for public certificates

{: #schedule-auto-rotate-public-cert-ui} {: ui}

If you prefer to schedule your public SSL/TLS certificates to be automatically renewed, you can enable automatic rotation for certificates when you order them. You can also enable auto rotation by editing the details of an existing certificate. In the certificate's next rotation cycle, {{site.data.keyword.secrets-manager_short}} begins attempting to reorder the certificate 31 days before its expiry date. The service continues to attempt to renew the certificate daily until it is successful.

  1. If you're ordering a public certificate, enable the rotation options.

    1. To rotate the certificate automatically, switch the rotation toggle to On. Your certificate is automatically reordered 31 days before its expiration date.
    2. To request a new private key for the certificate on each rotation, switch the rekey toggle to On.
  2. If you're editing an existing public certificate, schedule automatic rotation by updating its details.

    1. In the Secrets table, view a list of your existing Public certificates.
    2. In the row for the certificate that you want to edit, click the Actions menu Actions icon > Edit details.
    3. Use the Automatic rotation option to add or remove a rotation policy for the secret.

Setting an automatic rotation policy for private certificates

{: #schedule-auto-rotate-private-cert-ui}

If you prefer to schedule your private SSL or TLS certificates to be automatically renewed, you can enable automatic rotation for certificates when you create them, or by editing the details of an existing certificate. The certificate must

  1. If you're creating private certificates, enable the rotation options.

    1. To rotate the certificate automatically, switch the rotation toggle to On.

    2. Select an interval and unit that specifies the number of days between scheduled rotations.

      Depending on the certificate template that is associated with your private certificate, some restrictions on the rotation interval for the certificate might apply. For example, the rotation interval can't exceed the time-to-live (TTL) that is defined in the template. For more information, see Certificate templates. {: note}

  2. If you're editing an existing private certificate, schedule automatic rotation by updating its details.

    1. In the Secrets table, view a list of your existing Private certificates.
    2. In the row for the certificate that you want to edit, click the Actions menu Actions icon > Edit details.
    3. Use the Automatic rotation option to add or remove a rotation policy for the secret.

Setting an automatic rotation policy for IAM credentials

{: #schedule-auto-rotate-iam-credentials-ui} {: ui}

If you prefer to schedule your API key to be automatically rotated at regular intervals, you can enable automatic rotation for your IAM credentials at their creation. You can also enable auto rotation by editing the details of an existing secret. Choose between a 30, 60, or 90-day rotation interval.

If you need more control over the rotation frequency of a secret, you can use the {{site.data.keyword.secrets-manager_short}} API to set a custom interval by using day or month units of time. For more information, see the API reference. {: tip}

  1. If you're adding a secret, enable the rotation option by selecting a 30, 60, or 90-day rotation interval.
  2. If you're editing an existing secret, enable automatic rotation by updating its details.
    1. In the Secrets table, view a list of your existing secrets.
    2. In the row for the secret that you want to edit, click the Actions menu Actions icon > Edit details.
    3. Use the Automatic rotation option to enable or disable automatic rotation for the secret.

Rotation is available only for IAM credentials where the reuse key is set to true. The defined rotation interval cannot be higher than the defined time-to-live (TTL). You can set the TTL for secrets by using minute units of time but rotation is not available for those secrets. {: note}

Setting an automatic rotation policy for Service credentials

{: #schedule-auto-rotate-service-credentials-ui} {: ui}

If you prefer to schedule your service credential to be automatically rotated at regular intervals, you can enable automatic rotation for your Service credentials at their creation. You can also enable auto rotation by editing the details of an existing secret. Choose between a 30, 60, or 90-day rotation interval.

If you need more control over the rotation frequency of a secret, you can use the {{site.data.keyword.secrets-manager_short}} API to set a custom interval by using day or month units of time. For more information, see the API reference. {: tip}

  1. If you're adding a secret, enable the rotation option by selecting a 30, 60, or 90-day rotation interval.
  2. If you're editing an existing secret, enable automatic rotation by updating its details.
    1. In the Secrets table, view a list of your existing secrets.
    2. In the row for the secret that you want to edit, click the Actions menu Actions icon > Edit details.
    3. Use the Automatic rotation option to enable or disable automatic rotation for the secret.

Scheduling automatic rotation from the CLI

{: #schedule-auto-rotate-cli} {: cli}

You can schedule the automatic rotation of secrets by using the {{site.data.keyword.secrets-manager_short}} CLI plug-in.

Setting an automatic rotation policy for user credentials

{: #schedule-auto-rotate-password-cli} {: cli}

Schedule the automatic rotation for user credentials by using the ibmcloud secrets-manager secret-metadata-update.

ibmcloud secrets-manager secret-metadata-update \
    --id=SECRET_ID \
    --rotation='{"auto_rotate": true,"interval": 30,"unit": "day"}'

{: pre}

To remove a policy, keep the resources block empty. {: note}

Setting an automatic rotation policy for public certificates

{: #schedule-auto-rotate-public-cert-cli} {: cli}

Schedule the automatic rotation for public certificates by using the ibmcloud secrets-manager secret-metadata-update.

ibmcloud secrets-manager secret-metadata-update \
    --id=SECRET_ID \
    --rotation='{"auto_rotate": true, "rotate_keys": true}'

{: pre}

Setting an automatic rotation policy for private certificates

{: #schedule-auto-rotate-private-cert-cli} {: cli}

Schedule the automatic rotation for private certificates by using the ibmcloud secrets-manager secret-metadata-update.

ibmcloud secrets-manager secret-metadata-update \
    --id=SECRET_ID \
    --rotation='{"auto_rotate": true,"interval": 30,"unit": "day"}'

{: pre}

Setting an automatic rotation policy for IAM credentials

{: #schedule-auto-rotate-iam-credentials-cli} {: cli}

Schedule the automatic rotation for IAM credentials by using the ibmcloud secrets-manager secret-metadata-update.

ibmcloud secrets-manager secret-metadata-update \
    --id=SECRET_ID \
    --rotation='{"auto_rotate": true,"interval": 30,"unit": "day"}'

{: pre}

To remove a policy, keep the resources block empty. {: note}

Setting an automatic rotation policy for Service credentials

{: #schedule-auto-rotate-service-credentials-cli} {: cli}

Schedule the automatic rotation for service credentials by using the ibmcloud secrets-manager secret-metadata-update.

ibmcloud secrets-manager secret-metadata-update \
    --id=SECRET_ID \
    --rotation='{"auto_rotate": true,"interval": 30,"unit": "day"}'

{: pre}

To remove a policy, keep the resources block empty. {: note}

Scheduling automatic rotation with the API

{: #schedule-auto-rotate-api} {: api}

You can schedule the automatic rotation of secrets by using the {{site.data.keyword.secrets-manager_short}} API.

Setting an automatic rotation policy for user credentials

{: #schedule-auto-rotate-password-api} {: api}

The following example request creates an automatic rotation policy for a user credentials (username_password) secret. When you call the API, replace the ID variables and IAM token with the values that are specific to your {{site.data.keyword.secrets-manager_short}} instance. {: curl}

curl -X PATCH 
   -H "Authorization: Bearer {iam_token}" \
   -H "Accept: application/json" \
   -H 'Content-Type: application/merge-patch+json' \
   -d '{
            "rotation": {
               "auto_rotate": true,
               "interval": 1, 
               "unit": "month"
            } 
         }' \ 
      "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/{id}/metadata"

{: codeblock} {: curl}

A successful response returns the ID value for the secret, along with other metadata. For more information about the required and optional request parameters, see the API reference.

To remove a policy, keep the resources block empty. {: note}

Setting an automatic rotation policy for public certificates

{: #schedule-auto-rotate-public-cert-api} {: api}

If you prefer to schedule your certificates to be automatically renewed, you can enable automatic rotation for certificates when you order them, or by editing the details of an existing certificate. In the certificate's next rotation cycle, {{site.data.keyword.secrets-manager_short}} reorders the certificate 31 days before its expiry date.

Ordering a public certificate that renews automatically

{: #order-auto-rotate-public-cert-api} {: api}

The following example request orders a certificate with automatic rotation enabled. When you call the API, set the auto_rotate property to true. Optionally, you can set rotate_keys to true to request a new private key for the certificate on each rotation. {: curl}

curl -X POST 
   -H "Authorization: Bearer {iam_token}" \
   -H "Accept: application/json" \
   -H "Content-Type: application/json" \
   -d '{
         "custom_metadata": {
            "metadata_custom_key": "metadata_custom_value"
         },
         "rotation": {
            "auto_rotate": true,
            "rotate_keys": true
         },
         "version_custom_metadata": {
            "custom_version_key": "custom_version_value"
         }
      }' \ 
   "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets"

{: codeblock} {: curl}

A successful response returns the ID value for the certificate, along with other metadata. For more information about the required and optional request parameters, check out the API reference.

Setting an automatic rotation policy for IAM credentials

{: #schedule-auto-rotate-iam-credentials-api} {: api}

The following example request creates an automatic rotation policy for a IAM credentials (iam_credentials) secret. When you call the API, replace the ID variables and IAM token with the values that are specific to your {{site.data.keyword.secrets-manager_short}} instance. {: curl}

curl -X PATCH 
   -H "Authorization: Bearer {iam_token}" \
   -H "Accept: application/json" \
   -H 'Content-Type: application/merge-patch+json' \
   -d '{
          "rotation": {
            "auto_rotate": true,
            "interval": 30,
            "unit": "day"
          } 
         }' \ 
      "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/{id}/metadata"

{: codeblock} {: curl}

To remove a policy, keep the resources block empty. {: note}

A successful response returns the ID value for the secret, along with other metadata. For more information about the required and optional request parameters, see the API reference.

The defined rotation interval cannot be higher than the defined time-to-live. Rotation is available only for IAM credentials where the Re-use key is set to true. You can set the TTL for secrets by using minute units of time but rotation is not available for those secrets. {: note}

Setting an automatic rotation policy for Service credentials

{: #schedule-auto-rotate-service-credentials-api} {: api}

The following example request creates an automatic rotation policy for a Service credential (service_credentials) secret. When you call the API, replace the ID variables and IAM token with the values that are specific to your {{site.data.keyword.secrets-manager_short}} instance. {: curl}

curl -X PATCH 
   -H "Authorization: Bearer {iam_token}" \
   -H "Accept: application/json" \
   -H 'Content-Type: application/merge-patch+json' \
   -d '{
          "rotation": {
            "auto_rotate": true,
            "interval": 30,
            "unit": "day"
          } 
         }' \ 
      "https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/{id}/metadata"

{: codeblock} {: curl}

To remove a policy, keep the resources block empty. {: note}

A successful response returns the ID value for the secret, along with other metadata. For more information about the required and optional request parameters, see the API reference.

The defined rotation interval cannot be higher than the defined time-to-live. {: note}