copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2024-10-10 |
automatically rotate, automatic rotation, set rotation policy |
secrets-manager |
{:codeblock: .codeblock} {:screen: .screen} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:gif: data-image-type='gif'} {:important: .important} {:note: .note} {:pre: .pre} {:tip: .tip} {:preview: .preview} {:deprecated: .deprecated} {:beta: .beta} {:term: .term} {:shortdesc: .shortdesc} {:script: data-hd-video='script'} {:support: data-reuse='support'} {:table: .aria-labeledby="caption"} {:troubleshoot: data-hd-content-type='troubleshoot'} {:help: data-hd-content-type='help'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms} {:video: .video} {:step: data-tutorial-type='step'} {:tutorial: data-hd-content-type='tutorial'} {:api: .ph data-hd-interface='api'} {:cli: .ph data-hd-interface='cli'} {:ui: .ph data-hd-interface='ui'} {:terraform: .ph data-hd-interface="terraform"} {:curl: .ph data-hd-programlang='curl'} {:java: .ph data-hd-programlang='java'} {:ruby: .ph data-hd-programlang='ruby'} {:c#: .ph data-hd-programlang='c#'} {:objectc: .ph data-hd-programlang='Objective C'} {:python: .ph data-hd-programlang='python'} {:javascript: .ph data-hd-programlang='javascript'} {:php: .ph data-hd-programlang='PHP'} {:swift: .ph data-hd-programlang='swift'} {:curl: .ph data-hd-programlang='curl'} {:dotnet-standard: .ph data-hd-programlang='dotnet-standard'} {:go: .ph data-hd-programlang='go'} {:unity: .ph data-hd-programlang='unity'} {:release-note: data-hd-content-type='release-note'}
{: #automatic-rotation}
You can schedule automatic rotation for secrets by using {{site.data.keyword.secrets-manager_full}}. {: shortdesc}
When you rotate a secret in your service instance, you create a new version of its value. By scheduling automatic rotation of your secrets at regular intervals, you can reduce the likelihood of compromise and ensure that your credentials never expire.
Automatic rotation is available only for secrets that are generated by {{site.data.keyword.secrets-manager_short}}. If the secret was imported initially, you must provide new secret data to rotate it. For more information, see Manually rotating secrets. {: note}
{: #before-auto-rotate}
Before you get started, be sure that you have the required level of access. To rotate secrets, you need the Writer service role or higher.
{: #before-auto-rotate-supported-secret-types}
Automatic rotation is supported for private certificates, public certificates, user credentials, and IAM credentials. Depending on the type of secret, automatic rotation takes place immediately on the date and time that you set, or it might need to complete a few additional steps before a new version of the secret can be created.
Type | Rotation description |
---|---|
Private certificates | The existing certificate value is replaced with new certificate content. The time-to-live (TTL) of the renewed certificate is set according to the certificate template that was selected when the certificate was first created. After the time-to-live (TTL) or validity period of a private certificate exceeds the validity period of its issuing certificate authority, the certificate can no longer be rotated automatically. |
Public certificates | Public certificates move to the Active, Rotation pending status to indicate that the request to renew the certificate is being processed. {{site.data.keyword.secrets-manager_short}} uses DNS validation to verify that you own the domains that are listed as part of the certificate. This process can take a few minutes to complete. If the validation completes successfully, a new certificate is issued and its status changes back to Active. If the validation doesn't complete successfully, the status of the certificate changes to Active, Rotation failed. |
User credentials | The existing password value is replaced with a randomly generated 32-character password that contains uppercase letters, lowercase letters, digits, and symbols. The username value does not change. |
IAM credentials | The Service ID's API key value is replaced with a new API key. The previous API key remains available for the remaining time in the defined TTL. |
Service credentials | The Service credential is replaced with a new one. The previous credential remains available for the remaining time in the defined TTL. |
{: caption="Describes how {{site.data.keyword.secrets-manager_short}} evaluates manual rotation by secret type" caption-side="top"} |
Note that in the case of service credentials created for Databases, if in addition to the credential you are also altering the database permissions for the created credential, these will not be synced once the service credential was rotated. When rotating a Databases service credential, this is considered an identity rotation. {: important}
{: #schedule-auto-rotate-ui} {: ui}
You can schedule the automatic rotation of secrets by using the {{site.data.keyword.secrets-manager_short}} UI.
{: #schedule-auto-rotate-password-ui}
If you prefer to schedule your passwords to be automatically rotated at regular intervals, you can enable automatic rotation for your user credentials at their creation. You can also enable auto rotation by editing the details of an existing secret.
If you need more control over the rotation frequency of a secret, you can use the {{site.data.keyword.secrets-manager_short}} API to set a custom interval by using day
or month
units of time. For more information, see the API reference.
{: tip}
- If you're adding a secret, enable the rotation option.
- If you're editing an existing secret, enable automatic rotation by updating its details.
When you update a secret's rotation settings, you trigger an immediate rotation. {: note}
{: #schedule-auto-rotate-public-cert-ui} {: ui}
If you prefer to schedule your public SSL/TLS certificates to be automatically renewed, you can enable automatic rotation for certificates when you order them. You can also enable auto rotation by editing the details of an existing certificate. In the certificate's next rotation cycle, {{site.data.keyword.secrets-manager_short}} begins attempting to reorder the certificate 31 days before its expiry date. The service continues to attempt to renew the certificate daily until it is successful.
-
If you're ordering a public certificate, enable the rotation options.
- To rotate the certificate automatically, switch the rotation toggle to On. Your certificate is automatically reordered 31 days before its expiration date.
- To request a new private key for the certificate on each rotation, switch the rekey toggle to On.
-
If you're editing an existing public certificate, schedule automatic rotation by updating its details.
{: #schedule-auto-rotate-private-cert-ui}
If you prefer to schedule your private SSL or TLS certificates to be automatically renewed, you can enable automatic rotation for certificates when you create them, or by editing the details of an existing certificate. The certificate must
-
If you're creating private certificates, enable the rotation options.
-
To rotate the certificate automatically, switch the rotation toggle to On.
-
Select an interval and unit that specifies the number of days between scheduled rotations.
Depending on the certificate template that is associated with your private certificate, some restrictions on the rotation interval for the certificate might apply. For example, the rotation interval can't exceed the time-to-live (TTL) that is defined in the template. For more information, see Certificate templates. {: note}
-
-
If you're editing an existing private certificate, schedule automatic rotation by updating its details.
{: #schedule-auto-rotate-iam-credentials-ui} {: ui}
If you prefer to schedule your API key to be automatically rotated at regular intervals, you can enable automatic rotation for your IAM credentials at their creation. You can also enable auto rotation by editing the details of an existing secret. Choose between a 30, 60, or 90-day rotation interval.
If you need more control over the rotation frequency of a secret, you can use the {{site.data.keyword.secrets-manager_short}} API to set a custom interval by using day
or month
units of time. For more information, see the API reference.
{: tip}
- If you're adding a secret, enable the rotation option by selecting a 30, 60, or 90-day rotation interval.
- If you're editing an existing secret, enable automatic rotation by updating its details.
Rotation is available only for IAM credentials where the reuse key is set to true
. The defined rotation interval cannot be higher than the defined time-to-live (TTL). You can set the TTL for secrets by using minute
units of time but rotation is not available for those secrets.
{: note}
{: #schedule-auto-rotate-service-credentials-ui} {: ui}
If you prefer to schedule your service credential to be automatically rotated at regular intervals, you can enable automatic rotation for your Service credentials at their creation. You can also enable auto rotation by editing the details of an existing secret. Choose between a 30, 60, or 90-day rotation interval.
If you need more control over the rotation frequency of a secret, you can use the {{site.data.keyword.secrets-manager_short}} API to set a custom interval by using day
or month
units of time. For more information, see the API reference.
{: tip}
- If you're adding a secret, enable the rotation option by selecting a 30, 60, or 90-day rotation interval.
- If you're editing an existing secret, enable automatic rotation by updating its details.
{: #schedule-auto-rotate-cli} {: cli}
You can schedule the automatic rotation of secrets by using the {{site.data.keyword.secrets-manager_short}} CLI plug-in.
{: #schedule-auto-rotate-password-cli} {: cli}
Schedule the automatic rotation for user credentials by using the ibmcloud secrets-manager secret-metadata-update
.
ibmcloud secrets-manager secret-metadata-update \
--id=SECRET_ID \
--rotation='{"auto_rotate": true,"interval": 30,"unit": "day"}'
{: pre}
To remove a policy, keep the resources block empty. {: note}
{: #schedule-auto-rotate-public-cert-cli} {: cli}
Schedule the automatic rotation for public certificates by using the ibmcloud secrets-manager secret-metadata-update
.
ibmcloud secrets-manager secret-metadata-update \
--id=SECRET_ID \
--rotation='{"auto_rotate": true, "rotate_keys": true}'
{: pre}
{: #schedule-auto-rotate-private-cert-cli} {: cli}
Schedule the automatic rotation for private certificates by using the ibmcloud secrets-manager secret-metadata-update
.
ibmcloud secrets-manager secret-metadata-update \
--id=SECRET_ID \
--rotation='{"auto_rotate": true,"interval": 30,"unit": "day"}'
{: pre}
{: #schedule-auto-rotate-iam-credentials-cli} {: cli}
Schedule the automatic rotation for IAM credentials by using the ibmcloud secrets-manager secret-metadata-update
.
ibmcloud secrets-manager secret-metadata-update \
--id=SECRET_ID \
--rotation='{"auto_rotate": true,"interval": 30,"unit": "day"}'
{: pre}
To remove a policy, keep the resources block empty. {: note}
{: #schedule-auto-rotate-service-credentials-cli} {: cli}
Schedule the automatic rotation for service credentials by using the ibmcloud secrets-manager secret-metadata-update
.
ibmcloud secrets-manager secret-metadata-update \
--id=SECRET_ID \
--rotation='{"auto_rotate": true,"interval": 30,"unit": "day"}'
{: pre}
To remove a policy, keep the resources block empty. {: note}
{: #schedule-auto-rotate-api} {: api}
You can schedule the automatic rotation of secrets by using the {{site.data.keyword.secrets-manager_short}} API.
{: #schedule-auto-rotate-password-api} {: api}
The following example request creates an automatic rotation policy for a user credentials (username_password
) secret. When you call the API, replace the ID variables and IAM token with the values that are specific to your {{site.data.keyword.secrets-manager_short}} instance.
{: curl}
curl -X PATCH
-H "Authorization: Bearer {iam_token}" \
-H "Accept: application/json" \
-H 'Content-Type: application/merge-patch+json' \
-d '{
"rotation": {
"auto_rotate": true,
"interval": 1,
"unit": "month"
}
}' \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/{id}/metadata"
{: codeblock} {: curl}
A successful response returns the ID value for the secret, along with other metadata. For more information about the required and optional request parameters, see the API reference.
To remove a policy, keep the resources block empty. {: note}
{: #schedule-auto-rotate-public-cert-api} {: api}
If you prefer to schedule your certificates to be automatically renewed, you can enable automatic rotation for certificates when you order them, or by editing the details of an existing certificate. In the certificate's next rotation cycle, {{site.data.keyword.secrets-manager_short}} reorders the certificate 31 days before its expiry date.
{: #order-auto-rotate-public-cert-api} {: api}
The following example request orders a certificate with automatic rotation enabled. When you call the API, set the auto_rotate
property to true
. Optionally, you can set rotate_keys
to true
to request a new private key for the certificate on each rotation.
{: curl}
curl -X POST
-H "Authorization: Bearer {iam_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
"custom_metadata": {
"metadata_custom_key": "metadata_custom_value"
},
"rotation": {
"auto_rotate": true,
"rotate_keys": true
},
"version_custom_metadata": {
"custom_version_key": "custom_version_value"
}
}' \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets"
{: codeblock} {: curl}
A successful response returns the ID value for the certificate, along with other metadata. For more information about the required and optional request parameters, check out the API reference.
{: #schedule-auto-rotate-iam-credentials-api} {: api}
The following example request creates an automatic rotation policy for a IAM credentials (iam_credentials
) secret. When you call the API, replace the ID variables and IAM token with the values that are specific to your {{site.data.keyword.secrets-manager_short}} instance.
{: curl}
curl -X PATCH
-H "Authorization: Bearer {iam_token}" \
-H "Accept: application/json" \
-H 'Content-Type: application/merge-patch+json' \
-d '{
"rotation": {
"auto_rotate": true,
"interval": 30,
"unit": "day"
}
}' \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/{id}/metadata"
{: codeblock} {: curl}
To remove a policy, keep the resources block empty. {: note}
A successful response returns the ID value for the secret, along with other metadata. For more information about the required and optional request parameters, see the API reference.
The defined rotation interval cannot be higher than the defined time-to-live.
Rotation is available only for IAM credentials where the Re-use key is set to true
. You can set the TTL for secrets by using minute
units of time but rotation is not available for those secrets.
{: note}
{: #schedule-auto-rotate-service-credentials-api} {: api}
The following example request creates an automatic rotation policy for a Service credential (service_credentials
) secret. When you call the API, replace the ID variables and IAM token with the values that are specific to your {{site.data.keyword.secrets-manager_short}} instance.
{: curl}
curl -X PATCH
-H "Authorization: Bearer {iam_token}" \
-H "Accept: application/json" \
-H 'Content-Type: application/merge-patch+json' \
-d '{
"rotation": {
"auto_rotate": true,
"interval": 30,
"unit": "day"
}
}' \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/secrets/{id}/metadata"
{: codeblock} {: curl}
To remove a policy, keep the resources block empty. {: note}
A successful response returns the ID value for the secret, along with other metadata. For more information about the required and optional request parameters, see the API reference.
The defined rotation interval cannot be higher than the defined time-to-live. {: note}