Creating a Secrets Manager service instance
Get started with IBM Cloud® Secrets Manager by creating a service instance in IBM Cloud console, IBM Cloud CLI, or API.
Provisioning Secrets Manager in your IBM Cloud account can take 5 - 15 minutes to complete as the service creates a single tenant, dedicated instance.
Creating a Secrets Manager instance in the UI
To create an instance of Secrets Manager from the IBM Cloud console, complete the following steps.
- In the console, go to the Secrets Manager offering details page.
- In the Create tab, select the region that represents the geographic area where you want to provision your instance.
- Review and select a pricing plan.
  You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation.
- Provide a name for your instance.
- Select a resource group.
- Optional: Add tags to help you to organize the instance in your account.
- Determine an option for enabling customer-managed encryption for your instance.
  You can enhance the security of your secrets at rest by integrating with a key management service. For more information about customer-managed encryption, check out Protecting your sensitive data in Secrets Manager.
- Determine an option for connecting to Secrets Manager.
  To further protect your connection to Secrets Manager, you can choose to provision an instance that uses a private service endpoint. For more information about setting up your account to support the private connectivity option, see Enabling VRF and service endpoints.
- Click Create to create an instance of Secrets Manager in the account, region, and resource group that you selected.
To update your service plan after you create an instance, see Updating your service plan.
Creating a Secrets Manager instance from the CLI
To create an instance of Secrets Manager by using the IBM Cloud CLI, complete the following steps.
- Log in to IBM Cloud through the IBM Cloud CLI.
    ibmcloud login
  If the login fails, run the ibmcloud login --sso command to try again. The --sso parameter is required when you log in with a federated ID. If this option is used, go to the link listed in the CLI output to generate a one-time passcode.
- Select the account, region, and resource group where you want to create a Secrets Manager service instance.
    ibmcloud target -r <region> -g <resource_group_name>
- Create an instance of Secrets Manager within that account and resource group.
    ibmcloud resource service-instance-create <instance_name> secrets-manager <plan>
  Description of the information that is required to provision the Secrets Manager service using CLI
  | Variable | Description |
  | --- | --- |
  | Instance name (name) | A unique alias for your service instance. |
  | Pricing plan (plan) | The pricing plan that you want to use, provided as a plan ID. Use 869c191a-3c2a-4faf-98be-18d48f95ba1f for trial or 7713c3a8-3be8-4a9a-81bb-ee822fcaac3d for standard. |
  | Private endpoints | If you need to provision an instance of Secrets Manager that uses private endpoints only, you can append -p '{"allowed_network": "private-only"}' to your command. |
  | Encryption | To provision an instance of Secrets Manager that uses customer-managed encryption, append -p '{"kms_key": "<root_key_crn>"}'. Replace <root_key_crn> with the CRN value for the root key that you want to integrate. |
  You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation.
- Optional: Verify that the service instance was created successfully.
    ibmcloud resource service-instances
To update your service plan after you create an instance, see Updating your service plan.
Creating a Secrets Manager instance from API
To create an instance of Secrets Manager by using the API, complete the following steps.
For support in additional programming languages, see the Resource Controller API Docs.
- Obtain an IBM Cloud IAM access token.
- Run a curl command to provision an instance of Secrets Manager.
    curl -X POST https://resource-controller.cloud.ibm.com/v2/resource_instances \
      -H "Authorization: Bearer <IAM token>" \
      -H 'Content-Type: application/json' \
      -d '{
        "name": "<instance_name>",
        "target": "<region>",
        "resource_group": "<resource_group_id>",
        "resource_plan_id": "<plan>",
        "parameters": {"allowed_network": "private-only", "kms_key": "<root_key_crn>"}
      }'
  Description of the information that is required to provision the Secrets Manager service using API
  | Variable | Description |
  | --- | --- |
  | Instance name (name) | A unique alias for your service instance. |
  | Target (region) | The region the instance should be provisioned in. Supported regions: |
  | Pricing plan (plan) | The pricing plan that you want to use, provided as a plan ID. Use 869c191a-3c2a-4faf-98be-18d48f95ba1f for trial or 7713c3a8-3be8-4a9a-81bb-ee822fcaac3d for standard. |
  | Private endpoints | If you need to provision an instance of Secrets Manager that uses private endpoints only, keep the allowed_network parameter. |
  | Encryption | To provision an instance of Secrets Manager that uses customer-managed encryption, keep the kms_key parameter, and replace <root_key_crn> with the CRN value for the root key that you want to integrate. |
  You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation.
To update your service plan after you create an instance, see Updating your service plan.
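The following shell sketch is an added example, not IBM's code: it builds the parameters object and the request body for the API call above, rejecting values that would break the JSON, and sends the IAM token through curl's stdin config instead of the command line. The function names and the IAM_TOKEN environment variable are assumptions of this example; the parameters object has the same shape as the value that the CLI's -p option takes.

```sh
#!/bin/sh
# Added example, not IBM's code; function names are assumptions of this sketch.
SM_API="https://resource-controller.cloud.ibm.com/v2/resource_instances"

# True only for non-empty values that cannot break out of a JSON string.
json_safe() {
  case "$1" in
    ''|*[\"\\]*) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ]
}

# sm_parameters <private: yes|no> [root_key_crn]
# Prints one JSON object holding whichever of the two options were requested.
sm_parameters() {
  out=""
  if [ "$1" = "yes" ]; then out='"allowed_network": "private-only"'; fi
  if [ -n "$2" ]; then
    json_safe "$2" || return 1
    case "$2" in crn:*) ;; *) return 1 ;; esac   # a key CRN starts with "crn:"
    out="${out:+$out, }\"kms_key\": \"$2\""
  fi
  printf '{%s}' "$out"
}

# sm_request_body <name> <region> <resource_group_id> <plan_id> <parameters_json>
sm_request_body() {
  for v in "$1" "$2" "$3" "$4"; do json_safe "$v" || return 1; done
  printf '{"name": "%s", "target": "%s", "resource_group": "%s", ' "$1" "$2" "$3"
  printf '"resource_plan_id": "%s", "parameters": %s}' "$4" "$5"
}

# sm_provision <same arguments as sm_request_body>; reads IAM_TOKEN from the env.
sm_provision() {
  body=$(sm_request_body "$@") || return 1
  json_safe "${IAM_TOKEN:-}" || return 1
  # Feed the Authorization header through curl's stdin config so the bearer
  # token never appears in the process argument list.
  printf 'header = "Authorization: Bearer %s"\n' "$IAM_TOKEN" |
    curl --silent --show-error --fail --config - -X POST "$SM_API" \
      -H 'Content-Type: application/json' --data "$body"
}

# Usage:
#   params=$(sm_parameters yes "<root_key_crn>")
#   sm_provision "<instance_name>" "<region>" "<resource_group_id>" "<plan>" "$params"
```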
Upgrading a Secrets Manager instance to the Standard plan
When your Trial instance expires, you lose access to your secrets and integrations. To preserve your data and prevent any disruptions in your workflow, you must upgrade to the Standard plan before your Trial plan expires. Follow the steps to update your pricing plan. You can use the UI, API, and CLI to complete this process.