Managing secrets by using the CLI

You can create internal or external secrets in IBM Hybrid Cloud Mesh (Mesh). Before you create secrets, you must configure the Mesh secrets manager.

By default, a secret that you create in Mesh is stored in the Mesh secrets manager, which is an internal secrets manager. To store secrets in an external secrets manager instead, you must first configure the Mesh secrets manager for that external type. You do the configuration by using the CLI.

To configure the secrets manager and create internal and external secrets in Mesh, you must have the tenant administrator role.

Configuring the secrets manager

When you configure the secrets manager by using the CLI, you set the secrets manager strategy type (sm_type_strategy) to internal or external. The default is internal. To switch from one type to the other, you update the secrets manager configuration. Complete the following steps to configure the secrets manager so that you can create internal or external secrets:

  1. To get the current secrets manager configuration, run the following command:
    palmctl get secrets-manager-configuration

    The command displays the configuration in YAML format, similar to the following example:

    sm_type_strategy: "<internal-or-external>"
    description: "<configuration-description>"
    api_key: "<api-key-for-external-type-configuration>"
    • sm_type_strategy is the type of the secrets manager strategy that you select.
    • description is the configuration description of the secrets manager.
    • api_key is the API key for your IBM Cloud account. When you configure an external secrets manager, you must provide an API key. For more information, see Secrets manager.
  2. To update your secrets manager configuration, create a YAML file with the attributes that are shown in step 1. For example, create a YAML file that is called secrets-manager-configuration.yaml that contains the following attributes:
    sm_type_strategy: "external"
    description: "Secrets manager configuration for prod instance"
    api_key: "<api-key-for-your-ibm-cloud-account>"

    The file holds a credential. Make it readable only by your user, do not commit it to version control, and delete it after the update is applied.
  3. To apply the configuration, run the following command:
    palmctl update secrets-manager-configuration -f secrets-manager-configuration.yaml

    If your secrets manager configuration is updated to external, output similar to the following example is shown:

    sm_type_strategy: "external"
    description: "<an external configuration description>"
    api_key: "<api-key-for-external-type-configuration>"
  4. If external secrets are already stored in Mesh and you change the secrets manager configuration to internal, you can supply a new API key for those existing external secrets. To do so, edit the api_key attribute in the YAML file that describes your configuration, then update the secrets manager configuration with the new value.

    Run the following command:

    palmctl update secrets-manager-configuration -f secrets-manager-configuration-api-key.yaml

    Output similar to the following example is shown:

    sm_type_strategy: "internal"
    description: "<internal secret configuration description>"
    api_key: "<updated_api_key_for_existing_secrets>"
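The following POSIX shell helper is an added example; it is not from the IBM Hybrid Cloud Mesh documentation or from palmctl. It carries out steps 2 to 4 in a way that keeps the API key out of hand-edited files and shell history: the key is read from an environment variable, the YAML file is created with owner-only permissions, the file is checked before it is applied, and the two palmctl commands the page documents are wrapped in one function. The environment variable name MESH_SM_API_KEY and the function names are assumptions of this example; the three attributes and the palmctl subcommands are the ones the page shows.

```shell
#!/bin/sh
# Added example (not from the IBM Hybrid Cloud Mesh documentation or the
# palmctl tool): build and sanity-check the secrets-manager-configuration
# YAML file before handing it to `palmctl update`.
#
# Assumption not from the page: the API key is supplied in the environment
# variable MESH_SM_API_KEY (a name chosen for this example), so it never has
# to be typed into a file or onto a command line that lands in history.

# write_sm_config <path> <internal|external> <description>
# Writes the three documented attributes. The file is created with
# owner-only permissions from the moment it exists, because it carries a
# credential.
write_sm_config() {
  path=$1; strategy=$2; description=$3
  case "$strategy" in
    internal|external) ;;
    *) echo "sm_type_strategy must be internal or external, got '$strategy'" >&2; return 2 ;;
  esac
  if [ "$strategy" = external ] && [ -z "${MESH_SM_API_KEY:-}" ]; then
    echo "an external secrets manager needs an API key: set MESH_SM_API_KEY" >&2
    return 2
  fi
  old_umask=$(umask)
  umask 077
  {
    printf 'sm_type_strategy: "%s"\n' "$strategy"
    printf 'description: "%s"\n' "$description"
    printf 'api_key: "%s"\n' "${MESH_SM_API_KEY:-}"
  } > "$path"
  umask "$old_umask"
}

# check_sm_config <path>
# Refuses a file that would be rejected or that leaks the key: the strategy
# must be internal or external, an external strategy needs a non-empty
# api_key, and the file must not be readable by group or others.
# Prints the strategy on success.
check_sm_config() {
  path=$1
  strategy=$(sed -n 's/^sm_type_strategy: *"\{0,1\}\([a-z]*\)"\{0,1\} *$/\1/p' "$path")
  key=$(sed -n 's/^api_key: *"\(.*\)" *$/\1/p' "$path")
  case "$strategy" in
    internal|external) ;;
    *) echo "$path: sm_type_strategy must be internal or external" >&2; return 1 ;;
  esac
  if [ "$strategy" = external ] && [ -z "$key" ]; then
    echo "$path: sm_type_strategy is external but api_key is empty" >&2; return 1
  fi
  # Characters 5-10 of the `ls -l` mode field are the group and other bits.
  if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
    echo "$path: must not be readable by group or others (chmod 600)" >&2; return 1
  fi
  echo "$strategy"
}

# apply_sm_config <path>
# Shows the current configuration for the record, then applies the file.
# Needs palmctl and a logged-in session, so it is not exercised offline.
apply_sm_config() {
  path=$1
  check_sm_config "$path" > /dev/null || return 1
  palmctl get secrets-manager-configuration
  palmctl update secrets-manager-configuration -f "$path"
}
```

Source the file, put the key in MESH_SM_API_KEY (with a non-echoing `read -s` in bash, or from a secret store, rather than on a command line), then run `write_sm_config secrets-manager-configuration.yaml external "Secrets manager configuration for prod instance"` followed by `apply_sm_config secrets-manager-configuration.yaml`. For step 4, write the file with the internal strategy and the replacement key in the same variable; the permission check still applies because that file also carries a key.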

Creating secrets

You can create secrets based on the type of secrets manager that you configure for your tenants. For more information about how to create secrets, see the following topics: