Managing secrets by using the CLI
You can create internal or external secrets in IBM Hybrid Cloud Mesh (Mesh). Before you create secrets, you must configure the Mesh secrets manager.
When you create a secret in Mesh, the secret is stored in the Mesh secrets manager by default. The Mesh secrets manager is an internal secrets manager, but you can also use an external secrets manager. To use an external secrets manager, you must configure the Mesh secrets manager. You use the CLI to do the configuration.
To configure the secrets manager and create internal and external secrets in Mesh, you must have the tenant administrator role.
Configuring the secrets manager
When you configure the secrets manager by using the CLI, you must set the type of the secrets manager strategy to external or internal. By default, the type of the secrets manager strategy is set to internal. When you change from one secrets manager type to another, you must modify the configuration of the secrets manager. Complete the following steps to configure the secrets manager to create internal or external secrets:
- To get the current secrets manager configuration, run the following command:
palmctl get secrets-manager-configuration
The command displays the configuration in YAML format, similar to the following example:
sm_type_strategy: "<internal-or-external>"
description: "<configuration-description>"
api_key: "<api-key-for-external-type-configuration>"
sm_type_strategy is the type of the secrets manager strategy that you select.
description is the configuration description of the secrets manager.
api_key is the API key for your IBM Cloud account. When you configure an external secrets manager, you must provide an API key. For more information, see Secrets manager.
- To update your secrets manager configuration, create a YAML file with the attributes that are given in step 1. For example, create a YAML file that is called secrets-manager-configuration.yaml that contains the following attributes:
sm_type_strategy: "external"
description: "Secrets manager configuration for prod instance"
api_key: "FuW6Nf2-_KKMBDM2vyJyL2ASaRpQts5xg9zWPy"
- To update the secrets manager configuration, run a command like this:
palmctl update secrets-manager-configuration -f secrets-manager-configuration.yaml
If your secrets manager configuration is updated to external, output similar to the following example is shown:
sm_type_strategy: "external"
description: "<an external configuration description>"
api_key: "<api-key-for-external-type-configuration>"
- If you have external secrets that are stored in Mesh and you want to change the configuration of your secrets manager to internal, you can provide a new API key. To provide a new API key, edit the api_key attribute in the YAML file that describes your configuration, then update the secrets manager configuration with the new value. Run a command like this:
palmctl update secrets-manager-configuration -f secrets-manager-configuration-api-key.yaml
Output similar to the following example is shown:
sm_type_strategy: internal
description: "<internal secret configuration description>"
api_key: "<updated_api_key_for_existing_secrets>"
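As an added example (not IBM's or palmctl's own code), the following POSIX shell function checks a configuration file of the shape shown in the steps above before it is handed to palmctl update: sm_type_strategy must be internal or external, an external strategy must carry a real api_key rather than the template placeholder, and a file that contains an API key must not be readable by group or other users. The palmctl call in the trailing comment assumes the CLI is on PATH.

```shell
#!/bin/sh
# Added example, not IBM's code: sanity-check a palmctl secrets-manager
# configuration file before running
#   palmctl update secrets-manager-configuration -f <file>
# Only the three flat attributes shown on this page are parsed.

# Print the value of a top-level "key: value" line, with surrounding quotes removed.
sm_attr() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Return 0 when the file is consistent, 1 otherwise; the reason goes to stderr.
validate_sm_config() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    strategy=$(sm_attr "$file" sm_type_strategy)
    api_key=$(sm_attr "$file" api_key)

    case "$strategy" in
        internal|external) ;;
        *) echo "sm_type_strategy must be internal or external, got '$strategy'" >&2
           return 1 ;;
    esac

    # An external secrets manager needs a real IBM Cloud API key, not the
    # <placeholder> left behind when the documentation template is copied.
    if [ "$strategy" = external ]; then
        case "$api_key" in
            ""|"<"*">") echo "api_key is empty or still a placeholder" >&2; return 1 ;;
        esac
    fi

    # The file holds a plaintext API key: refuse it if group or others can read it.
    if [ -n "$api_key" ]; then
        mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
        case "$mode" in
            *[1-7]?|*?[1-7]) echo "$file has mode $mode; run chmod 600 on it" >&2
                             return 1 ;;
        esac
    fi
    return 0
}

# Typical use (palmctl assumed to be on PATH):
#   validate_sm_config secrets-manager-configuration.yaml &&
#       palmctl update secrets-manager-configuration -f secrets-manager-configuration.yaml
```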
Creating secrets
You can create secrets based on the type of secrets manager that you configure for your tenants. For more information about how to create secrets, see the following topics: