Enabling event notifications for Secrets Manager
As an administrator of IBM Cloud® Secrets Manager, you might want to send notifications of events in Secrets Manager to other users, or human destinations, by using email, SMS, or other supported delivery channels. Additionally, you might want to send these notifications of events to other applications to build logic by using event-driven programming using webhooks, for example. This is made possible by the integration between Secrets Manager and IBM Cloud® Event Notifications.
To send information to Event Notifications, you must connect your Secrets Manager service instance to Event Notifications. For more information about working with Event Notifications, see Getting started with Event Notifications.
If you decide to delete your Secrets Manager service instance, also remove Secrets Manager as a source in your Event Notifications service instance.
How events are collected and sent by Secrets Manager
When an event of interest takes place in your Secrets Manager instance, Secrets Manager communicates with a connected Event Notifications instance to forward a notification to a supported destination.
Secrets Manager aggregates a list of your pending notifications by event type, the type of secret, and expiry details if they apply. Every 1 - 2 minutes, the service checks for and dispatches any pending notifications to the connected Event Notifications service. For example, you might receive notifications that are similar to the following messages:
- You have 1 arbitrary secret that expires in 1 day.
- You have 5 public certificate secrets that expire in 10 days.
- You have 100 imported certificate secrets that expire in 30 days.
100 is the maximum number of secrets that you can be notified of in a single event notification.
Events for Secrets Manager
The following table lists the Secrets Manager actions that generate an event.
Depending on the type of secret that you're working with in the service, an event might not be generated by Secrets Manager. For example, you don't receive a notification if a certificate is set to expire in less than 24 hours. For more information, refer to Events by secret type.
| Event name | Event type | Subtype | Description | Severity level |
|---|---|---|---|---|
| Secret created | com.ibm.cloud.secrets-manager.secret_created |
An event is sent when a secret is added to the instance. | Low | |
| Secret creation failed | com.ibm.cloud.secrets-manager.secret_creation_failed |
An event is sent when a request to create a secret fails. | Low | |
| Secret rotated | com.ibm.cloud.secrets-manager.secret_rotated |
An event is sent when a secret is rotated and a new version becomes available. | Low | |
| Secret rotation failed | com.ibm.cloud.secrets-manager.secret_rotation_failed |
An event is sent when a request to rotate a secret fails. | High | |
| Secret expires in 90 days | com.ibm.cloud.secrets-manager.secret_about_to_expire |
in_90_days |
An event is sent when a secret is 90 days from expiration. | High |
| Secret expires in 60 days | com.ibm.cloud.secrets-manager.secret_about_to_expire |
in_60_days |
An event is sent when a secret is 60 days from expiration. | High |
| Secret expires in 30 days | com.ibm.cloud.secrets-manager.secret_about_to_expire |
in_30_days |
An event is sent when a secret is 30 days from expiration. | High |
| Secret expires in 10 days | com.ibm.cloud.secrets-manager.secret_about_to_expire |
in_10_days |
An event is sent when a secret is 10 days from expiration. | High |
| Secret expires in 1 day | com.ibm.cloud.secrets-manager.secret_about_to_expire |
in_1_days |
An event is sent when a secret is 1 day from expiration. | High |
| Secret expires in less than 1 day | com.ibm.cloud.secrets-manager.secret_about_to_expire |
in_0_days |
An event is sent when a secret is less than 1 day from expiration. | High |
| Secret expired | com.ibm.cloud.secrets-manager.secret_expired |
An event is sent when a secret reaches its expiration date and time. | High | |
| Secret revoked | com.ibm.cloud.secrets-manager.secret_revoked |
An event is sent when a version of a secret is revoked before it is scheduled to expire. | Low | |
| Secret deleted | com.ibm.cloud.secrets-manager.secret_deleted |
An event is sent when a secret is deleted from a Secrets Manager instance. | Low | |
| Secret deletion failed | com.ibm.cloud.secrets-manager.secret_deletion_failed |
An event is sent when a request to delete a secret fails. | High | |
| Secret deletion blocked | com.ibm.cloud.secrets-manager.secret_deletion_blocked |
An event is sent when a secret is unable to be deleted because it is locked. | Low | |
| Secret revocation blocked | com.ibm.cloud.secrets-manager.secret_revocation_blocked |
An event is sent when a secret is unable to be revoked because it is locked. | Low | |
| Secret rotation blocked | com.ibm.cloud.secrets-manager.secret_rotation_blocked |
An event is sent when a secret is unable to be rotated because it is locked. | Low | |
| Secret expiration blocked | com.ibm.cloud.secrets-manager.secret_expiration_blocked |
An event is sent when a secret is unable to expire because it is locked. | High | |
| Secret data removed | com.ibm.cloud.secrets-manager.secret_data_removed |
An event is sent when a secret's data is removed. | Low | |
| Secret version data deleted | com.ibm.cloud.secrets-manager.secret_version_data_deleted |
An event is sent when a secret version's data is deleted. | Low | |
| Test event | com.ibm.cloud.secrets-manager.test_event |
An event is sent when a test notification is forwarded to Event Notifications. | Low |
secret_about_to_expire events are sent only once, on the specified day. This means that if you specify that a secret is to expire in 10 days, you receive a single notification when the secret has 10 days left. You do not receive
a notification at any other time, for example, when the secret has 9 days left.
Supported secret types
The following table lists the Secrets Manager events that can be generated based on secret types that are supported in the service.
| Event name | Event type | Occurrence | Arbitrary | IAM credentials | Key-value | User credentials | Imported certificates | Private certificates | Public certificates | Service credentials |
|---|---|---|---|---|---|---|---|---|---|---|
| Secret created | com.ibm.cloud.secrets-manager.secret_created |
One time |  |
|||||||
| Secret creation failed | com.ibm.cloud.secrets-manager.secret_creation_failed |
One time | |
|
|
|
|
|
|
|
| Secret rotated | com.ibm.cloud.secrets-manager.secret_rotated |
One time | |
|
|
|
|
|
|
|
| Secret rotation failed | com.ibm.cloud.secrets-manager.secret_rotation_failed |
One time | |
|
|
|
|
|
|
|
| Secret about to expire | com.ibm.cloud.secrets-manager.secret_about_to_expire |
90, 60, 30, 10, 1, 0 days before the secret expires | |
|
Not applicable[1] | |
|
|
|
|
| Secret expired | com.ibm.cloud.secrets-manager.secret_expired |
Daily | |
|
Not applicable[2] | |
|
|
|
|
| Secret revoked | com.ibm.cloud.secrets-manager.secret_revoked |
One time | |
|||||||
| Secret deleted | com.ibm.cloud.secrets-manager.secret_deleted |
One time | |
|
|
|
|
|
|
|
| Secret deletion failed | com.ibm.cloud.secrets-manager.secret_deletion_failed |
One time | |
|
|
|
|
|
|
|
| Secret deletion blocked | com.ibm.cloud.secrets-manager.secret_deletion_blocked |
One time | |
|
|
|
|
|
|
|
| Secret rotation blocked | com.ibm.cloud.secrets-manager.secret_rotation_blocked |
One time[3] Daily [4] |
|
|
|
|
|
|
|
|
| Secret revocation blocked | com.ibm.cloud.secrets-manager.secret_revocation_blocked |
One time | Not applicable[5] | Not applicable[6] | Not applicable[7] | Not applicable[8] | Not applicable[9] | |
Not applicable[10] | |
| Secret expiration blocked | com.ibm.cloud.secrets-manager.secret_expiration_blocked |
One time Daily |
|
|
Not applicable[11] | |
|
|||
| Secret data removed | com.ibm.cloud.secrets-manager.secret_data_removed |
One time | |
|
|
|
|
|
|
|
| Secret version data deleted | com.ibm.cloud.secrets-manager.secret_version_data_deleted |
One time | |
|
|
|
|
|
|
Enabling notifications
Events that are generated by an instance of the Secrets Manager service can be forwarded to an Event Notifications service instance that is available in the same account. You can configure only one Secrets Manager instance to one Event Notifications service instance. To get started, you need:
- Manager service access on the Secrets Manager service.
- Manager service access on the Event Notifications service. To view an existing Event Notifications service instance in your account, you also need Viewer platform access or higher.
Connecting to Event Notifications in the UI
Before you can enable notifications for Secrets Manager, be sure that you have an Event Notifications service instance that is in the same account as your Secrets Manager instance. Then, you can use the Settings > Event Notifications section in the Secrets Manager UI to connect the services.
-
In the console, click the Menu icon
> Resource list. -
From the list of services, select your instance of Secrets Manager.
-
In the Secrets Manager navigation, click Settings.
-
In the Event Notifications section, and click Connect.
-
In the side panel, review the source details for the connection. Optionally, provide a description.
-
Select the resource group and Event Notifications service instance that you want to connect.
If an IAM authorization between Secrets Manager and Event Notifications doesn't exist in your account, a dialog is displayed. Follow the prompts to grant access between the services.
- To grant access between Secrets Manager and Event Notifications, click Authorize.
- In the side panel, select Event Notifications as the target service.
- From the list of instances, select the Event Notifications service instance that you want to authorize.
- Select the Event Source Manager role.
- Click Review.
- Click Assign.
-
To confirm the connection, click Connect.
A success message is displayed to indicate that Secrets Manager is now connected to Event Notifications. If you need to disconnect from Event Notifications later, you can use the options menu
> Disconnect to remove the Secrets Manager as a source service in the Event Notifications instance.If you choose to disconnect Event Notifications, do not delete the IAM authorization between Secrets Manager and Event Notifications. Secrets Manager uses the existing authorization to unregister from Event Notifications. If an Event Notifications instance is deleted, any authorizations that exist between the service and the Secrets Manager are also deleted by IAM.
Connecting to Event Notifications with the API
Before you can enable notifications for Secrets Manager, be sure that you have an Event Notifications service instance that is in the same account as your Secrets Manager instance. Then, you can connect to Event Notifications programmatically by calling the Secrets Manager API.
The following example shows a query that you can use to register your Secrets Manager source details with Event Notifications. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.
You can find the event_notifications_instance_crn value in the console by going to the Resource list and clicking the Event Notifications instance row.
curl -X POST
--H "Authorization: Bearer {iam_token}" \
--H "Accept: application/json" \
--H "Content-Type: application/json" \
--d'{
"event_notifications_instance_crn": "crn:v1:bluemix:public:event-notifications:us-south:a/22018f3c34ff4ff193698d15ca316946:578ad1a4-2fd8-4e66-95d5-79a842ba91f8::",
"event_notifications_source_description": "Optional description of this source in an Event Notifications instance.",
"event_notifications_source_name": "My Secrets Manager"
}' \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/notifications/registration"
A successful request returns the CRN value of your connected Event Notifications service instance. For more information about the required and optional request parameters, see the API docs.
Connecting to Event Notifications with Terraform
The following example shows a configuration that you can use to to register your Secrets Manager source details with Event Notifications.
resource "ibm_sm_en_registration" "en_registration" {
instance_id = local.instance_id
region = local.region
name = "test-root-ca"
event_notifications_instance_crn = var.en_instance_crn
event_notifications_source_description = "My event notification source"
event_notifications_source_name = "my_en_source"
}
Sending a test event to Event Notifications in the UI
After you enable notifications for Secrets Manager, test your connection to ensure that the events that are generated by Secrets Manager are being forwarded to Event Notifications.
Before you can send a test Secrets Manager events, you must have topics, destinations, and subscriptions created in your Event Notifications instance. Be
sure that the Test event event type (com.ibm.cloud.secrets-manager.test_event) is included as a condition in your Event Notifications topic.
-
In the Secrets Manager UI, click Settings.
-
In the Event Notifications section, click Send test event.
A success message is displayed to indicate that the test event was forwarded successfully to Event Notifications.
Sending a test event to Event Notifications with the API
After you enable notifications for Secrets Manager, test your connection to ensure that the events that are generated by Secrets Manager are being forwarded to Event Notifications.
Before you can send a test Secrets Manager event, you must have topics, destinations, and subscriptions created in your Event Notifications instance. Be sure
that the Test event event type (com.ibm.cloud.secrets-manager.test_event) is included as a condition in your Event Notifications topic.
The following example shows a query that you can use to send a test event from the Secrets Manager to Event Notifications. When you call the API, replace the ID variables and IAM token with the values that are specific to your Secrets Manager instance.
curl -X GET
--H "Authorization: Bearer {iam_token}" \
"https://{instance_ID}.{region}.secrets-manager.appdomain.cloud/api/v2/notifications/registration/test"
A successful request returns an HTTP 200 OK response to indicate that a test event was forwarded successfully to your connected Event Notifications service instance. For more information, see the API docs.
Delivering notifications to select destinations
After you enable notifications for Secrets Manager, create topics and subscriptions in Event Notifications so that alerts can be forwarded and delivered to your selected destinations.
For a complete list of supported destinations, see the Event Notifications documentation.
Email notifications
You can use the IBM Cloud email service as a delivery channel for Secrets Manager event notifications. Create an Event Notifications subscription between an existing topic and the IBM Cloud email service to forward your alerts to various recipients by email.
An email from IBM Cloud that contains information about a Secrets Manager event resembles the following example:
Subject: Your 2 public certificate secrets expire in 10 days
Body: You have 2 public certificate secrets that expire in 10 days: my-certificate-1, my-certificate-2. You can view and manage your existing secrets by accessing Secrets Manager in the console, or by using the CLI or APIs. For more information, check out the docs.
To receive detailed information about an event notification in your email, select the Add notification payload option when you create an Event Notifications subscription. Your email displays the notification payload details that are associated with the event.
Webhooks
You can configure a webhook destination so that an incoming notification can be consumed programmatically by an app or service. For more information about setting up webhooks, check out the Event Notifications documentation.
Notification payload details
Successful events that are generated by Secrets Manager contain various fields that help you to identify the source and details of an event.
Event notifications from Secrets Manager contain only metadata properties, such as names or identifiers of resources. Sensitive data, for example API keys or passwords, are not included in generated events.
The properties that are sent to Event Notifications vary depending on the event type and type of secret. For example, if an secret_about_to_expire:in_10_days event takes place in an instance for one or more public_cert secrets, Secrets Manager sends a notification payload to Event Notifications that is similar to the following example.
{
"event_sub_type": "in_10_days",
"event_type": "secret_about_to_expire",
"secret_type": "public_cert",
"secrets": [
{
"domains": "domain1.com",
"event_time": "2022-01-04T00:00:00Z",
"event_triggered_by": "SecretsManager",
"secret_expiration": "2022-01-14T00:00:00Z",
"secret_group_id": "default",
"secret_id": "crn:v1:bluemix:public:secrets-manager:<region>:a/<account_id>:<instance_id>:secret:<secret_id>",
"secret_name": "my-certificate-1",
"serial_number": "1:2:3:4"
},
{
"domains": "domain2.com, domain3.com",
"event_time": "2022-01-04T00:00:00Z",
"event_triggered_by": "SecretsManager",
"secret_expiration": "2022-01-14T00:00:00Z",
"secret_group_id": "default",
"secret_id": "crn:v1:bluemix:public:secrets-manager:<region>:a/<account_id>:<instance_id>:secret:<secret_id>",
"secret_name": "my-certificate-2",
"serial_number": "1:2:3:4"
},
],
"source_instance_api_private_url": "https://<instance_id>.private.<region>.secrets-manager.appdomain.cloud/api",
"source_instance_api_public_url": "https://<instance_id>.<region>.secrets-manager.appdomain.cloud/api",
"source_instance_crn": "crn:v1:bluemix:public:secrets-manager:<region>:a/<account_id>:<instance_id>::",
"source_instance_dashboard_url": "https://cloud.ibm.com/services/secrets-manager/crn%3Av1%3Abluemix%3Apublic%3Asecrets-manager%3A<region>%3Aa%2Fa6cc9f5f21f34323a4175c1117638b40%3A<instance_id>%3A%3A",
"source_service": "SecretsManager"
}
Review following table for more information about event notification properties.
| Property | Description |
|---|---|
event_sub_type |
The subtype that corresponds with the type of event that triggered a notification. |
event_type |
The type of event that triggered a notification. |
secret_type |
The type of secret that is associated with the event.
Possible values include: imported_cert, private_cert, public_cert |
secrets[] |
A list of objects that contain the metadata properties of a secret that is associated with the event. The properties that are listed vary depending on the secret type. Properties that are sent for all secret types include:
Events for
Failure events can also contain:
|
source_instance_api_private_url |
The private endpoint URL that is assigned to your Secrets Manager service instance. |
source_instance_api_public_url |
The public endpoint URL that is assigned to your Secrets Manager service instance. |
source_instance_crn |
The Cloud Resource Name (CRN) that uniquely identifies your Secrets Manager service instance. |
source_instance_dashboard_url |
The URL to your Secrets Manager service dashboard in the console. |
source_service |
The display name of the service that sent the event notification. |
-
Event is not applicable because there isn't a time-to-live (TTL) limit for this secret type. ↩︎
-
Event is not applicable because there isn't a time-to-live (TTL) limit for this secret type. ↩︎
-
You receive a notification that informs you that your manual rotation was not successful. ↩︎
-
When an automatic rotation fails, you are notified daily until it is successful. ↩︎
-
Event is not applicable because this notification type applies to private certificates only. ↩︎
-
Event is not applicable because this notification type applies to private certificates only. ↩︎
-
Event is not applicable because this notification type applies to private certificates only. ↩︎
-
Event is not applicable because this notification type applies to private certificates only. ↩︎
-
Event is not applicable because this notification type applies to private certificates only. ↩︎
-
Event is not applicable because this notification type applies to private certificates only. ↩︎
-
Event is not applicable because there isn't a time-to-live (TTL) limit for this secret type. ↩︎