Overview of the Secret Management Service
Understand secret management concepts for accessing and managing secrets.
Concepts
- Secrets: Secrets are credentials such as passwords, certificates, SSH keys, or authentication tokens that you use with Oracle Cloud Infrastructure services. Storing secrets in the Secret Management Service provides greater security than you might achieve by storing them elsewhere, such as in code or configuration files.
- Secret Versions: Each secret is automatically assigned a secret version. When you rotate a secret, you provide new secret contents to the Secret Management Service to generate a new secret version. Periodically rotating secret contents reduces the impact in case a secret is exposed. A secret's unique Oracle Cloud ID (OCID) remains the same across rotations, but the secret version lets the Secret Management Service rotate secret contents to meet any rules or compliance requirements you might have. If you have a rule configured that prevents secret reuse, you can't use an older secret version's contents after you rotate it; the older version nonetheless remains available and is marked with a rotation state other than "current". For more information about secret versions and their rotation states, see Secret Versions and Rotation States.
- Secret Bundles: A secret bundle consists of the secret contents, properties of the secret and secret version (such as version number or rotation state), and user-provided contextual metadata for the secret. When you rotate a secret, you create a new secret version, which also includes a new secret bundle version.
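The following is an added example, not code from the Oracle documentation or SDK, showing what a consumer does with a secret bundle as described above: it checks that the returned version is in the expected rotation stage and has not expired before decoding the base64 contents. The bundle shape follows the Secret Retrieval API's SecretBundle JSON; the sample values are constructed placeholders, and the `oci` SDK calls in `fetch_bundle` are assumed to be installed and configured only if you call that function.

```python
import base64
from datetime import datetime, timezone

# Constructed sample of a SecretBundle as returned by the Secret Retrieval API.
# The OCID and contents are placeholders, not real values.
SAMPLE_BUNDLE = {
    "secretId": "ocid1.vaultsecret.oc1..EXAMPLE_PLACEHOLDER",
    "versionNumber": 3,
    "versionName": "rotation-q2",
    "stages": ["CURRENT", "LATEST"],       # rotation states of this version
    "timeCreated": "2024-04-01T10:00:00.000Z",
    "timeOfExpiry": "2099-01-01T00:00:00.000Z",
    "metadata": {"owner": "payments-team"},  # user-provided contextual metadata
    "secretBundleContent": {
        "contentType": "BASE64",
        "content": base64.b64encode(b"s3cr3t-db-password").decode(),
    },
}


def bundle_problems(bundle, require_stage="CURRENT", now=None):
    """Return the reasons this bundle must not be used; an empty list means it is usable."""
    problems = []
    # A stale lookup can hand back a PREVIOUS or DEPRECATED version; insist on the stage we asked for.
    if require_stage not in bundle.get("stages", []):
        problems.append(f"version {bundle.get('versionNumber')} is not in stage {require_stage}")
    expiry = bundle.get("timeOfExpiry")
    if expiry:
        now = now or datetime.now(timezone.utc)
        # fromisoformat() before Python 3.11 does not accept a trailing "Z".
        if datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            problems.append("version expired")
    if bundle.get("secretBundleContent", {}).get("contentType") != "BASE64":
        problems.append("unsupported content type")
    return problems


def decode_bundle(bundle, require_stage="CURRENT", now=None):
    """Validate the bundle and return the plaintext secret contents as bytes."""
    problems = bundle_problems(bundle, require_stage, now)
    if problems:
        raise ValueError("; ".join(problems))
    return base64.b64decode(bundle["secretBundleContent"]["content"])


def fetch_bundle(secret_id, stage="CURRENT"):
    """Retrieve a live bundle with the OCI Python SDK (assumed installed and configured) and decode it."""
    import oci  # imported lazily so the offline parts of this file run without the SDK
    client = oci.secrets.SecretsClient(oci.config.from_file())
    response = client.get_secret_bundle(secret_id, stage=stage)
    return decode_bundle(oci.util.to_dict(response.data), require_stage=stage)
```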
Regions and Availability Domains
The Secret Management Service is available in all Oracle Cloud Infrastructure commercial regions. See About Regions and Availability Domains for the list of available regions, along with associated locations, region identifiers, region keys, and availability domains.
Different endpoints exist for secret management operations and secret retrieval operations. For more information, see the Secret Management API and the Secret Retrieval API reference and endpoints.
The Secret Management Service maintains copies of secrets to durably persist them and to provide high availability. This replication is independent of any cross-region replication that a customer might configure.
The Secret Management Service maintains copies of secrets across fault domains.
For secrets, in regions with multiple availability domains, the Vault service distributes secret copies across two different availability domains. In regions with a single availability domain, the Vault service distributes the copies across two different fault domains.
Resource Identifiers
The Secret Management Service supports secrets as Oracle Cloud Infrastructure resources. Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.
Ways to Access Oracle Cloud Infrastructure
You can access the Secret Management Service using the Console (a browser-based interface), the command line interface (CLI), or the REST API. Instructions for the Console, CLI, and API are included in topics throughout this guide.
For a list of available SDKs, see Software Development Kits and Command Line Interface.
To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and select Infrastructure Console. You are prompted to enter your cloud tenant, your user name, and your password.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in an organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, create instances, create buckets, download objects, and so on. For more information, see Managing Identity Domains. For specific details about writing policies for each of the different services, see Policy Reference.
If you're a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that the company owns, contact an administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you can use.