Creating a Secret in a Vault
Create a secret in a vault. Secrets are credentials such as passwords, certificates, SSH keys, or authentication tokens that you use with Oracle Cloud Infrastructure services.
- Open the navigation menu, click Identity & Security, and then click Vault.
- Under List scope, select the compartment in which you want to create a secret.
- Click the name of the vault in which you want to create a secret. If you need to create a new vault for the secret, follow the instructions in the Create a Vault topic, and then click the name of the vault.
- Under Resources, click Secrets and then click Create Secret.
- In the Create Secret panel, provide the following details:
- Enter a name to identify the secret. Avoid entering any confidential information.
- Enter a brief description of the secret to help identify it. Avoid entering any confidential information.
- Select the master encryption key that you want to use to encrypt the secret contents while they're imported to the vault. (The key must belong to the same vault. The key must also be a symmetric key. You can't encrypt vault secrets with asymmetric keys.)
- Select one of the following methods to generate the secret:
- Automatic secret generation: Generates the secret automatically. When enabled, you don't need to provide the secret content. Furthermore, when you create a new secret version, its content is autogenerated based on the secret generation type and generation template.
- Manual secret generation: Lets you manually provide the secret content.
- If you selected Automatic secret generation, select the Generation type.
- If you selected Passphrase, select the corresponding Generation context and optionally provide the Passphrase length and Secret format.
- If you selected SSH Key, select the corresponding Generation context and optionally provide the Secret format.
- If you selected Bytes, select the corresponding Generation context and optionally provide the Secret format.
- If you selected Manual secret generation, provide the following:
- In the Secret Type Template, specify the format of the secret contents that you're providing by selecting a template. You can provide secret contents in plain-text when you use the Console to create a vault secret or vault secret version, but secret contents must be base64-encoded before they're sent to the service. The Console automatically encodes plain-text secret contents for you.
- In Secret Contents, enter the contents of the secret. (The maximum allowable size for a secret bundle is 25 KB.)
- To apply a rule to manage how vault secrets are used, click Show advanced options and then provide the following information under the Rules tab. You can either create a rule regarding the reuse of secret contents across versions of a secret, or you can create a rule specifying when the secret contents expire. For more information about rules, see Secret Rules.
- Rule Type: Select Secret Reuse Rule or a Secret Expiry Rule. At most, you can have one of each. If you already have one rule, but want to add another, click + Another Rule.
- Configuration (for reuse rule): Select to enforce the reuse rule so it applies even to deleted secret versions, or allow reuse of secret contents from deleted secret versions.
- Configuration (for Expiry rule): Set how frequently you want secret contents to expire and what you want to happen when the secret or secret version expires. Expiration of individual secret versions is represented by a period of 1 to 90 days that you can specify with the arrow buttons or by entering a number. Expiration of the secret itself is represented by an absolute time and date between 1 and 365 days from the current time and date. Specify this date by using the date picker. You can configure expiry values for both the secret version and the secret, or just one of the two. (It's possible to clear the secret version expiry interval, but you must delete the entire expiry rule and start over to set an absolute time to expire the secret.)
- In the Secret Rotation section, provide the following details:
- Target system type: Select Target system type as Autonomous Database or Function and provide the corresponding Target system id.
- Target system id: The system ID is auto-populated for the selected target system type.
- Enable auto rotation: Select the check box to turn on automatic rotation.
Note
If you don't specify the target system type and ID, the check box isn't enabled for automatic rotation.
- Rotation interval: Optionally, select the Rotation interval to update the secret periodically.
- Optionally, to apply tags to the secret, click Show advanced options and then provide the following information under the Tagging tab. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option (you can apply tags later) or ask an administrator.
- Click Create Secret.
Use the create-base64 command to create a secret in a vault.
Note
You must specify a symmetric key to encrypt the secret during import to the vault. You can't encrypt secrets with asymmetric keys. Furthermore, the key must exist in the vault that you specify.
oci vault secret create-base64 --compartment-id <target_compartment_id> --secret-name <secret_name> --vault-id <target_vault_id> --description <secret_description_text> --key-id <encryption_key_id> --secret-content-content <base64_encoded_secret_content> --secret-content-name <unique_content_name> --secret-content-stage <secret_version_rotation_state>
For example:
oci vault secret create-base64 --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --secret-name testSecret --vault-id ocid1.vault.oc1.iad.exampleyaaeuk.examplesuxtdqxczlvygwk4ouq2mhzr223g4o2ojs4o4q4ghmt6rlexample --description "this is a test secret" --key-id ocid1.key.oc1.iad.exampleyaaeuk.abuwcvbrswr2nbvrraqomsmhopc74rlqupwyv3byhikd4577rrky7example --secret-content-content bXlwYXNzd29yZA== --secret-content-name testpassword1 --secret-content-stage CURRENT
Avoid entering confidential information.
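The manual create-base64 path above requires the caller to base64-encode the content and stay under the 25 KB bundle limit before the command is sent. The following added script (not part of the OCI documentation or CLI) performs those two preparation steps and prints the resulting command for review instead of executing it; it assumes the content comes from a file, that the 25 KB limit is 25*1024 raw bytes, and uses obvious OCID placeholders.

```shell
#!/bin/sh
# Added example: prepare inputs for `oci vault secret create-base64`
# without calling the CLI. Assumption: the 25 KB bundle limit is
# treated as 25*1024 raw bytes of secret content.
MAX_SECRET_BYTES=$((25 * 1024))

# Base64-encode a file with no line wrapping (works with GNU and BSD base64).
encode_secret_file() {
    base64 < "$1" | tr -d '\n'
}

# Return 0 if the file fits the bundle limit, 1 otherwise.
check_secret_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$MAX_SECRET_BYTES" ]
}

# Print the create-base64 command for review; never executes it.
# Usage: build_create_command <compartment_ocid> <vault_ocid> <key_ocid> <secret_name> <content_file>
build_create_command() {
    check_secret_size "$5" || {
        echo "secret content exceeds ${MAX_SECRET_BYTES} bytes" >&2
        return 1
    }
    content=$(encode_secret_file "$5")
    printf 'oci vault secret create-base64 --compartment-id %s --vault-id %s --key-id %s --secret-name %s --secret-content-content %s --secret-content-name %s --secret-content-stage CURRENT\n' \
        "$1" "$2" "$3" "$4" "$content" "${4}-v1"
}

# Constructed sample input (not a real credential) so the script runs stand-alone.
SAMPLE_FILE=$(mktemp)
printf 'mypassword' > "$SAMPLE_FILE"
build_create_command "ocid1.compartment.oc1..<placeholder>" "ocid1.vault.oc1..<placeholder>" \
    "ocid1.key.oc1..<placeholder>" testSecret "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```

The printed command carries the same encoded value (bXlwYXNzd29yZA==) as the documentation's example, so it can be compared line by line before the real OCIDs are substituted.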
To enable automatic secret generation and rotation, see the following example:
oci vault secret create-base64 --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --secret-name testSecret --vault-id ocid1.vault.oc1.iad.exampleyaaeuk.examplesuxtdqxczlvygwk4ouq2mhzr223g4o2ojs4o4q4ghmt6rlexample --description "this is a test secret" --key-id ocid1.key.oc1.iad.exampleyaaeuk.abuwcvbrswr2nbvrraqomsmhopc74rlqupwyv3byhikd4577rrky7example --enable-auto-generation true --secret-generation-context file://sample_generation_file.json --rotation-config file://sample_rotation.json
Example for content in the passphrase.json file:
{
  "generation_type": "%GENERATED_PASSPHRASE%",
  "generation_template": "DBAAS_DEFAULT_PASSWORD",
  "secret_template": {
    "username": "ORACLE",
    "password": "your-password"
  }
}
Example for content in the sample_rotation.json file:
{
  "rotationInterval": "P30D",
  "isScheduledRotationEnabled": true,
  "target_system_details": {
    "target_system_type": "ADB",
    "adbId": "ocid1.autonomousdatabase.<unique_ID>"
  }
}
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
Run the CreateSecret operation to create a secret in a vault.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.