Available in VPC
Additional permission settings for console access are required to create and manage secrets in Secret Manager. For more information on user permissions, see Managing Secret Manager permissions and the Sub Account user guide.
Secret Manager interface
The basics of using Secret Manager are as follows:

| Area | Description |
|---|---|
| ① Menu name | Service names and the total number of secrets. |
| ② Basic features | Creating a secret, details about the service, page refresh. |
| ③ Secret list | Check the secret type and secret list. |
| ④ Detailed features | Check basic information, secret values, and logs. |
| ⑤ Detailed information on and features of secrets | Change secret information and status, request deletion, and change protection keys. |
| ⑥ Rotation information | Execute secret rotation and check the setting information. |
Creating a secret
To create a secret, follow these steps:
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- Select the name of the secret and the protection key in the step of (1) Enter the basic information of a secret.
- Select the automatic rotation status, rotation cycle, and trigger in the step of (2) Set rotation. Rotation period and trigger must be entered only when the automatic rotation is set to be enabled. If there is no trigger, create a Cloud Functions trigger. For more information about creating a trigger, see Cloud Functions - Secret Manager Type Trigger.
- Configure a secret in the step of Enter secret value. A secret has key-value properties and is configured in the JSON format. (The maximum size of a secret value is 10,000 bytes.) At least one replacement target must be set. For more information on rotation target, see Secret rotation.
- Make a final check to complete the secret creation.
Due to the characteristics of the features provided in the service, it is most common to save the access information of the database and view it during application loading. Write the authentication information of the database that you have configured in advance as the secret value. If the target for the secret is NAVER Cloud Platform Cloud DB, see the following secret configuration example. For usage examples of the secret rotation, see Secret rotation action.
| DBMS | Required properties |
|---|---|
| MySQL | Host, Port, Username, Password |
| MSSQL | Host, Port, Username, Password |
| PostgreSQL | Host, Port, Username, Database, Password |
Example of JSON formatting:

```json
{
  "cdbUser": "test",
  "cdbPassword": "test123",
  "cdbHost": "db-c89**-**.cdb.ntruss.com",
  "cdbPort": "3306",
  "cdbDatabase": "test_db"
}
```
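A pre-flight check for a secret value before it is entered, covering the size limit, the JSON key-value shape, the required properties per DBMS and the rotation target. This is an added example, not NAVER Cloud Platform code. The function name, the mapping of the table's property names onto the `cdb*` keys, and counting the limit in UTF-8 bytes are assumptions.

```python
import json

MAX_SECRET_BYTES = 10_000  # maximum secret value size stated on this page

# Required properties per DBMS (table above), written with the cdb* key names
# of the page's JSON example. Mapping the two onto each other is an assumption.
BASE = {"cdbHost", "cdbPort", "cdbUser", "cdbPassword"}
REQUIRED = {"MySQL": BASE, "MSSQL": BASE, "PostgreSQL": BASE | {"cdbDatabase"}}


def check_secret_value(raw: str, dbms: str, rotation_targets: set) -> list:
    """Return a list of problems; empty means OK. Messages name keys only,
    never values, so the result is safe to log."""
    problems = []
    size = len(raw.encode("utf-8"))  # assumption: the limit counts UTF-8 bytes
    if size > MAX_SECRET_BYTES:
        problems.append(f"value is {size} bytes, limit is {MAX_SECRET_BYTES}")
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        return problems + ["value is not valid JSON"]
    if not isinstance(value, dict):
        return problems + ["value must be a JSON object of key-value properties"]
    keys = set(value)
    missing = sorted(REQUIRED[dbms] - keys)
    if missing:
        problems.append("missing properties: " + ", ".join(missing))
    if not rotation_targets:
        problems.append("no rotation target set")
    unknown = sorted(set(rotation_targets) - keys)
    if unknown:
        problems.append("rotation targets not in value: " + ", ".join(unknown))
    return problems


# Constructed sample modelled on the page's example (placeholder host name).
SAMPLE = json.dumps({"cdbUser": "test", "cdbPassword": "test123",
                     "cdbHost": "db.example.invalid", "cdbPort": "3306"})
```

`check_secret_value(SAMPLE, "MySQL", {"cdbPassword"})` returns an empty list, while the same value checked as `"PostgreSQL"` reports the missing `cdbDatabase` property.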
Checking secret information
Check the secret list and secret type.
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- When the secret list appears, check the type and name of the secret, or click the secret to see the details.
- Secret name: Name of the secret. It is not duplicated.
- Status: Status of the secret. For more information, see Manage secret status.
- Secret ID: Unique identifier of the secret. Used as the secret designator for the API calls.
- Protection key (key tag): An encrypted key that protects a secret, managed for the purpose of encryption and decryption through Key Management Service.
  - Basic key (Secret Manager default key): The key that Secret Manager manages for users. This key is also managed by using Key Management Service; however, users cannot view or manage it directly.
  - User managed key: The key that the user creates and manages directly in Key Management Service. See the user managed key section in the Key Management Service concepts.
- Creation date: Date when the secret is created.
- Description: Additional information and description about the secret.
Secret value
A secret includes the security code used in the actual credential. This is classified as the secret value, and secret values are not exposed by default to minimize the unintended exposure of security codes. To check and edit secret values, follow these steps:
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- When the list of secrets appears, click the secret you want to see and check its details.
- Click the Secret value tab.
- Secret values are not displayed by default. To check the secret value, click See secret value.
- When you edit the secret value, click Save to apply changes.
Editing the secret value in Secret Manager does not guarantee the change of security passwords that are currently applied. For example, if the DB ID and password used in MySQL database resource are managed as secrets in Secret Manager, the password of the database is not changed, even though you edit the secret value in Secret Manager.
Secret chain
Secret Manager manages the secret value that is rotated while using the secret as an internal status called Stage, depending on the rotation history. The secret value being rotated is maintained in chronological order as the rotation stages progress, and this is defined as the Secret chain.

Based on the ACTIVE stage, which is the secret value currently in use normally, the secret value used right before the current one is maintained as the PREVIOUS stage, and the secret value used before the previous one is maintained as the SUSPENDED stage. Also, any new secret values created during the recent rotation are added as the PENDING stage until the rotation is completed. This process is defined as Chain Shifting.

As you can see from the secret chain shifting chart above, once the secret rotation is completed properly, the PENDING stage is maintained as blank. Normally, only the ACTIVE stage is used; however, PENDING or PREVIOUS stages may have to be applied depending on the progress of the rotation action. If you view a secret during the secret rotation process and the returned secret chain includes the PENDING stage, you can troubleshoot by retrying in the ACTIVE -> PENDING order.
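The chain shifting and the ACTIVE -> PENDING retry order described above, as an added example that is not part of the original guide and does not call the Secret Manager API. `SecretChain`, `login_with_chain` and `demo` are hypothetical names, the values are constructed placeholders, and dropping the value older than SUSPENDED is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Local model of the chain for illustration; this is not the Secret Manager API.
ACTIVE, PREVIOUS, SUSPENDED, PENDING = "ACTIVE", "PREVIOUS", "SUSPENDED", "PENDING"


@dataclass
class SecretChain:
    active: str
    previous: Optional[str] = None
    suspended: Optional[str] = None
    pending: Optional[str] = None

    def start_rotation(self, new_value: str) -> None:
        """The new value waits in PENDING until the rotation completes."""
        if self.pending is not None:
            raise RuntimeError("rotation already in progress")
        self.pending = new_value

    def complete_rotation(self) -> None:
        """Chain shifting: each value moves one stage older."""
        if self.pending is None:
            raise RuntimeError("no rotation in progress")
        # Assumption: the value that was SUSPENDED drops off the chain.
        self.suspended, self.previous = self.previous, self.active
        self.active, self.pending = self.pending, None

    def snapshot(self) -> dict:
        stages = {ACTIVE: self.active, PREVIOUS: self.previous,
                  SUSPENDED: self.suspended, PENDING: self.pending}
        return {k: v for k, v in stages.items() if v is not None}


def login_with_chain(chain: dict, try_login: Callable[[str], bool]) -> Optional[str]:
    """Try ACTIVE, then PENDING; return the stage that worked, or None."""
    for stage in (ACTIVE, PENDING):
        value = chain.get(stage)
        if value is not None and try_login(value):
            return stage
    return None


def demo() -> list:
    """Constructed case: the database already has the new password mid-rotation."""
    chain = SecretChain(active="pw-v2", previous="pw-v1")
    chain.start_rotation("pw-v3")
    accepts = lambda candidate: candidate == "pw-v3"  # stand-in for a DB login
    during = login_with_chain(chain.snapshot(), accepts)
    chain.complete_rotation()
    after = login_with_chain(chain.snapshot(), accepts)
    return [during, after, chain.snapshot()]
```

In the constructed case the login succeeds with the PENDING value while rotation is in progress and with the ACTIVE value once the chain has shifted.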
Checking usage logs
All access actions to secrets are saved in Cloud Log Analytics as logs. To check the secret usage history, follow these steps:
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- When the list of secrets appears, click the secret you want to see and check its details.
- Click the Check logs tab.
- Enter a search period or keyword to search logs.
Managing secret status
Secret status
Secret Manager manages secrets in a series of statuses, from their creation to deletion. The flow of secret status, defined as the so-called secret life cycle, is as follows:

Secrets are categorized into different states according to their life cycle: initial creation, available for use, temporarily suspended, rotation in progress, pending deletion, and final deletion. Each status of a secret is described as follows:
- Created: Once a secret is created, a unique identifier is granted, and the secret value is encrypted with the designated protection key and saved in the encrypted storage. After the creation stage is completed, the secret automatically switches to the available to use status.
- Available to use: It is a status where a secret is maintained normally and can be viewed or rotated. You can suspend it temporarily or request to delete it.
- Temporarily suspended: It is a status where a secret is temporarily suspended. Changing the protection key and viewing or editing the secret value are suspended. In this status, automatic rotation, which requires viewing and editing secret values, is not available either.
- Deletion request: It is a status where a deletion request has been made for a secret, and the secret will be deleted after pending for 7 days. If you want to delete a secret without the pending period, click the Delete immediately button to delete the secret instantly. Just as in the temporarily suspended status, changing the protection key, viewing or editing the secret value, and automatic rotation are not available in this status. However, you can cancel the deletion request before the final deletion, and the secret with a canceled deletion request is immediately switched to a temporarily suspended status.
- Deletion completed: It refers to a permanently deleted secret, and it is a status defined only in a theoretical state in Secret Manager. At the time of deletion, all related information, including the secret value, is deleted and cannot be recovered.
When deleting a secret, the Cloud Functions action created by the user for the rotation of secrets is not deleted.
Changing secret status
To change the secret status, follow these steps:
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- When the list of secrets appears, click the secret you want to see and check its details.
- Click Suspend using in order to change the status of an available secret.
- Click Resume using in order to change the status of a temporarily suspended secret.
Changing protection key
Secret values are encrypted and protected by designated protection keys. All protection keys are managed in Key Management Service. To change the secret protection key, follow these steps:
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- When the list of secrets appears, click the secret you want to see and check its details.
- Click the Edit button from the protection key item.
- Once the list of keys available to set appears, select the key you want to change and click Edit.
- If you want to select a user managed key, delegate the permission to encrypt and decrypt keys to Secret Manager.
- If you need to create a key, click the Key Management Service key creation button and use Key Management Service console to create a key.
- With a new update to the Region-isolated key feature in Key Management Service (KMS), secret integrations with Region-isolated keys in Secret Manager are now enabled.
- Secrets integrated with Global keys prior to this update can still be used, but Global keys can no longer be selected for new secret integrations.
- For more information, see Key Management Service overview
Secret rotation
In order to use secrets safely, you need to renew them periodically. As Secret Manager cannot change users' secrets arbitrarily, secret rotation is executed by a user-created action. By default, executing the secret rotation renews the property value of the secret set as the Rotation target. You can also change other values, but this is not recommended for smooth operation. It is generally recommended to designate only confidential values (such as passwords) that require renewal as the rotation targets. Also, Cloud Functions triggers must be registered to execute the rotation action. For more information about creating a secret rotation trigger, see Cloud Functions - Secret Manager Type Trigger.
For more information about secret rotation process and action definition, see the Secret rotation page.
Set secret rotation
To set the secret rotation, follow these steps:
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- When the list of secrets appears, click the secret you want to see and check its details.
- You can execute the rotation action periodically by enabling the Automatic rotation button in the rotation information section. (To enable the automatic rotation, a trigger must be registered)
- When the automatic rotation is enabled, the automatic rotation cycle is set to 90 days by default. You can change the rotation period by clicking the Edit button in the Automatic rotation cycle item.
- You can change the mapped triggers by clicking the Edit button in the Trigger item. However, you cannot change trigger mapping while rotation is in progress.
- In the Progress status item, the previous rotation execution information is displayed.
Execute secret rotation
The rotation of secrets for which the automatic rotation feature is enabled will be executed automatically, but you can also execute it manually at once.
Manual rotation execution does not affect the next schedule of the automatic rotation cycle.
To execute the secret rotation, follow these steps:
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- When the list of secrets appears, click the secret you want to see and check its details.
- Click the Execute rotation button in the rotation information section, and the trigger will be executed.
Retry, cancel, and rollback secret rotation
Whether the secret rotation process is completed is determined depending on the secret rotation process strategy. If you do not receive the Complete Rotation, the last completion stage of the secret rotation process, the rotation action is considered failed.

The secret rotation statuses and their features are as follows:
- Normal: In the Normal status, you can execute the next rotation. Once the rotation is completed, the existing secret is renewed to a new value, and its existing ACTIVE stage turns to PREVIOUS stage. You can reverse PREVIOUS, the secret that was used previously, to ACTIVE again through Rollback.
- Rotation in progress: It is a status where the rotation completion has not been notified yet once the rotation event has occurred and the trigger was executed.
- Rotation failed: The status changes to Rotation failed when the rotation action is not properly completed. In this case, you can execute the Retry or Cancel action.
Rollback only changes the secret chains in Secret Manager, and the value of the secrets managed by Secret Manager and the actual secrets applied to the service using it may differ from each other. Likewise, action cancellation means stopping tracking of the secret rotation action in Secret Manager immediately, and it does not check whether the action is actually executed or the result of the secret rotation anymore. In sum, the secret value and the actually applied secrets may differ. You need to execute rollback and action cancellation only when it is absolutely necessary for efficient operation.
Deleting secret
To permanently delete a secret, follow these steps:
- In the VPC environment of the NAVER Cloud Platform console, navigate to Services > Security > Secret Manager > Secret.
- When the list of secrets appears, click the secret you want to see and check its details.
- Click the Deletion request button to request a secret deletion.
- Enter the secret name and confirm the deletion of the secret.
- Once the deletion request is made, the secret will be finally deleted after 7 days. If you want to completely delete the secret immediately, click the Delete now button to delete the secret instantly without deletion pending.
Be careful when you delete a secret, as the deleted secrets cannot be recovered.