Known issues and limits
IBM Cloud® Secrets Manager includes the following known issues and limits that might impact your experience.
Known issues
Review the following known issues that you might encounter as you use Secrets Manager.
Issue | Workaround |
---|---|
Multiple secrets of the same type can't be created with the same name. | It is not possible to create more than one secret of the same type with the same name. This limitation applies at the instance level. To organize similar secrets of the same type across multiple secret groups in your instance, try adding a prefix or suffix to the names of those secrets. |
Secrets can't be transferred between secret groups. | If you accidentally assign a secret to the wrong secret group, or if you don't want a secret to belong to the default secret group, you must delete the secret and create a new one. |
API keys that are associated with an IAM secret aren't valid immediately after they are generated. | If you have automation in place that calls the Secrets Manager API to get the API key for an IAM secret, add a wait delay of 2 seconds to allow the new API key to be recognized by IAM. |
IAM credentials with a time-to-live (TTL) don't immediately expire. | After a secret with a TTL reaches the end of its lease duration, expect a tolerance of 1 - 2 minutes before the secret's associated service ID is deleted by IAM. |
Users that have Writer or Manager service access that is scoped to secret groups are unable to create some types of secrets when they use the Secrets Manager UI. | If you have Viewer platform access and Writer or Manager service access that is scoped to a Secrets Manager service secret group, it might not be possible to create secrets in the Secrets Manager dashboard that require an engine configuration, for example, IAM credentials, public certificates, or private certificates. As a workaround, you can use the Secrets Manager CLI plug-in, APIs, or SDKs to manage those secret types. |
Community plug-ins for Vault are not supported. | It is not possible to integrate a community plug-in for Vault with Secrets Manager, unless it is written against a secrets engine that Secrets Manager supports. |
When you delete an instance of the service, your API keys are not deleted from IAM. | If you have a service ID or API key that was generated by the IAM credentials secret engine and delete your instance of Secrets Manager, you must also delete the secret from IAM. |
IAM Custom Roles are not supported when you use the Vault API. | IAM Custom Roles are fully supported when you use the Secrets Manager service API. |
Limits
Consider the following service limits as you use Secrets Manager.
Account limits
The following limits apply per IBM Cloud account.
Resource | Limit |
---|---|
Secrets Manager service instances | Trial plan: 1 per IBM Cloud account at any time Standard plan: No limit on number of instances per account |
Instance limits
The following limits apply to Secrets Manager service instances.
Resource | Limit |
---|---|
Configurations for secrets engines |
Public certificates engine:
Private certificates engine:
Custom credentials engine:
|
Secret groups | 200 per instance |
Total secrets | No limit per instance |
Resource limits
Review the following table to understand the limits that apply to secrets of different types.
Limits for secret groups
The following limits apply to secret groups.
Attribute | Limit |
---|---|
Name | 2 - 64 characters |
Description | 2 - 1024 characters |
Labels | 2 - 64 characters
30 labels per secret group |
Total secrets | – |
Limits for arbitrary secrets
The following limits apply to arbitrary secrets.
Attribute | Limit |
---|---|
Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
Description | 2 - 1024 characters |
Secret value / payload | 1 MB |
Labels | 2 - 64 characters
30 labels per secret |
Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
Locks | 1000 |
Custom metadata | 10 KB |
Version custom metadata | 10 KB |
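Automation that creates secrets benefits from checking the limits in the table above before calling the service, so a request that would be rejected fails fast with a clear message. The following pre-flight validator is an added example written for this page, not code from IBM or the Secrets Manager SDK; the limit values are taken from the arbitrary-secrets table, and the function and parameter names are assumptions.

```python
import json
import re

# Limits for arbitrary secrets, as listed on this page.
NAME_LEN = (2, 256)
DESCRIPTION_LEN = (2, 1024)
LABEL_LEN = (2, 64)
MAX_LABELS = 30
MAX_PAYLOAD_BYTES = 1024 * 1024        # 1 MB
MAX_CUSTOM_METADATA_BYTES = 10 * 1024  # 10 KB
# Only alphanumerics, dashes and dots; must start and end with an alphanumeric.
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def _in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def validate_arbitrary_secret(name, payload, description=None, labels=(), custom_metadata=None):
    """Return a list of limit violations; an empty list means the request is within limits."""
    problems = []
    if not _in_range(len(name), NAME_LEN):
        problems.append(f"name length {len(name)} is outside {NAME_LEN[0]}-{NAME_LEN[1]}")
    if not NAME_RE.fullmatch(name):
        problems.append("name may contain only alphanumerics, dashes and dots, "
                        "and must start and end with an alphanumeric character")
    if description is not None and not _in_range(len(description), DESCRIPTION_LEN):
        problems.append(f"description length {len(description)} is outside "
                        f"{DESCRIPTION_LEN[0]}-{DESCRIPTION_LEN[1]}")
    # Size limit is on bytes, so measure the UTF-8 encoding of a text payload.
    payload_bytes = payload.encode("utf-8") if isinstance(payload, str) else bytes(payload)
    if len(payload_bytes) > MAX_PAYLOAD_BYTES:
        problems.append(f"payload is {len(payload_bytes)} bytes, limit is {MAX_PAYLOAD_BYTES}")
    if len(labels) > MAX_LABELS:
        problems.append(f"{len(labels)} labels given, limit is {MAX_LABELS}")
    for label in labels:
        if not _in_range(len(label), LABEL_LEN):
            problems.append(f"label {label!r} length is outside {LABEL_LEN[0]}-{LABEL_LEN[1]}")
    if custom_metadata is not None:
        meta_bytes = len(json.dumps(custom_metadata).encode("utf-8"))
        if meta_bytes > MAX_CUSTOM_METADATA_BYTES:
            problems.append(f"custom metadata is {meta_bytes} bytes, limit is {MAX_CUSTOM_METADATA_BYTES}")
    return problems


if __name__ == "__main__":
    # Constructed sample input: one secret within limits, one with a bad name.
    print(validate_arbitrary_secret("db-password.prod", "hunter2", labels=["env-prod"]))
    print(validate_arbitrary_secret("-db_password", "hunter2"))
```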
Limits for IAM credentials
The following limits apply to IAM credentials.
Attribute | Limit |
---|---|
Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
Description | 2 - 1024 characters |
Access groups | 1 - 10 groups |
Labels | 2 - 64 characters
30 labels per secret |
Time-to-live (TTL) / lease duration | Minimum duration is 1 minute. Maximum is 90 days. |
Versions | 2 versions per secret (current and previous)
A secret version can be retrieved, rotated, or restored only if the defined time-to-live (TTL) or lease duration wasn't reached. For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
Locks | 1000 |
Custom metadata | 10 KB |
Version custom metadata | 10 KB |
Limits for key-value secrets
The following limits apply to key-value secrets.
Attribute | Limit |
---|---|
Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
Description | 2 - 1024 characters |
Secret value / payload | 512 KB |
Labels | 2 - 64 characters
30 labels per secret |
Locks | 1000 |
Custom metadata | 10 KB |
Version custom metadata | 10 KB |
Limits for SSL/TLS certificates
The following limits apply to imported, private, or public certificates.
Attribute | Limit |
---|---|
Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
Description | 2 - 1024 characters |
Certificate | 100 KB
Supported file type is |
Private key | 100 KB
Private key file is limited to PEM-formatted content. If provided, the private key must match the certificate that you are importing. Only unencrypted private keys are supported. |
Intermediate certificate | 100 KB
Supported file type is |
Labels | 2 - 364 characters
30 labels per secret |
Versions | 2 versions per certificate (current and previous)
For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
Locks | 1000 |
Custom metadata | 10 KB |
Version custom metadata | 10 KB |
Limits for user credentials
The following limits apply to user credentials.
Attribute | Limit |
---|---|
Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
Description | 2 - 1024 characters |
Username | 2 - 64 characters |
Password | 6 - 256 characters |
Labels | 2 - 64 characters
30 labels per secret |
Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
Locks | 1000 |
Custom metadata | 10 KB |
Version custom metadata | 10 KB |
Limits for service credentials
The following limits apply to service credentials.
Attribute | Limit |
---|---|
Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
Description | 2 - 1024 characters |
Labels | 2 - 64 characters
30 labels per secret |
Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
Locks | 1000 |
Custom metadata | 10 KB |
Version custom metadata | 10 KB |
Limits for custom credentials
The following limits apply to custom credentials.
Attribute | Limit |
---|---|
Name | 2 - 256 characters
The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
Description | 2 - 1024 characters |
Labels | 2 - 64 characters
30 labels per secret |
Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
Locks | 1000 |
Custom metadata | 10 KB |
Version custom metadata | 10 KB |
Issue | Workaround |
---|---|
There is a global one-to-one mapping of custom credentials configurations to a credentials provider Code Engine job. | Replicate your credentials provider job. |
A custom credentials configuration cannot be updated to reference a different credentials provider Code Engine job. | Create a new custom credentials configuration. |
A custom credentials configuration cannot be updated to change or remove a referenced IAM Credentials secret. | Create a new custom credentials configuration. |
A custom credentials configuration schema (parameters and credentials) is mapped to the credentials provider Code Engine job environment variables at Secrets Manager configuration creation time. | Create a new custom credentials configuration to accommodate updates to a credentials provider’s environment variables. |
Secrets Manager configures Code Engine jobs to immediately remove completed job runs to avoid Code Engine rate limits. | You can change the value of the job variable CE_REMOVE_COMPLETED_JOBS to a value such as ‘3d’ in the Code Engine UI to review completed job runs and their logs during development time. |
A Secrets Manager instance can be configured with up to 10 custom credentials configurations. | Create a new Secrets Manager instance. |
A custom credentials secret maintains a history of 100 tasks. | Refer to IBM Cloud Activity Tracker Event Routing in IBM Cloud Logs to review task history. |
Secrets Manager will apply daily retries for failed ‘delete credentials’ tasks for up to 10 days. | Monitor Event Notifications and logs for failed task events and periodically check your external credentials provider for stale or expired credentials. |
Secrets Manager’s secret tasks are throttled to avoid overloading Code Engine. Slowness may be experienced during operations that change custom credentials secret states when dealing with a large queue. | Design your workloads that consume custom credentials to expect possible delays until secrets are rotated. |
Secret lock mode remove_previous_and_delete is not supported. | Use lock mode remove_previous and call the delete secret version data API, specifying secret version id=previous. |
Avoid using personal identifiers (e.g., email addresses, social security numbers) or confidential data as input parameters and as credential IDs. Secrets Manager treats the input parameters and credential ID as metadata, not as sensitive secret data. | Use parameter type secret_id to pass a reference to a secret managed in Secrets Manager containing the confidential data. Then in the credentials provider job retrieve the secret to access its confidential data. |
Updates made to a secret's ttl and parameters fields are applied only to a new version of the secret. | Rotate the secret to create a new version so that the changes take effect. |
Deleting a Secrets Manager instance does not bulk delete the managed third-party credentials. | When you plan to permanently delete a Secrets Manager instance, first delete all of its secrets. |