| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2025-01-16 |
known issues for Secrets Manager, known limitations for Secrets Manager |
secrets-manager |
{:codeblock: .codeblock} {:screen: .screen} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:gif: data-image-type='gif'} {:important: .important} {:note: .note} {:pre: .pre} {:tip: .tip} {:preview: .preview} {:deprecated: .deprecated} {:beta: .beta} {:term: .term} {:shortdesc: .shortdesc} {:script: data-hd-video='script'} {:support: data-reuse='support'} {:table: .aria-labeledby="caption"} {:troubleshoot: data-hd-content-type='troubleshoot'} {:help: data-hd-content-type='help'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms} {:video: .video} {:step: data-tutorial-type='step'} {:tutorial: data-hd-content-type='tutorial'} {:api: .ph data-hd-interface='api'} {:cli: .ph data-hd-interface='cli'} {:ui: .ph data-hd-interface='ui'} {:terraform: .ph data-hd-interface="terraform"} {:curl: .ph data-hd-programlang='curl'} {:java: .ph data-hd-programlang='java'} {:ruby: .ph data-hd-programlang='ruby'} {:c#: .ph data-hd-programlang='c#'} {:objectc: .ph data-hd-programlang='Objective C'} {:python: .ph data-hd-programlang='python'} {:javascript: .ph data-hd-programlang='javascript'} {:php: .ph data-hd-programlang='PHP'} {:swift: .ph data-hd-programlang='swift'} {:curl: .ph data-hd-programlang='curl'} {:dotnet-standard: .ph data-hd-programlang='dotnet-standard'} {:go: .ph data-hd-programlang='go'} {:unity: .ph data-hd-programlang='unity'} {:release-note: data-hd-content-type='release-note'}
{: #known-issues-and-limits}
{{site.data.keyword.secrets-manager_full}} includes the following known issues and limits that might impact your experience. {: shortdesc}
{: #issues-and-limitations}
Review the following known issues that you might encounter as you use {{site.data.keyword.secrets-manager_short}}.
| Issue | Workaround |
|---|---|
| Multiple secrets of the same type can't be created with the same name. | It is not possible to create more than one secret of the same type with the same name. This limitation applies at the instance level. To organize similar secrets of the same type across multiple secret groups in your instance, try adding a prefix or suffix to the names of those secrets. |
| Secrets can't be transferred between secret groups. | If you accidentally assign a secret to the wrong secret group, or if you don't want a secret to belong to the default secret group, you must delete the secret and create a new one. |
| API keys that are associated with an IAM secret aren't valid immediately after they are generated. | If you have automation in place that calls the {{site.data.keyword.secrets-manager_short}} API to get the API key for an IAM secret, add a wait delay of 2 seconds to allow the new API key to be recognized by IAM. |
| IAM credentials with a time-to-live (TTL) don't immediately expire. | After a secret with a TTL reaches the end of its lease duration, expect a tolerance of 1 - 2 minutes before the secret's associated service ID is deleted by IAM. |
| Users that have Writer or Manager service access that is scoped to secret groups are unable to create some types of secrets when they use the {{site.data.keyword.secrets-manager_short}} UI. | If you have Viewer platform access and Writer or Manager service access that is scoped to a {{site.data.keyword.secrets-manager_short}} service secret group, it might not be possible to create secrets in the {{site.data.keyword.secrets-manager_short}} dashboard that require an engine configuration, for example, IAM credentials, public certificates, or private certificates. As a workaround, you can use the {{site.data.keyword.secrets-manager_short}} CLI plug-in, APIs, or SDKs to manage those secret types. |
| Community plug-ins for Vault are not supported. | It is not possible to integrate a community plug-in for Vault with {{site.data.keyword.secrets-manager_short}}, unless it is written against a secrets engine that {{site.data.keyword.secrets-manager_short}} supports. To manage {{site.data.keyword.cloud_notm}} secrets by using the full Vault native experience, use the stand-alone {{site.data.keyword.cloud_notm}} plug-ins for Vault. |
| When you delete an instance of the service, your API keys are not deleted from IAM. | If you have a service ID or API key that was generated by the IAM credentials secret engine and delete your instance of {{site.data.keyword.secrets-manager_short}}, you must also delete the secret from IAM. |
| IAM Custom Roles are not supported when using Vault API. | Using IAM Custom Roles is fully supported when using the {{site.data.keyword.secrets-manager_short}} service API. |
| {: caption="Known issues and limitations that apply to the {{site.data.keyword.secrets-manager_short}} service" caption-side="top"} |
{: #limits}
Consider the following service limits as you use {{site.data.keyword.secrets-manager_short}}.
{: #general-limits}
The following limits apply per {{site.data.keyword.cloud_notm}} account.
| Resource | Limit |
|---|---|
| {{site.data.keyword.secrets-manager_short}} service instances | Trial plan: 1 per {{site.data.keyword.cloud_notm}} account at any time \nStandard plan: No limit on number of instances per account |
| {: caption="{{site.data.keyword.secrets-manager_short}} limits per account" caption-side="top"} |
{: #instance-limits}
The following limits apply to {{site.data.keyword.secrets-manager_short}} service instances.
| Resource | Limit |
|---|---|
| Configurations for secrets engines | Public certificates engine: \n - 10 third-party CA configurations \n - 10 DNS provider configurations \n - 10 certificate templates \n \n Private certificates engine: \n - 10 root certificate authorities \n - 10 intermediate certificate authorities \n - 10 certificate templates |
| Secret groups | 200 per instance |
| Total secrets | No limit per instance |
| {: caption="{{site.data.keyword.secrets-manager_short}} limits per instance" caption-side="top"} |
{: #secret-limits}
Review the following table to understand the limits that apply to secrets of different types.
{: #secret-group-limits}
The following limits apply to secret groups.
| Attribute | Limit |
|---|---|
| Name | 2 - 64 characters |
| Description | 2 - 1024 characters |
| Labels | 2 - 64 characters \n \n 30 labels per secret group |
| Total secrets | – |
| {: caption="Secret group limits" caption-side="top"} |
{: #arbitrary-secret-limits}
The following limits apply to arbitrary secrets.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters \n \n The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Secret value / payload | 1 MB |
| Labels | 2 - 64 characters \n \n 30 labels per secret |
| Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
| {: caption="Arbitrary secret limits" caption-side="top"} |
{: #iam-credential-limits}
The following limits apply to IAM credentials.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters \n \n The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Access groups | 1 - 10 groups |
| Labels | 2 - 64 characters \n \n 30 labels per secret |
| Time-to-live (TTL) / lease duration | Minimum duration is 1 minute. Maximum is 90 days. |
| Versions | 2 versions per secret (current and previous) \n \n A secret version can be retrieved, rotated, or restored only if the defined time-to-live (TTL) or lease duration wasn't reached. For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
| {: caption="IAM credential limits" caption-side="top"} |
{: #key-value-limits}
The following limits apply to key-value secrets.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters \n \n The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Secret value / payload | 512 KB |
| Labels | 2 - 64 characters \n \n 30 labels per secret |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
| {: caption="Key-value limits" caption-side="top"} |
{: #certificates-limits}
The following limits apply to imported, private, or public certificates.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters \n \n The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Certificate | 100 KB \n \n Supported file type is .pem. The certificate must be a valid, X.509-based certificate. |
| Private key | 100 KB \n \n Private key file is limited to PEM-formatted content. If provided, the private key must match the certificate that you are importing. Only unencrypted private keys are supported. |
| Intermediate certificate | 100 KB \n \n Supported file type is .pem. If provided, the intermediate certificate must be a valid, X.509-based certificate. |
| Labels | 2 - 364characters \n \n 30 labels per secret |
| Versions | 2 versions per certificate (current and previous) \n \nFor auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
| {: caption="TLS certificate limits" caption-side="top"} |
{: #user-credential-limits}
The following limits apply to user credentials.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters \n \n The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Username | 2 - 64 characters |
| Password | 6 - 256 characters |
| Labels | 2 - 64 characters \n \n 30 labels per secret |
| Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
| {: caption="User credential limits" caption-side="top"} |
{: #service-credential-limits}
The following limits apply to service credentials.
| Attribute | Limit |
|---|---|
| Name | 2 - 256 characters \n \n The name of the secret can contain only alphanumeric characters, dashes, and dots. It must start and end with an alphanumeric character. |
| Description | 2 - 1024 characters |
| Labels | 2 - 64 characters \n \n 30 labels per secret |
| Versions | For auditing purposes, the service retains the metadata of up to 50 versions for each secret, which you can review as part of a secret's version history. |
| Locks | 1000 |
| Custom metadata | 10 KB |
| Version custom metadata | 10 KB |
| {: caption="Service credential limits" caption-side="top"} |