- The ephemeral policy can only be applied to a secret at creation, and cannot be removed once applied.
- If applied to a secret, all its versions inherit their settings from the policy.
Concepts
Disabling a version
Disabling a version is the action of temporarily revoking access to the data contained within a specific version. This prevents any users and applications from accessing your data.
Enabling a version
Enabling a version is the action of making the data contained within the version accessible for retrieval by authorized users and applications. This allows you to manage access to your data and control which versions are accessible, at any time.
Ephemerality properties
When applying an ephemeral policy to your secret, you must define at least one ephemerality property:
- Single access: allows you to set your secret versions to expire after one single access.
- Time to Live: allows you to set a time frame of up to one year, during which your secret versions are valid and accessible.
Ephemeral policy
An ephemeral policy is a statement that defines the lifetime of a secret and its versions, using either the Single access or the Time to Live ephemerality properties. The ephemeral policy also allows you to decide whether to disable or delete your secret’s versions, once the versions have expired.
Ephemeral secret
An ephemeral secret is a secret that has a limited lifetime, enforced by an ephemeral policy. All the secret’s versions automatically inherit their settings from those of the current ephemeral policy.
Path
A path refers to the directory structure to access your secrets and their versions. Each path is prefixed with a slash.
For example, if you create a secret my-secret
within the path /my-path
, your secret can be accessed at the /my-path/my-secret
path.
- A path can only contain names of 1 to 255 alphanumeric characters, dots, underscores, and dashes.
- If you leave the path name field empty when creating your secrets, the default path will be
/
. Your secrets and versions will be stored under the/
path.
PEM
A PEM or Privacy Enhanced Mail file is a security certificate file used to establish a secure communication channel between a web server and a browser. It is encoded in Base64 and may contain a private key, a server certificate and/or a combination of other certificates.
Region
A region is the geographical area in which your secrets, and versions are stored and run. They are duplicated on all Availability Zones of the selected region (Paris, Amsterdam, or Warsaw).
Secret Manager allows you to select your resources by region. This allows you to better sort through your resources, if you have created them in different regions but with the same name, for example.
Secret
Secrets are logical containers made up of zero or more immutable versions, that hold sensitive data. Upon creation, you can choose between 6 secret types. The default secret type is the opaque
one.
The secret versions must be of the same type as the secret.
Secret Manager
Secret Manager is a solution that provides a centralized location where your secrets can be stored and accessed. Its primary purpose is to securely store secrets, thus eliminating the need for developers to hard code sensitive information in applications or configuration files.
With Secret Manager, you can also share sensitive data such as passwords, API keys, and certificates.
Scaleway’s Secret Manager can be managed using APIs and the Scaleway CLI, which allow authorized applications or services to retrieve secrets securely. This enables you to automate a deployment by fetching your passwords stored on Secret Manager through the API, and storing them in your environment variables, which will then be used by your application.
Secret protection
Secret protection is a feature that prevents the deletion of your secrets. Users holding the SecretManagerFullAccess
, SecretManagerSecretWrite
, and AllProductsFullAccess
permission sets can enable it, ensuring that although your secrets can be accessed and modified, they remain impossible to delete.
This ensures the protection of critical information against accidental deletion while maintaining secret management flexibility.
Although a protected secret cannot be deleted, its versions can.
Secret types
Secret types refer to the different kinds of sensitive data you can store with Secret Manager. Using secret types guarantees that all mandatory fields are present, facilitates the application of specific policies, and enhances integration with other products. The following secret types are available:
-
Opaque: this secret type is used for storing any kind of sensitive data. By default, secrets are opaque.
-
Database credentials: this secret type is used to securely store and manage the credentials required for accessing a database. These credentials include a username, a password, and other relevant information such as the engine, the host, the database name, and port.
-
SSH key: this secret type is used to store and manage SSH keys, which are used for authenticating and establishing secure connections between clients and servers over the SSH (Secure Shell) protocol. SSH keys are a pair of cryptographic keys – a private key and a public key – used to authenticate a user or service without requiring a password. With Secret Manager, only your SSH key’s private key is required.
-
SSL/TLS certificate: this secret type is used to store and manage SSL/TLS certificates, which are used to establish secure, encrypted connections between clients and servers over the internet.
-
Key/value: this secret type is used to store and manage secrets in a simple dictionary-like structure, where each secret is represented as a key-value pair.
-
Username/password: this secret type is used for authentication purposes. It typically includes two pieces of information: a username and a corresponding password. These credentials are used to authenticate a user or service to access a particular system, application, or resource.
Upon secret creation, you must choose a secret type that will also be applied to the secret version. All the secret’s subsequent versions must be of the same type.
Tag
Tags allow you to organize your secrets. This gives you the possibility of sorting and filtering your secrets in any organizational pattern of your choice, which in turn helps you arrange, control, and monitor your secrets.
Version
Versions store the data contained in your secret (API keys, passwords, or certificates). Versions can be enabled or disabled depending on your usage. Versions must be of the same type as the secret they belong to.