Creating a Secret in a Vault

Create a secret in a vault. Secrets are credentials such as passwords, certificates, SSH keys, or authentication tokens that you use with Oracle Cloud Infrastructure services.

    1. Open the navigation menu, click Identity & Security, and then click Vault.
    2. Under List scope, select the compartment in which you want to create a secret.
    3. Click the name of the vault in which you want to create a secret. If you need to create a new vault for the secret, follow the instructions in the Create a Vault topic, and then click the name of the vault.

    4. Under Resources, click Secrets and then click Create Secret.
    5. In the Create Secret panel, provide the following details:
      • Enter a name to identify the secret. Avoid entering any confidential information.
      • Enter a brief description of the secret to help identify it. Avoid entering any confidential information.
      • Select the master encryption key that you want to use to encrypt the secret contents while they're imported to the vault. (The key must belong to the same vault. The key must also be a symmetric key. You cannot encrypt vault secrets with asymmetric keys.)
      • In Secret Type Template, specify the format of the secret contents that you're providing by selecting a template. You can provide secret contents in plain text when you use the Console to create a vault secret or vault secret version, but secret contents must be base64-encoded before they're sent to the service. The Console automatically encodes plain-text secret contents for you.
      • In Secret Contents, enter the contents of the secret. (The maximum allowable size for a secret bundle is 25 KB.)
      • To apply a rule to manage how vault secrets are used, click Show advanced options and then provide the following values on the Rules tab. You can either create a rule regarding the reuse of secret contents across versions of a secret, or you can create a rule specifying when the secret contents expire. For more information about rules, see Secret Rules.
        • Rule Type: Select Secret Reuse Rule or Secret Expiry Rule. At most, you can have one of each. If you already have one rule but want to add another, click + Another Rule.
        • Configuration (for reuse rule): Select whether to enforce the reuse rule so that it applies even to deleted secret versions, or to allow reuse of secret contents from deleted secret versions.
        • Configuration (for expiry rule): Set how frequently you want secret contents to expire and what you want to happen when the secret or secret version expires. Expiration of individual secret versions is represented by a period of 1 to 90 days that you can specify by using the arrow buttons or by entering a number. Expiration of the secret itself is represented by an absolute time and date between 1 and 365 days from the current time and date. Specify this date by using the date picker. You can configure expiry values for both the secret version and the secret, or for just one of the two. (It's possible to clear the secret version expiry interval, but you must delete the entire expiry rule and start over if you want to set an absolute time to expire the secret.)

      • Optionally, to apply tags to the secret, click the Tagging tab. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
    6. Click Create Secret.
  • Note

    You must specify a symmetric key to encrypt the secret during import to the vault. You can't encrypt secrets with asymmetric keys. Furthermore, the key must exist in the vault that you specify.

    oci vault secret create-base64 --compartment-id <target_compartment_id> --secret-name <secret_name> --vault-id <target_vault_id> --description <secret_description_text> --key-id <encryption_key_id> --secret-content-content <base64_encoded_secret_content> --secret-content-name <unique_content_name> --secret-content-stage <secret_version_rotation_state>

    For example:

    
    oci vault secret create-base64 --compartment-id ocid1.compartment.oc1..example1example25qrlpo4agcmothkbgqgmuz2zzum45ibplooqtabwk3zz --secret-name testSecret --vault-id ocid1.vault.oc1.iad.exampleyaaeuk.examplesuxtdqxczlvygwk4ouq2mhzr223g4o2ojs4o4q4ghmt6rlexample --description "this is a test secret" --key-id ocid1.key.oc1.iad.exampleyaaeuk.abuwcvbrswr2nbvrraqomsmhopc74rlqupwyv3byhikd4577rrky7example --secret-content-content bXlwYXNzd29yZA== --secret-content-name testpassword1 --secret-content-stage CURRENT

    Avoid entering confidential information.

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.
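An added example, not part of the Oracle page: a POSIX shell wrapper around the CLI command above that enforces the 25 KB bundle limit, base64-encodes the secret contents read from a file, and passes them to `oci vault secret create-base64` with the same flags as the page's example. The COMPARTMENT_OCID, VAULT_OCID and KEY_OCID variables and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Oracle's code: prepare a secret file for
# `oci vault secret create-base64`. Enforces the 25 KB bundle limit the
# page states, base64-encodes the contents on one line (the service
# requires base64 input), and calls the CLI with the same flags as the
# page's example. COMPARTMENT_OCID, VAULT_OCID and KEY_OCID are assumed
# environment variables; set DRY_RUN=1 to print the command instead.
set -eu

MAX_BUNDLE_BYTES=$((25 * 1024))   # "maximum allowable size for a secret bundle is 25 KB"

# Byte size of a file; tr strips the padding that BSD wc adds.
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Succeeds only when the file fits within the bundle limit.
check_secret_size() {
    [ "$(file_size_bytes "$1")" -le "$MAX_BUNDLE_BYTES" ]
}

# Single-line base64 (GNU `base64 -w0` is not portable, so strip newlines).
encode_secret_file() {
    base64 < "$1" | tr -d '\n'
}

# run_create <secret-file> <secret-name> <content-name>
# KEY_OCID must name a symmetric key in the same vault, as the page's Note says.
run_create() {
    check_secret_size "$1" || {
        echo "refusing: $1 exceeds ${MAX_BUNDLE_BYTES} bytes" >&2
        return 1
    }
    ${DRY_RUN:+echo} oci vault secret create-base64 \
        --compartment-id "${COMPARTMENT_OCID:?set COMPARTMENT_OCID}" \
        --secret-name "$2" \
        --vault-id "${VAULT_OCID:?set VAULT_OCID}" \
        --key-id "${KEY_OCID:?set KEY_OCID}" \
        --secret-content-content "$(encode_secret_file "$1")" \
        --secret-content-name "$3" \
        --secret-content-stage CURRENT
}

# Usage: ./create_secret.sh /path/to/secret.txt testSecret testpassword1
if [ "$#" -eq 3 ]; then
    run_create "$1" "$2" "$3"
fi
```

Base64 is encoding, not encryption: the encoded value still appears in the process argument list, so restrict the secret file's permissions and treat the wrapper's output as sensitive.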

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.