Updating a Secret's Rules
Learn how to edit a rule for a secret stored in an OCI vault.
Replicated secrets are read-only. When you update the rules for a source secret, the replica is updated at the same time. See Replicating Secrets for more information.
- On the Secrets list page, find the secret that you want to work with. If you need help finding the list page, see Listing Secrets.
- Select the name of the secret to view its details page.
- Select the Secret Rules tab, then select Edit Rules.
- In the Edit Rule panel, edit the following:
  - Rule Type: You can specify Secret Reuse Rule or Secret Expiry Rule. At most, you can have one of each. If you already have one rule but want to add another, select + Another Rule.
  - Configuration (reuse rule only): When the secret reuse rule is applied to a secret, you can't reuse secret contents across different versions of the secret. You can either enforce the reuse rule for deleted secret versions, or you can allow the reuse of vault secret contents from deleted secret versions.
  - Version expiry interval (days) (expiry rule only): You can set how often you want secret contents to expire. Expiration of individual secret versions is represented by a period of 1 to 90 days that you can specify with the arrow buttons or by entering a number.
  - Secret absolute UTC time of expiry and Time (expiry rule only): Expiration of the secret itself is represented by an absolute time and date between 1 and 365 days from the current time and date. Specify this date by using the date picker. You can configure expiry values for both the secret version and the secret, or for only one of the two. (It's possible to clear the secret version expiry interval, but to set an absolute time to expire the secret you must delete the entire expiry rule and start over.)
  - Content retrieval (expiry rule only): Use this setting to allow or block the retrieval of secret contents after the secret has expired.
- To delete a rule, select the X next to the rule.
- Select Save Changes.
Use the oci vault secret update or oci vault secret update-base64 command and required parameters to edit a secret's configured rules:
oci vault secret update --secret-id <target_secret_id> --secret-rules <secret_rules_in_JSON_format>
For example:
oci vault secret update --secret-id ocid1.vaultsecret.oc1.iad.exampleaz5qacpqahuecvbjqzql4qmpbrtd7pprafhivcfik6wuitexample --secret-rules '[{"isEnforcedOnDeletedSecretVersions":"true","ruleType":"SECRET_REUSE_RULE"}]'
You can specify a secret reuse rule or a secret expiry rule. At most, you can have one of each rule type.
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
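As an added example (not Oracle's own code), the following Python helper builds and checks the --secret-rules JSON before it is handed to the CLI, enforcing the limits this page describes: at most one rule of each type, a version expiry interval of 1 to 90 days, and an absolute expiry 1 to 365 days from now. The expiry-rule field names (secretVersionExpiryInterval as an ISO 8601 duration, timeOfAbsoluteExpiry, isSecretContentRetrievalBlockedOnExpiry) are taken from the OCI SecretExpiryRule schema rather than from this page and should be checked against the API reference; booleans are emitted as JSON booleans rather than the quoted "true" shown in the CLI example above.

```python
import json
import shlex
from datetime import datetime, timedelta, timezone

# Added example, not OCI's own code. Expiry-rule field names follow the OCI Vault
# SecretExpiryRule schema (assumption); the numeric bounds are the ones on this page.

def days_from_now(days: int, now: datetime = None) -> datetime:
    """UTC timestamp `days` days ahead, standing in for the console's date picker."""
    return (now or datetime.now(timezone.utc)) + timedelta(days=days)

def reuse_rule(enforce_on_deleted_versions: bool) -> dict:
    """SECRET_REUSE_RULE: secret content cannot be reused across versions of the secret."""
    return {"ruleType": "SECRET_REUSE_RULE",
            "isEnforcedOnDeletedSecretVersions": enforce_on_deleted_versions}

def expiry_rule(version_interval_days: int = None, absolute_expiry: datetime = None,
                block_retrieval_after_expiry: bool = False, now: datetime = None) -> dict:
    """SECRET_EXPIRY_RULE with a version interval, an absolute expiry, or both."""
    if version_interval_days is None and absolute_expiry is None:
        raise ValueError("expiry rule needs a version interval, an absolute expiry, or both")
    rule = {"ruleType": "SECRET_EXPIRY_RULE",
            "isSecretContentRetrievalBlockedOnExpiry": block_retrieval_after_expiry}
    if version_interval_days is not None:
        if not 1 <= version_interval_days <= 90:
            raise ValueError("version expiry interval must be 1 to 90 days")
        rule["secretVersionExpiryInterval"] = f"P{version_interval_days}D"  # ISO 8601 duration
    if absolute_expiry is not None:
        delta = absolute_expiry - (now or datetime.now(timezone.utc))
        if not timedelta(days=1) <= delta <= timedelta(days=365):
            raise ValueError("absolute expiry must be 1 to 365 days from now")
        rule["timeOfAbsoluteExpiry"] = absolute_expiry.strftime("%Y-%m-%dT%H:%M:%SZ")
    return rule

def secret_rules_json(rules: list) -> str:
    """Serialize for --secret-rules; at most one rule of each type is allowed."""
    types = [r["ruleType"] for r in rules]
    if len(types) != len(set(types)):
        raise ValueError("at most one SECRET_REUSE_RULE and one SECRET_EXPIRY_RULE")
    return json.dumps(rules, separators=(",", ":"))

def update_command(secret_id: str, rules: list) -> str:
    """The oci vault secret update invocation, with the JSON shell-quoted."""
    return (f"oci vault secret update --secret-id {shlex.quote(secret_id)} "
            f"--secret-rules {shlex.quote(secret_rules_json(rules))}")

if __name__ == "__main__":
    rules = [reuse_rule(True), expiry_rule(30, days_from_now(180), block_retrieval_after_expiry=True)]
    print(update_command("<target_secret_id>", rules))  # placeholder OCID, as on the page
```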
Use the UpdateSecret API with the Management Endpoint to update the rules of a secret.
Note
The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.
The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.
You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.
For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.