Key Concepts
This section describes the core components and policies that make up the KakaoCloud Secrets Manager service. Understanding these concepts will help you use Secrets Manager more effectively.
Secret
The most basic resource unit stored and managed in the Secrets Manager service. A secret acts as a container for sensitive information such as database credentials, API keys, or plain text. It consists of a unique name (ARN), metadata, and multiple versions of values.
Secret version
A unique data unit created each time the value of a secret is updated. Every version has a unique ID, and Secrets Manager designates the latest version as the default version to be used as the currently active value.
Secret state
A secret can have multiple versions, and each version has its own state. Whether the secret as a whole is usable depends on the states of its versions.
| State | Description |
|---|---|
| Active | The version is active. This is the only state in which encryption and decryption can be performed. New versions are created in the active state and set as the default version. |
| Deactivated | The version is deactivated, temporarily suspending its use. Use this state when suspicious activity is detected or when applications must be temporarily suspended. If all versions are deactivated or destroyed, the secret is automatically deactivated. Deactivation is not permanent; a deactivated version can be switched back to active at any time. |
| Destroyed | The version is permanently deleted and cannot be recovered. Once all versions of a secret are destroyed, the secret itself can be permanently deleted. |
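The version lifecycle above is easiest to reason about as a small state machine. The following is an added illustration, not KakaoCloud code or its API: it models a secret holding versions that move between active, deactivated and destroyed, enforces that only active versions can be read (decrypted), derives the secret's own availability from its versions, and only allows deletion once every version is destroyed. Names such as `Secret`, `Version` and the `v1`, `v2` identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    DESTROYED = "destroyed"


@dataclass
class Version:
    version_id: str
    value: Optional[str]          # stands in for the encrypted payload
    state: State = State.ACTIVE   # new versions start active


@dataclass
class Secret:
    name: str                                   # constructed stand-in for the ARN
    versions: Dict[str, Version] = field(default_factory=dict)
    default_version_id: Optional[str] = None
    _counter: int = 0

    def add_version(self, value: str) -> str:
        # A new version is created active and becomes the default version.
        self._counter += 1
        vid = f"v{self._counter}"                # constructed id scheme
        self.versions[vid] = Version(vid, value)
        self.default_version_id = vid
        return vid

    def _live(self, vid: str) -> Version:
        v = self.versions[vid]
        if v.state is State.DESTROYED:
            raise ValueError(f"{vid} is destroyed and cannot be recovered")
        return v

    def deactivate(self, vid: str) -> None:
        # Temporary suspension, e.g. after suspicious activity; reversible.
        self._live(vid).state = State.DEACTIVATED

    def activate(self, vid: str) -> None:
        # Deactivation is not permanent: switch back to active at any time.
        self._live(vid).state = State.ACTIVE

    def destroy(self, vid: str) -> None:
        # Permanent: the value is dropped and the state can never change again.
        v = self._live(vid)
        v.state = State.DESTROYED
        v.value = None

    def read(self, vid: Optional[str] = None) -> str:
        # Decryption is only possible for an active version; the default
        # version is used when none is named (assumption: the default id is not
        # moved automatically when that version is deactivated).
        vid = vid or self.default_version_id
        if vid is None:
            raise LookupError("secret has no versions")
        v = self.versions[vid]
        if v.state is not State.ACTIVE:
            raise PermissionError(f"{vid} is {v.state.value}; only active versions can be read")
        return v.value

    def is_active(self) -> bool:
        # The secret is automatically deactivated once no version is active.
        return any(v.state is State.ACTIVE for v in self.versions.values())

    def can_delete(self) -> bool:
        # The secret itself may be permanently deleted only when all versions
        # are destroyed.
        return bool(self.versions) and all(
            v.state is State.DESTROYED for v in self.versions.values())
```

A practical takeaway from running this model: deactivating the current default version blocks reads through the default path even though older active versions still exist, so a rotation procedure should either activate a replacement first or name the version explicitly.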
Access control
You can strengthen secret security by using access control.
The secret creator, as owner, keeps access and management permissions for the secrets they created for as long as their IAM role is maintained.
- Enabled: You can configure allowed subjects. Configurable subjects include users, groups, service accounts, and service agent accounts in the same project. Actual permissions follow their IAM roles.
- Disabled: Subjects with the IAM role required to use the secret can access the secret.
Roles
The Secrets Manager service uses a Role-Based Access Control (RBAC) model to securely and systematically manage access permissions for secret resources. IAM assigns roles to users to restrict them to only the allowed operations.
Secrets Manager Viewer
Has permission to view resources in a project, including secret lists, states, and version information. However, this role cannot view secret values or perform cryptographic or management tasks such as creating secrets or changing states.
- To view KMS key information, the KMS Viewer role or higher is also required.
Secrets Manager Manager
Includes the view permissions of the Viewer role and can perform Secrets Manager management tasks in a project, such as creating, modifying, and deleting secrets and updating secret values.
- To encrypt and decrypt secrets using KMS keys, such as when creating secrets, changing KMS keys, creating versions, or viewing secret values, the KMS User role or higher is also required.
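The access-control and role sections above combine two checks: the optional allowed-subject list on a secret, and the IAM roles that govern which operations a subject may perform, with KMS roles layered on top for anything that touches the key. The following added example, not KakaoCloud's code or API, models that decision as a single `authorize` function. The role names are those on the page; the numeric ranks, the `Subject`/`SecretPolicy` types, the action names, and the treatment of the owner as implicitly allowed when access control is enabled are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple

# Role names from the page. Ranks are a constructed assumption so that
# "KMS User role or higher" can be expressed as a comparison.
SM_VIEWER, SM_MANAGER = "Secrets Manager Viewer", "Secrets Manager Manager"
KMS_VIEWER, KMS_USER = "KMS Viewer", "KMS User"
SM_RANK = {SM_VIEWER: 1, SM_MANAGER: 2}
KMS_RANK = {KMS_VIEWER: 1, KMS_USER: 2}

# action -> (minimum Secrets Manager rank, minimum KMS rank; 0 = no KMS role needed)
REQUIREMENTS = {
    "list_secrets": (1, 0),
    "view_state": (1, 0),
    "view_versions": (1, 0),
    "view_kms_key_info": (1, 1),    # needs KMS Viewer or higher
    "create_secret": (2, 2),        # encrypts with the KMS key
    "change_kms_key": (2, 2),
    "create_version": (2, 2),
    "view_secret_value": (2, 2),    # decrypts with the KMS key
    "change_state": (2, 0),
    "delete_secret": (2, 0),
}


@dataclass(frozen=True)
class Subject:
    name: str
    project: str
    roles: FrozenSet[str]


@dataclass
class SecretPolicy:
    owner: str
    project: str
    access_control_enabled: bool = False
    allowed_subjects: Set[str] = field(default_factory=set)


def sm_rank(subject: Subject) -> int:
    return max((SM_RANK.get(r, 0) for r in subject.roles), default=0)


def kms_rank(subject: Subject) -> int:
    return max((KMS_RANK.get(r, 0) for r in subject.roles), default=0)


def authorize(subject: Subject, policy: SecretPolicy, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every denial names the failing check so that an
    audit log entry can explain why a request was refused."""
    if action not in REQUIREMENTS:
        return False, f"unknown action {action!r}"
    # Allowed subjects must be in the same project as the secret.
    if subject.project != policy.project:
        return False, "subject belongs to another project"
    # Access control enabled: only listed subjects (and, by assumption, the
    # owner) get past this gate. Permissions are still bounded by IAM roles.
    if (policy.access_control_enabled
            and subject.name != policy.owner
            and subject.name not in policy.allowed_subjects):
        return False, "access control: subject not in allowed list"
    need_sm, need_kms = REQUIREMENTS[action]
    if sm_rank(subject) < need_sm:
        return False, f"requires Secrets Manager role rank {need_sm}"
    if kms_rank(subject) < need_kms:
        return False, f"requires KMS role rank {need_kms}"
    return True, "allowed"
```

Note how the owner is not exempt from the role checks: if the owner's Manager or KMS User role is removed, `authorize` denies value reads even though the allow-list gate still passes, which matches the page's "while their IAM role is maintained" condition.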