IBM Cloud Secrets Manager, powered by HashiCorp Vault, is the only centralized secrets and certificate management solution purpose built for IBM Cloud environments. Designed with security and scalability in mind, it offers single tenant data-plane isolation, event-driven notifications, automatic secret rotation, and context-based access restrictions—all to help you safeguard sensitive data with confidence.
Whether you're managing API tokens, database credentials, TLS certificates, or cloud access keys, Secrets Manager provides a flexible and resilient platform to handle secrets across your IBM Cloud infrastructure.
Added to these established capabilities is a new feature known as custom credentials, a new secret type that lets you integrate with virtually any credentials provider. Custom credentials give you full control over how you define, store, and manage secrets in your environment.
🔓 What Are Custom Credentials?
Custom credentials allow you to define how Secrets Manager retrieves and manages secrets from external providers.
At the heart of this capability is an IBM Cloud Code Engine job—a lightweight, containerized bridge between Secrets Manager and your credentials provider, allowing you to:
- Connect to any provider that exposes an API or secret
- Implement custom logic for secret retrieval
- Enable automatic or manual rotation
- Leverage built-in features like versioning, expiration, notifications, and audit logging
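To make the bridge concrete, here is an added example (not code from IBM or the GitHub toolkit) of the core logic such a Code Engine job would carry: it dispatches on the requested action, asks the provider for a fresh credential generated from a CSPRNG, attaches an expiration timestamp so Secrets Manager's expiration and versioning features have something to work with, and revokes the previous version idempotently so a retried delete cannot break a rotation. The action names, environment variable names and the in-memory provider are assumptions constructed for the example; the real job contract and a real provider (PostgreSQL, Artifactory) will differ.

```python
import os
import json
import secrets
from datetime import datetime, timedelta, timezone


class InMemoryProvider:
    """Constructed stand-in for a real credentials provider (e.g. PostgreSQL
    or Artifactory); it only exists so the job logic can run offline."""

    def __init__(self):
        self.active = {}  # token -> owning secret id

    def create_token(self, owner):
        token = secrets.token_urlsafe(32)  # CSPRNG-backed, 256 bits of entropy
        self.active[token] = owner
        return token

    def revoke_token(self, token):
        # Idempotent: revoking an already-revoked token is not an error,
        # so a retried delete task cannot fail the rotation.
        self.active.pop(token, None)


def handle_task(action, secret_id, provider, previous=None, ttl_hours=24, now=None):
    """Dispatch one task from Secrets Manager to the provider.
    Assumed contract (not IBM's documented one): 'create_credentials' returns a
    new credential plus an expiration timestamp; 'delete_credentials' revokes
    the previous version that is handed back in `previous`."""
    now = now or datetime.now(timezone.utc)
    if action == "create_credentials":
        token = provider.create_token(owner=secret_id)
        expires = now + timedelta(hours=ttl_hours)
        return {"status": "succeeded",
                "credentials": {"token": token},
                "expiration_date": expires.isoformat()}
    if action == "delete_credentials":
        if previous and previous.get("token"):
            provider.revoke_token(previous["token"])
        return {"status": "succeeded"}
    return {"status": "failed", "error": f"unsupported action {action!r}"}


if __name__ == "__main__":
    # Assumed environment variable names; the real job contract may differ.
    prov = InMemoryProvider()
    result = handle_task(os.environ.get("SM_ACTION", "create_credentials"),
                         os.environ.get("SM_SECRET_ID", "secret-id-placeholder"), prov)
    print(json.dumps(result))
```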
🔄 Real world use cases
Here are just a few ways custom credentials can be supported and used:
| Description | Example Provider or Tool |
|---|---|
| Securely rotate and manage tokens used in CI/CD pipelines | Jenkins API tokens, GitHub/GitLab tokens, Terraform Cloud API keys |
| Automatically rotate database passwords used by applications | PostgreSQL/MySQL credentials, MongoDB Atlas API keys, data warehouse credentials |
| Manage access to cloud services dynamically | IBM Cloud API keys, AWS/GCP/Azure credentials, Slack tokens |
| Generate short-lived secrets for test environments | Ephemeral credentials, mock API keys |
| Rotate tokens used to pull/push artifacts in CI/CD | Artifactory access tokens, PagerDuty API tokens, Sentry or Datadog API keys |
| Interface with legacy systems that expose secrets via custom APIs | Internal credential brokers, on-prem services |
🛠 Get Started with our GitHub toolkit
To make building your own credential providers easier, we've launched a developer-focused GitHub repository that includes:
- ✅ Ready-to-use templates and tools
- 🔄 Reusable provider implementations
- 🤝 A space to contribute and collaborate
We're starting with support for Artifactory and PostgreSQL and actively inviting the community to help expand support for additional providers.
👉 Explore the GitHub repo
🌟 Ready to Build?
Custom credentials can help you scale your secret management securely and flexibly. Whether you're modernizing legacy systems, building cloud-native apps, securing access to internal tools, or integrating with third-party services, this new feature gives you the control you need.
To ensure you can get started with custom credentials quickly, check that your automation tools are up to date:
- IBM Secrets Manager CLI
- SDKs
- Terraform provider
📘 Refer to the full documentation for a step-by-step guide to implementing your first custom credentials engine.
❓ Frequently Asked Questions
What is a custom credentials engine configuration?
A customizable set of parameters that define how a secret interacts with a credentials provider—powered by a Code Engine job.
What is a Code Engine job in this context?
It’s the logic layer that connects Secrets Manager to your credentials provider, using the Secrets Manager API to fetch and manage secrets dynamically.
What types of credential providers can I use?
Anything with an API or secret interface—databases, cloud services, internal tools, and more. One example is JFrog Artifactory access tokens.
Learn More about IBM Cloud Secrets Manager here
Learn More about IBM Cloud Code Engine here