Mohamed Eshaftri

How to Use IBM Cloud Secrets Manager and Trusted Profiles for Secure App Authentication

Storing secrets such as API keys, passwords, and certificates directly in application code poses serious security risks. IBM Cloud Secrets Manager provides a centralized, secure vault to manage secrets, while Trusted Profiles offer a way for applications to authenticate without using static API keys.


What is IBM Cloud Secrets Manager?

IBM Cloud Secrets Manager enables you to:

  • Store secrets like API keys, credentials, and certificates
  • Encrypt secrets using IBM Key Protect or Hyper Protect Crypto Services
  • Define fine-grained access policies using IBM IAM
  • Enable automatic secret rotation for supported types

What is a Trusted Profile?

A Trusted Profile is an IAM identity in IBM Cloud that allows compute resources (such as Code Engine, VPC, and VSI) to authenticate securely without using an API key. A temporary IAM token is injected automatically into the runtime environment, enabling credential-free authentication and secure service access.


Why Use Trusted Profiles with Secrets Manager?

Benefit                  Description
No API key needed        Tokens are auto-injected at runtime
Scoped IAM access        Assign only the permissions you need
Secret rotation ready    Secrets Manager supports rotation for select secret types
Best practice security   Eliminates static credentials and supports audit tracking

In this guide, you’ll learn how to:

  1. Set up IBM Cloud Secrets Manager
  2. Create and use a Trusted Profile
  3. Access secrets securely from your app
  4. Enable automatic secret rotation
  5. Try it out with the real-world example on GitHub: nextjs-codeengine-secrets

Step-by-Step Guide

Step 1: Create a Secrets Manager Instance

  1. Log in to IBM Cloud Console
  2. Navigate to Secrets Manager > Create
  3. Choose a region and resource group
  4. Enable secret engines (e.g., arbitrary, IAM credentials)
  5. Once provisioned, create a test secret (e.g., DB password)

# Log in to IBM Cloud
ibmcloud login -r <REGION> -g <RESOURCE_GROUP>

# Create the Secrets Manager instance
ibmcloud resource service-instance-create <INSTANCE_NAME> secrets-manager standard <REGION> \
  --resource-group <RESOURCE_GROUP>

Step 2: Create a Trusted Profile

  1. Go to Manage > IAM > Trusted Profiles
  2. Click Create Trusted Profile
  3. Select the resource type (e.g., Code Engine)
  4. Associate it with a resource group
  5. Name it something like my-app-profile

# Create the Trusted Profile
ibmcloud iam trusted-profile-create <TRUSTED_PROFILE_NAME> \
  --description "Trusted Profile for Next.js app to access Secrets Manager"

# Enable trusted profiles for the Code Engine app; this mounts the compute
# resource token that the app exchanges for an IAM token (linking the profile
# to the app is done in Step 4)
ibmcloud ce app update --name my-app --trusted-profiles-enabled

Step 3: Assign IAM Access Policies

Attach access policies to your Trusted Profile:

  • Service: secrets-manager
  • Role: Reader
  • Resource scope: Select the Secrets Manager instance or resource group

# Grant Reader access on the Secrets Manager instance to the Trusted Profile.
# A trusted-profile policy is what gives the profile itself access; an
# authorization policy is for service-to-service access and does not apply here.
# To read secret values the profile also needs the Secrets Manager service
# role SecretsReader, e.g. --roles Reader,SecretsReader
ibmcloud iam trusted-profile-policy-create <TRUSTED_PROFILE_NAME> \
  --roles Reader \
  --service-name secrets-manager \
  --service-instance <SECRETS_MANAGER_INSTANCE_ID>   # the instance GUID

Step 4: Add Code Engine as a Trusted Compute Resource

This step lets Code Engine authenticate as the Trusted Profile. If you're deploying to IBM Cloud Code Engine, enable "Use trusted profile" on the app as well.

  1. In your Trusted Profile, go to the Compute Resources tab
  2. Click Add → Select Code Engine
  3. Paste your Code Engine App CRN (you can find this in your Code Engine app's detail page)
  4. Enable "Use trusted profile" in the Code Engine project

# Find the Code Engine project CRN (shown in the project details); the link
# is made at project level and scoped to the app by name
ibmcloud ce project get --name <CN_PROJECT_NAME>

# Link the Code Engine app to the Trusted Profile as a compute resource
ibmcloud iam trusted-profile-link-create <TRUSTED_PROFILE_NAME> \
  --cr-type CE \
  --link-crn crn:v1:bluemix:public:codeengine:<REGION>:a/<ACCOUNT_ID>:<CN_PROJECT_ID>:: \
  --link-component-type application \
  --link-component-name <CN_APP_NAME>

# Enable trusted profiles on the app so the compute resource token is mounted
ibmcloud ce app update --name <CN_APP_NAME> --trusted-profiles-enabled

Step 5: Access Secrets in Your App

Use the IBM SDK to fetch secrets using the IAM token injected into the environment by your Trusted Profile:

// Import the IBM Secrets Manager SDK
import SecretsManager from "@ibm-cloud/secrets-manager/secrets-manager/v2.js";

// Import ContainerAuthenticator for use with Trusted Profiles in IBM Cloud environments
import { ContainerAuthenticator } from "ibm-cloud-sdk-core";

// Create a ContainerAuthenticator for the Trusted Profile. It reads the compute
// resource token mounted in the container and exchanges it for a short-lived IAM token.
const authenticator = new ContainerAuthenticator({
  iamProfileName: process.env.SM_TRUSTED_PROFILE_ID, // profile name, e.g. "my-codeengine-profile" (use iamProfileId to pass the profile ID instead)
});

// Initialize the Secrets Manager client
const secretsManager = new SecretsManager({
  authenticator, // Uses the trusted profile to get a temporary IAM token
  serviceUrl: process.env.SM_SERVICE_URL, // Endpoint of your instance, e.g. https://<INSTANCE_ID>.eu-de.secrets-manager.appdomain.cloud
});

// Export the configured Secrets Manager client
export default secretsManager;

The helper below fetches a secret from IBM Cloud Secrets Manager using the client exported above:

import secretsManager from "./secretsManager.js"; // the client module shown above (path is an assumption)

// Fetch one secret by ID. In the v2 API a secret is located by its ID alone,
// so the ID comes from the function argument rather than a fixed env var.
export async function getSecret(secretId) {
  const response = await secretsManager.getSecret({ id: secretId });
  const secret = response.result;
  // The field holding the value depends on the type: "arbitrary" uses `payload`,
  // "username_password" has `username`/`password`, "iam_credentials" has `api_key`.
  if (secret.secret_type !== "arbitrary") {
    throw new Error(`expected an arbitrary secret, got ${secret.secret_type}`);
  }
  return secret.payload;
}

Secret Rotation with Secrets Manager

IBM Cloud Secrets Manager supports automatic rotation for:

  • IAM credentials
  • Database credentials
  • Supported engine types (e.g., Cloudant, PostgreSQL)

You can:

  • Define rotation intervals (e.g., every 30 days)
  • Use APIs or UI to configure rotation
  • Automatically keep secrets fresh without redeploying apps

This reduces operational risk and ensures that credentials are up to date.
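The getSecret helper in Step 5 fetches on every call and only handles arbitrary secrets, and rotation only helps if the running app actually re-reads the secret. As an added example, not the post's own code, the module below builds on the Step 5 client with two additions a practitioner usually wants: normalising the returned value by secret type (field names follow the Secrets Manager v2 API and are an assumption to verify against your SDK version) and a TTL cache, so a rotated secret reaches the app on the next refresh without a redeploy. createSecretCache, extractSecretValue and the injected fake client are this example's names; it goes beyond the arbitrary-only case in the text.

```javascript
// Added example, not the post's own code: a secret-access layer over the
// Secrets Manager v2 client from Step 5. It normalises the value for the
// common secret types and caches each secret with a TTL, so a rotated value
// is picked up on the next refresh without redeploying the app. The client is
// injected so the logic runs offline against a fake; in production pass the
// SDK client exported in Step 5.

// Secret field names follow the Secrets Manager v2 API (assumption to verify
// against the SDK version you use): arbitrary -> payload,
// username_password -> username/password, iam_credentials -> api_key, kv -> data.
function extractSecretValue(secret) {
  switch (secret.secret_type) {
    case "arbitrary":
      return { value: secret.payload };
    case "username_password":
      return { username: secret.username, password: secret.password };
    case "iam_credentials":
      return { apiKey: secret.api_key };
    case "kv":
      return { data: secret.data };
    default:
      throw new Error(`unsupported secret type: ${secret.secret_type}`);
  }
}

// An entry is fresh for ttlSeconds after it was fetched. Keep the TTL well
// below the rotation interval so a rotation is observed promptly.
function isFresh(entry, nowSeconds, ttlSeconds) {
  return Boolean(entry) && nowSeconds - entry.fetchedAt < ttlSeconds;
}

function createSecretCache({ client, ttlSeconds = 300, now = () => Date.now() / 1000 }) {
  if (!client) throw new Error("a Secrets Manager client is required");
  const entries = new Map(); // secret ID -> { value, fetchedAt }

  // Return the cached value, or fetch and cache it when missing or stale.
  async function get(secretId) {
    const t = now();
    const hit = entries.get(secretId);
    if (isFresh(hit, t, ttlSeconds)) return hit.value;
    // v2 getSecret locates a secret by its ID alone.
    const response = await client.getSecret({ id: secretId });
    // Freeze so callers cannot mutate the shared cached value.
    const value = Object.freeze(extractSecretValue(response.result));
    entries.set(secretId, { value, fetchedAt: t });
    return value;
  }

  // Drop a cached entry, e.g. after a downstream auth failure that suggests
  // the credential was rotated before the TTL elapsed.
  function invalidate(secretId) {
    entries.delete(secretId);
  }

  return { get, invalidate, size: () => entries.size };
}

// Usage with the real client from Step 5 (constructed call, not run here):
//   const secrets = createSecretCache({ client: secretsManager, ttlSeconds: 120 });
//   const { username, password } = await secrets.get(process.env.DB_SECRET_ID);
```

Two design notes: the cache never logs or serialises the value, and the invalidate hook is what turns a "401 from the database" into a re-fetch rather than a restart, which is the behaviour the rotation section promises. Pick the TTL from the rotation schedule, not from convenience: a 30-day rotation with a 5-minute TTL means a rotated credential is in use within minutes.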


Bonus: Accessing Watsonx Services Using Trusted Profiles

Step 1: Create the Service ID

  • In the IBM Cloud console open Manage → Access (IAM) → Service IDs.
  • Click Create → give the Service ID a clear name such as watsonx-ce-sid, add an optional description, then Create.

Step 2: Link the Service ID to your Trusted Profile

  • Go to Manage → Access (IAM) → Trusted Profiles and open your existing profile (e.g. my-app-profile).
  • In the profile, choose the Service IDs tab (labelled “Trusted entities › Service IDs”).
  • Click Add → in the Service ID drop-down select watsonx-ce-sid you created earlier → Add → Save.

Conclusion

By combining IBM Cloud Secrets Manager with Trusted Profiles, you unlock a secure and flexible way to manage application secrets without hardcoded credentials.

This approach offers:

  • Token-based authentication
  • Seamless secret retrieval at runtime
  • Automatic rotation support
  • Improved compliance and security
