OCI Secret Management Best Practices

Access control and least privilege

How can I restrict access to secrets and enforce the principle of least privilege? What IAM policies should I use to control who can view, create, or modify secrets?

OCI uses IAM policies to grant fine-grained permissions. To promote security and enforce the principle of least privilege, you should:

  • Grant only the minimum permissions needed: Users, groups, or services should have only the permissions required for their role.
  • Segregate duties: Separate those who can view, create, and manage secrets from those who can use them.
  • Use groups/roles: Assign permissions to groups rather than individuals when possible to improve manageability and oversight.
  • Scope tightly: Use separate compartments per environment/application. Use dynamic groups for workloads (instances, OKE pods, functions).
  • Regularly review permissions: Periodically audit access and modify permissions as needed.
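As an added example (not part of the OCI documentation), the Python script below lints a constructed set of policy statements for the mistakes the checklist above warns about: tenancy-wide grants, `any-user` subjects, `all-resources` grants that quietly include secrets, and workload principals that can modify rather than only read secrets. The group and dynamic-group names and the statements themselves are constructed, and the parser covers only the common `Allow … to … in …` statement form.

```python
import re
from typing import List, Tuple

# Subset of the OCI policy grammar (keywords are case-insensitive):
#   Allow <subject-type> [<name>] to <verb> <resource-type> in <scope> [<name>] [where <condition>]
STATEMENT = re.compile(
    r"^allow\s+(?P<stype>group|dynamic-group|service|any-user)(?:\s+(?P<subject>\S+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment)(?:\s+(?P<scopename>\S+))?"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

# Constructed sample policy; the group and dynamic-group names are made up.
POLICY = [
    "Allow group SecretAdmins to manage secret-family in compartment prod",
    "Allow dynamic-group prod-app-instances to read secret-bundles in compartment prod",
    "Allow group Auditors to inspect secrets in compartment prod",
    "Allow group Developers to manage secret-family in tenancy",           # tenancy-wide
    "Allow dynamic-group oke-pods to manage secrets in compartment prod",  # workload can modify
    "Allow any-user to read secret-bundles in compartment prod",          # every principal
]

def is_secret_resource(resource: str) -> bool:
    # secret-family, secrets and secret-bundles are the Vault secret types; all-resources includes them.
    return resource.startswith("secret") or resource == "all-resources"

def audit_statement(stmt: str) -> List[str]:
    """Return the least-privilege problems found in one statement (empty list = clean)."""
    m = STATEMENT.match(stmt.strip())
    if not m:
        return ["statement does not match the expected form; review manually"]
    stype, verb, resource, scope = (m[k].lower() for k in ("stype", "verb", "resource", "scope"))
    if not is_secret_resource(resource):
        return []  # not a secret grant; out of scope for this check
    reasons = []
    if resource == "all-resources":
        reasons.append("all-resources silently includes secrets; name the secret resource type")
    if stype == "any-user":
        reasons.append("any-user grants every authenticated principal access to secrets")
    if scope == "tenancy":
        reasons.append("tenancy-wide grant; scope it to one environment's compartment")
    if stype == "dynamic-group" and verb in ("use", "manage"):
        reasons.append("workload principal can modify secrets; consumers need only read secret-bundles")
    return reasons

def audit_secret_policies(statements: List[str]) -> List[Tuple[str, str]]:
    """Pair each offending statement with every reason it was flagged."""
    return [(s, reason) for s in statements for reason in audit_statement(s)]
```

Run it against an exported policy as part of the periodic access review; a clean run returns an empty list, and every flagged statement is a candidate for tighter scoping.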

For more guidance, see the OCI reference documentation for IAM policies.

Secret replication

What’s the recommended approach to replicate a secret across all regions in my tenancy without manual intervention?

Enabling cross-region replication is recommended for all secrets, both for convenience and for disaster recovery. If the primary region becomes unavailable, replicated secrets remain retrievable from one or more secondary regions.

First, select one or more secondary regions (up to three) to serve as target regions for replicating your secrets. It is recommended that these regions be consistent with the disaster recovery and business continuity plans you have in place for scenarios in which your primary region becomes inaccessible. A general disaster recovery best practice is to both make a replica that is geographically "near" and one that is geographically "far" from your primary region. You should also consider any compliance regulations your business must follow when assessing locations for your secondary regions.

Once you’ve selected the secondary regions, you must create or select a vault and a symmetric (AES) key in each of these regions for storing and encrypting the replica secrets. See the OCI documentation for details on vault and key creation.

Alternatively, you can replicate the vault and key used for your primary region's secrets to a secondary region. See Replicating Vaults for more details.

After you have selected vaults and keys for each of your planned secondary regions, we suggest that you update your process for creating secrets to include a ReplicationConfig, which will enable replication from the start. We also recommend using the ListSecrets API to retrieve the list of your existing secrets, then using the UpdateSecret API to add a ReplicationConfig to enable replication for each of them.

For more information on secret replication, including the necessary setup and Identity policies, see Replicating Secrets.

Secret rotation

What are the best practices for secret rotation in OCI? How and how often should I rotate secrets?

We recommend that you rotate your secrets at periodic intervals to help minimize the impact of compromised credentials, potentially reducing the likelihood of data breaches. Several compliance regulations also mandate secret rotation at regular intervals. In general, it’s recommended that secrets be rotated at a cadence of around 3 or 6 months. However, other compliance requirements may mandate more frequent rotation, such as once a month. Choose a rotation cadence that best fits your use case. With the Automated Rotations feature, you can rotate secrets at any cadence between 1 month and 12 months.

OCI Vault can automatically generate secrets on your behalf, with support for passwords, Secure Shell (SSH) keys, and random bytes. We also provide templatization during generation. This enables you to store JavaScript Object Notation (JSON) blobs with placeholders for secrets that are automatically generated for you. For more information, see Creating a Secret in a Vault.

You can enable secret auto-rotation to set up an interval for periodically rotating your secrets. This feature integrates with the Autonomous Database and Functions services, allowing the seamless rotation of secrets used in Autonomous Database or function code. In OCI Functions, you can easily rotate any credential and execute code as part of the rotation process. Automatic rotation is also available for manually created secrets.

For more information, see Database Secret Rotation without Wallet Function and Database Secret Rotation with Wallet Function.

With support for functions, you can write custom functions that have rotation logic embedded within them to rotate secrets of any custom type. See Rotation Function Steps and Details for an outline of the logic recommended when you write your custom auto-rotation function.