Oracle Cloud Infrastructure Documentation

Configuring Cross-Region Secret Replication

Learn how to create cross-region replicas of secrets.

You can enable and configure cross-region replication for secrets in two ways:

  • During secret creation. See Creating a Secret for instructions.
  • After you have created a secret. Use the instructions in this topic to enable cross-region replication and specify up to 3 replicas in other regions, or to edit existing cross-region replication settings for the secret.
    1. On the Secrets list page, find the secret that you want to work with and select the name of the secret to open the details page. If you need help finding the list page, see Listing Secrets.
    2. Select Actions, then select Edit.
    3. In the Edit Secret panel, find the Cross-region replication section. If replication isn't already enabled for the secret, use the toggle switch to enable this feature.
    4. You can replicate the secret in up to 3 destination vaults. Provide the following information for each replica of the secret:
      • Destination Region: Select the region containing the destination vault for the replicated secret.
      • Destination Vault: Select the destination vault for the replicated secret.
      • Key: Select the encryption key that you want to use to encrypt the secret contents in the destination vault.

      Optionally, if you haven't already specified the maximum of 3 replicas for the secret, select Add item to add another, then provide the region, vault, and key details for the target destination vault.

    5. Select Update to save your changes to the secret.

  • Use the oci vault secret update or oci vault secret update-base64 command to update the replication settings of a secret, depending on the content type of the secret you're updating.

    oci vault secret update --secret-id <secret_OCID> --description <updated description>

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Use the UpdateSecret API with the Management Endpoint to update the cross-region replication settings of a secret.

    Note

    The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.

    The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

    You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

    For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.