Build OCI Vault secret configurations with encryption keys and rotation policies.
Last verified: May 2026
Build OCI Vault secret configurations with encryption keys, content, and rotation rules.
Required fields: compartmentId, vaultId, keyId, secretName, secretContent

OCI Vault is a managed key management and secrets storage service that lets you centrally manage encryption keys and secret credentials. Creating a secret requires the correct compartment, vault, encryption key, content type, and Base64-encoded value, along with optional metadata and expiration rules. This tool guides you through building Vault secret configurations with proper encoding, rotation rules, and access policies. It generates configurations compatible with the OCI CLI, the Terraform OCI provider, and the REST API.
OCI Vault supports manual secret rotation by creating new secret versions. Each version gets a unique version number and can be assigned staging labels like CURRENT and PREVIOUS. When you create a new version, it automatically becomes CURRENT and the old version moves to PREVIOUS. You can reference secrets by version number or staging label, allowing applications to always fetch the latest version. Automated rotation requires integrating with OCI Functions to periodically update the secret content.
OCI Vault supports BASE64-encoded content for all secret types. You encode your plaintext secret (password, API key, certificate, or any binary content) as a Base64 string before storing it. The Vault encrypts the content using the master encryption key you specify. When retrieving the secret, the API returns the Base64-encoded ciphertext that your application decodes. The maximum secret size is 25 KB per version.
Your team is migrating 50 application secrets from environment variables in a Helm chart to OCI Vault. The builder generates Terraform for all 50 secrets in a consistent structure: the same compartment, vault, and key references for every secret, and secret names following a {env}_{app}_{purpose} convention. You reference them in OKE pods via the OCI CSI driver, which mounts them as files. Migration time: 2 days vs the week-long estimate for hand-crafting each secret and its Terraform.
The builder constructs OCI Vault secret resources with: compartment OCID, vault OCID, encryption key OCID, secret name, secret content (base64-encoded), content type, optional rotation rule, and optional secret rules (e.g., min secret length). Output is generated as oci vault secret create-base64 commands, Terraform oci_vault_secret resources, and example application code in Python/Node/Java showing how to fetch and decode the secret at runtime.
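The following is an added example of the encode-then-emit workflow the two paragraphs above describe; it is not the tool's own code. It Base64-encodes a plaintext secret, enforces the 25 KB per-version limit before anything is sent, assembles the required fields, and renders both an `oci vault secret create-base64` command and an `oci_vault_secret` Terraform resource. The OCIDs are placeholders, the `secret_name_for` helper and the OCID-prefix check are my additions, and the CLI flag names and the expiry-rule field names are written from memory of the OCI CLI and API, so verify them against `--help` and the API reference for your version.

```python
import base64
import json

# 25 KB per secret version, the limit the page states.
MAX_SECRET_BYTES = 25 * 1024
# OCID prefixes, used only as a sanity check that each ID landed in the right slot.
OCID_PREFIXES = {"compartment_id": "ocid1.compartment.", "vault_id": "ocid1.vault.", "key_id": "ocid1.key."}


def secret_name_for(env: str, app: str, purpose: str) -> str:
    """Name a secret with the {env}_{app}_{purpose} convention from the migration scenario."""
    return f"{env}_{app}_{purpose}".lower()


def fits_size_limit(plaintext: bytes) -> bool:
    """True when the raw secret fits in one secret version."""
    return len(plaintext) <= MAX_SECRET_BYTES


def encode_secret(plaintext: bytes) -> str:
    """Base64-encode the raw secret; refuse anything over the per-version limit."""
    if not fits_size_limit(plaintext):
        raise ValueError(f"secret is {len(plaintext)} bytes; limit is {MAX_SECRET_BYTES}")
    return base64.b64encode(plaintext).decode("ascii")


def build_secret_config(compartment_id, vault_id, key_id, secret_name, plaintext,
                        version_name="v1", expiry_interval=None):
    """Assemble the required fields plus an optional expiry rule.
    expiry_interval is an ISO 8601 duration such as "P90D"; the rule field names
    are assumed (from memory) to match SECRET_EXPIRY_RULE in the API."""
    ids = {"compartment_id": compartment_id, "vault_id": vault_id, "key_id": key_id}
    for field_name, value in ids.items():
        if not value.startswith(OCID_PREFIXES[field_name]):
            raise ValueError(f"{field_name} does not look like a {OCID_PREFIXES[field_name]}* OCID")
    cfg = {
        **ids,
        "secret_name": secret_name,
        "secret_content": {
            "content_type": "BASE64",
            "content": encode_secret(plaintext),
            "name": version_name,
            "stage": "CURRENT",
        },
        "secret_rules": [],
    }
    if expiry_interval:
        cfg["secret_rules"].append({"rule_type": "SECRET_EXPIRY_RULE",
                                    "secret_version_expiry_interval": expiry_interval})
    return cfg


def cli_command(cfg) -> str:
    """Render an `oci vault secret create-base64` call (flag names as I recall them; check --help)."""
    parts = [
        "oci vault secret create-base64",
        f"--compartment-id {cfg['compartment_id']}",
        f"--vault-id {cfg['vault_id']}",
        f"--key-id {cfg['key_id']}",
        f"--secret-name {cfg['secret_name']}",
        f"--secret-content-content {cfg['secret_content']['content']}",
        f"--secret-content-name {cfg['secret_content']['name']}",
        f"--secret-content-stage {cfg['secret_content']['stage']}",
    ]
    if cfg["secret_rules"]:
        # The CLI takes complex arguments as a JSON string.
        parts.append(f"--secret-rules '{json.dumps(cfg['secret_rules'])}'")
    return " \\\n  ".join(parts)


def terraform_resource(cfg, label="secret") -> str:
    """Render the equivalent oci_vault_secret resource block."""
    sc = cfg["secret_content"]
    lines = [
        f'resource "oci_vault_secret" "{label}" {{',
        f'  compartment_id = "{cfg["compartment_id"]}"',
        f'  vault_id       = "{cfg["vault_id"]}"',
        f'  key_id         = "{cfg["key_id"]}"',
        f'  secret_name    = "{cfg["secret_name"]}"',
        "  secret_content {",
        f'    content_type = "{sc["content_type"]}"',
        f'    content      = "{sc["content"]}"',
        f'    name         = "{sc["name"]}"',
        f'    stage        = "{sc["stage"]}"',
        "  }",
    ]
    for rule in cfg["secret_rules"]:
        lines.append("  secret_rules {")
        for k, v in rule.items():
            lines.append(f'    {k} = "{v}"')
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values; the OCIDs are placeholders, not real resources.
    cfg = build_secret_config("ocid1.compartment.oc1..placeholder", "ocid1.vault.oc1.iad.placeholder",
                              "ocid1.key.oc1.iad.placeholder",
                              secret_name_for("prod", "billing", "dbpassword"), b"s3cr3t", expiry_interval="P90D")
    print(cli_command(cfg))
    print(terraform_resource(cfg))
```

Because `encode_secret` checks the size before encoding, an oversized kubeconfig or certificate chain fails at build time rather than at `create-base64` time; the expected Base64 value in the rendered command is the same string the Terraform resource carries, so the two outputs are interchangeable.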
OCI Vault is one of the more reasonably priced secret managers across cloud providers — about $0.0125 per 10K API calls and ~$0.04 per secret per month. Compared to AWS Secrets Manager at $0.40/secret/month, this is dramatically cheaper at scale (1000 secrets = $40 vs $400/month).
The 25 KB max secret size is enforced strictly. For larger secrets (e.g., kubeconfig files, large certificate chains), split into multiple secrets and reassemble at runtime. Don't try to compress or chunk in clever ways — the operational complexity isn't worth it.
Always use the staging label `CURRENT` in your applications, not specific version numbers. This way, when you rotate the secret (creating a new version that becomes CURRENT), the application picks it up on the next fetch with no code change. Hard-coding version numbers turns rotation into a deploy-required operation.
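As an added illustration of the staging-label behaviour described above (not code from the tool or from OCI), the block below models one secret's version list in memory: creating a version makes it CURRENT and demotes the old CURRENT to PREVIOUS, exactly as the page states, and the application-side decode step turns the BASE64 bundle content back into bytes. `SecretVersionModel` and the bundle dict shape are my constructions that imitate the secret bundle returned by the service; older versions keep no label in this simplified model. The walkthrough compares an application reading `CURRENT` with one pinned to version 1 across a rotation.

```python
import base64


class SecretVersionModel:
    """In-memory stand-in (constructed here, not the OCI service) for one secret's
    versions: a new version becomes CURRENT, the previous CURRENT moves to PREVIOUS."""

    def __init__(self):
        self.versions = []  # dicts with version_number, content (Base64 text), stages

    def create_version(self, plaintext: bytes) -> int:
        """Store a new version as CURRENT and demote the labels of the older ones."""
        for v in self.versions:
            if "CURRENT" in v["stages"]:
                v["stages"] = ["PREVIOUS"]
            elif "PREVIOUS" in v["stages"]:
                v["stages"] = []  # simplification: no further label in this model
        number = len(self.versions) + 1
        self.versions.append({
            "version_number": number,
            "content": base64.b64encode(plaintext).decode("ascii"),
            "stages": ["CURRENT"],
        })
        return number

    def get_secret_bundle(self, version_number=None, stage=None) -> dict:
        """Look up one version by number or by staging label and return a bundle-shaped
        dict (field names mirror the secret bundle as I recall it; verify against the API)."""
        if (version_number is None) == (stage is None):
            raise ValueError("specify exactly one of version_number or stage")
        for v in self.versions:
            if v["version_number"] == version_number or (stage and stage in v["stages"]):
                return {
                    "version_number": v["version_number"],
                    "stages": list(v["stages"]),
                    "secret_bundle_content": {"content_type": "BASE64", "content": v["content"]},
                }
        raise LookupError("no version matches that number or stage")


def decode_bundle(bundle: dict) -> bytes:
    """Application-side step: decode the BASE64 bundle content back to the raw secret."""
    content = bundle["secret_bundle_content"]
    if content["content_type"] != "BASE64":
        raise ValueError(f"unexpected content type {content['content_type']}")
    return base64.b64decode(content["content"], validate=True)


def rotation_walkthrough() -> dict:
    """Rotate once and compare an app reading CURRENT with one pinned to version 1."""
    secret = SecretVersionModel()
    secret.create_version(b"old-password")  # constructed sample value
    pinned_before = decode_bundle(secret.get_secret_bundle(version_number=1))
    current_before = decode_bundle(secret.get_secret_bundle(stage="CURRENT"))
    secret.create_version(b"new-password")  # rotation: version 2 becomes CURRENT
    return {
        "pinned_before": pinned_before,
        "current_before": current_before,
        "pinned_after": decode_bundle(secret.get_secret_bundle(version_number=1)),
        "current_after": decode_bundle(secret.get_secret_bundle(stage="CURRENT")),
        "previous_after": decode_bundle(secret.get_secret_bundle(stage="PREVIOUS")),
        "stages_v1": secret.get_secret_bundle(version_number=1)["stages"],
    }


if __name__ == "__main__":
    for key, value in rotation_walkthrough().items():
        print(f"{key}: {value}")
```

The pinned reader keeps returning the pre-rotation value until someone redeploys it with a new version number, while the `CURRENT` reader sees the new value on its next fetch; `PREVIOUS` still resolves to the old value, which is what a rollback or a dual-credential cutover would read.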
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.