How does OCI Vault secret rotation work?

OCI Vault supports manual secret rotation by creating new secret versions. Each version gets a unique version number and can be assigned staging labels like CURRENT and PREVIOUS. When you create a new version, it automatically becomes CURRENT and the old version moves to PREVIOUS. You can reference secrets by version number or staging label, allowing applications to always fetch the latest version. Automated rotation requires integrating with OCI Functions to periodically update the secret content.

What content types does OCI Vault support for secrets?

OCI Vault supports BASE64-encoded content for all secret types. You encode your plaintext secret (password, API key, certificate, or any binary content) as a Base64 string before storing it. The Vault encrypts the content using the master encryption key you specify. When retrieving the secret, the API returns the Base64-encoded ciphertext that your application decodes. The maximum secret size is 25 KB per version.

OCI Vault Secret Builder

IAM & SecurityOCI

Build OCI Vault secret configurations with encryption keys and rotation policies.

OCI Vault Configuration

Build OCI Vault secret configurations with encryption keys, content, and rotation rules.

Required Fields

compartmentIdvaultIdkeyIdsecretNamesecretContent

Generated Output

Output will appear here...

About This Tool

OCI Vault is a managed key management and secrets storage service that lets you centrally manage encryption keys and secret credentials. Creating secrets requires specifying the correct compartment, vault, encryption key, content type, and base64-encoded value along with optional metadata and expiration rules. This tool guides you through building Vault secret configurations with proper encoding, rotation rules, and access policies. It generates configurations compatible with the OCI CLI, Terraform OCI provider, and the REST API.

When to Use This Tool

•Building Vault secret definitions for database passwords with automatic rotation schedules and expiration dates
•Generating Terraform configurations for secrets that include version metadata and compartment-specific access rules
•Creating secrets with proper base64 encoding for binary content like TLS certificates or SSH private keys
•Configuring secret bundles with multiple versions and staging labels for blue-green deployment credential rotation

Frequently Asked Questions

How does OCI Vault secret rotation work?: OCI Vault supports manual secret rotation by creating new secret versions. Each version gets a unique version number and can be assigned staging labels like CURRENT and PREVIOUS. When you create a new version, it automatically becomes CURRENT and the old version moves to PREVIOUS. You can reference secrets by version number or staging label, allowing applications to always fetch the latest version. Automated rotation requires integrating with OCI Functions to periodically update the secret content.
What content types does OCI Vault support for secrets?: OCI Vault supports BASE64-encoded content for all secret types. You encode your plaintext secret (password, API key, certificate, or any binary content) as a Base64 string before storing it. The Vault encrypts the content using the master encryption key you specify. When retrieving the secret, the API returns the Base64-encoded ciphertext that your application decodes. The maximum secret size is 25 KB per version.

Related Learning Guides

OCI Security Best Practices24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.