Monitor your secret/certificates expiry using IBM Cloud Event Notifications

Pradeep Gopalgowda
6 min read · Mar 7, 2022

Suppose you manage TLS certificates or other secrets and want to be alerted before they expire, or whenever they are updated. With IBM Cloud Event Notifications you can deliver those alerts to your end users by email, SMS, webhook or push notification.

What is IBM Cloud Event Notifications?

IBM Cloud® Event Notifications is an event routing service that notifies you of critical events that occur in your IBM Cloud account, or triggers automated actions through webhooks. You can filter and route event notifications from IBM Cloud services, such as Availability Monitoring, to email, SMS, push notifications and webhooks.

How are events sent by Secrets Manager?

When an event of interest takes place in your Secrets Manager instance, Secrets Manager communicates with a connected Event Notifications instance to forward a notification to a supported destination.

How events are sent by Secrets Manager

In this tutorial you will configure the following flow:

  1. An alert is raised in IBM Cloud Secrets Manager.
  2. IBM Cloud Secrets Manager sends a notification to IBM Cloud Event Notifications.
  3. IBM Cloud Event Notifications creates an email and sends the email to the subscribed user.

Secrets Manager aggregates a list of your pending notifications by event type, the type of secret and expiry details if they apply. Every 1–2 minutes, the service checks for and dispatches any pending notifications to the connected Event Notifications service. For example, you might receive notifications that are similar to the following messages:

  • You have 5 public certificate secrets that expire in 10 days.
  • You have 100 imported certificate secrets that expire in 30 days.

Note: 100 is the maximum number of secrets that you can be notified of in a single event notification.
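As an added illustration of the batching described above (example code written for this article, not Secrets Manager's own implementation), the Python below groups a constructed inventory of secrets by event type, secret type and days-to-expiry, and renders one message per group in the style of the sample messages. The two thresholds (10 and 30 days) and the 100-secret cap come from the text; the event type names, the handling of already-expired secrets, and the choice to emit a second message for the part of a group that exceeds the cap rather than drop it are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SECRETS_PER_NOTIFICATION = 100   # cap stated in the text
EXPIRY_WINDOWS_DAYS = (10, 30)       # thresholds used in the sample messages


@dataclass(frozen=True)
class Secret:
    name: str
    secret_type: str      # e.g. "public certificate", "imported certificate"
    expiration: date


def classify(secret: Secret, today: date):
    """Return (event_type, days) if the secret raises an event today, else None.

    Event type names are assumed for this example, not taken from the service."""
    days = (secret.expiration - today).days
    if days <= 0:
        return ("secret_expired", 0)
    if days in EXPIRY_WINDOWS_DAYS:
        return ("secret_about_to_expire", days)
    return None


def aggregate(secrets, today):
    """Group pending events by (event type, secret type, days-to-expiry)."""
    groups = defaultdict(list)
    for s in secrets:
        hit = classify(s, today)
        if hit:
            event_type, days = hit
            groups[(event_type, s.secret_type, days)].append(s.name)
    return groups


def render(event_type, secret_type, days, count):
    """Render one group as a human-readable message, handling singular/plural."""
    noun = "secret" if count == 1 else "secrets"
    if event_type == "secret_expired":
        verb = "has expired" if count == 1 else "have expired"
        return f"You have {count} {secret_type} {noun} that {verb}."
    verb = "expires" if count == 1 else "expire"
    return f"You have {count} {secret_type} {noun} that {verb} in {days} days."


def dispatch(secrets, today):
    """Messages one poll cycle would send; a group over the cap is split
    into several messages (assumption: overflow is not silently dropped)."""
    messages = []
    for (event_type, secret_type, days), names in sorted(aggregate(secrets, today).items()):
        for start in range(0, len(names), MAX_SECRETS_PER_NOTIFICATION):
            chunk = names[start:start + MAX_SECRETS_PER_NOTIFICATION]
            messages.append(render(event_type, secret_type, days, len(chunk)))
    return messages


# Constructed sample inventory: 5 public certs at 10 days, 120 imported certs
# at 30 days (over the cap), one already-expired cert, one outside every window.
TODAY = date(2022, 3, 7)
SAMPLE = (
    [Secret(f"pub-{i}", "public certificate", TODAY + timedelta(days=10)) for i in range(5)]
    + [Secret(f"imp-{i}", "imported certificate", TODAY + timedelta(days=30)) for i in range(120)]
    + [Secret("old-root", "imported certificate", TODAY - timedelta(days=1))]
    + [Secret("fresh", "public certificate", TODAY + timedelta(days=75))]
)

if __name__ == "__main__":
    for line in dispatch(SAMPLE, TODAY):
        print(line)
```

Running the block prints four messages: the 120 imported certificates become a message for 100 and another for 20, the five public certificates become one message, and the expired certificate gets its own; the certificate 75 days out produces nothing because it matches no window.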

Step 1: Create an IBM Cloud Event Notifications service instance

  1. Log in to your IBM Cloud account.
  2. In the IBM Cloud catalog, search Event Notifications > Event Notifications.
  3. Select a region from the list of supported regions and select a pricing plan.
  4. Provide a Service name.
  5. Select a resource group.
  6. Click Create.
IBM Cloud Event Notifications

Step 2: Create an IBM Cloud Secrets Manager service instance

  1. In the IBM Cloud catalog, search Secrets Manager > Secrets Manager.
  2. Select a region from the list of supported regions and select a pricing plan.
  3. Provide a Service name.
  4. Select a resource group.
  5. Click Create.
Secrets Manager

Step 3: Connect to IBM Cloud Event Notifications in the Secrets Manager UI

  1. From the Secrets Manager instance, click Settings.
  2. In the Event Notifications section, click Connect.
  3. In the side panel, review the source details for the connection. Optionally, provide a description.
  4. Select the resource group and Event Notifications service instance that you want to connect.
  5. If an IAM authorization between Secrets Manager and Event Notifications doesn’t exist in your account, a dialog is displayed. Follow the prompts to grant access between the services:
  • To grant access between Secrets Manager and Event Notifications, click Authorize.
  • In the side panel, select Event Notifications as the target service.
  • From the list of instances, select the Event Notifications service instance that you want to authorize.
  • Select the Event Source Manager role. This is the only role Secrets Manager needs in order to publish events; do not grant a broader role, and keep the authorization scoped to the one instance you selected rather than to all Event Notifications instances in the account.
  • Click Review.
  • Click Assign.
  6. To confirm the connection, click Connect.

A success message is displayed to indicate that Secrets Manager is now connected to Event Notifications.
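The authorization created in the dialog above is easy to over-scope by accident (every instance instead of one, or a broader role than Event Source Manager). The following Python is an added example, not IBM's code, that audits such a policy for least privilege. The embedded POLICIES_JSON is a constructed stand-in for what `ibmcloud iam authorization-policies --output json` returns; its shape (subjects/roles/resources with attribute lists), the instance GUIDs and the role CRN are assumptions, while the service names and the Event Source Manager role name are taken from the tutorial.

```python
import json

# The one role the tutorial assigns; anything beyond it is a finding.
EXPECTED_ROLES = {"Event Source Manager"}

# Constructed sample (assumed IAM policy shape; GUIDs and role CRNs are made up).
# policy-1 is what the Step 3 dialog should produce: one role, both sides pinned
# to a single instance.  policy-2 is an over-broad variant: an extra role and
# no instance scoping on either side.
POLICIES_JSON = """[
  {
    "id": "policy-1",
    "type": "authorization",
    "subjects": [{"attributes": [
      {"name": "serviceName", "value": "secrets-manager"},
      {"name": "serviceInstance", "value": "11111111-aaaa-4bbb-8ccc-222222222222"}]}],
    "roles": [{"role_id": "crn:v1:bluemix:public:event-notifications::::serviceRole:EventSourceManager",
               "display_name": "Event Source Manager"}],
    "resources": [{"attributes": [
      {"name": "serviceName", "value": "event-notifications"},
      {"name": "serviceInstance", "value": "33333333-dddd-4eee-8fff-444444444444"}]}]
  },
  {
    "id": "policy-2",
    "type": "authorization",
    "subjects": [{"attributes": [{"name": "serviceName", "value": "secrets-manager"}]}],
    "roles": [{"role_id": "crn:...:EventSourceManager", "display_name": "Event Source Manager"},
              {"role_id": "crn:...:Manager", "display_name": "Manager"}],
    "resources": [{"attributes": [{"name": "serviceName", "value": "event-notifications"}]}]
  }
]"""


def attrs(block):
    """Flatten an IAM attribute list [{name, value}, ...] into a dict."""
    return {a["name"]: a["value"] for a in block["attributes"]}


def is_sm_to_en(policy):
    """True for a Secrets Manager -> Event Notifications service authorization."""
    subj = attrs(policy["subjects"][0])
    res = attrs(policy["resources"][0])
    return (policy.get("type") == "authorization"
            and subj.get("serviceName") == "secrets-manager"
            and res.get("serviceName") == "event-notifications")


def audit_policy(policy, sm_instance=None, en_instance=None):
    """Return a list of least-privilege findings; an empty list means OK.

    sm_instance / en_instance, when given, are the GUIDs the policy should be
    pinned to (the instances you connected in the UI)."""
    findings = []
    subj = attrs(policy["subjects"][0])
    res = attrs(policy["resources"][0])

    roles = {r["display_name"] for r in policy["roles"]}
    extra = roles - EXPECTED_ROLES
    if extra:
        findings.append(f"extra roles granted: {sorted(extra)}")
    if "Event Source Manager" not in roles:
        findings.append("Event Source Manager role missing")

    if "serviceInstance" not in subj:
        findings.append("source not scoped to one Secrets Manager instance")
    elif sm_instance and subj["serviceInstance"] != sm_instance:
        findings.append("source is a different Secrets Manager instance")

    if "serviceInstance" not in res:
        findings.append("target not scoped to one Event Notifications instance")
    elif en_instance and res["serviceInstance"] != en_instance:
        findings.append("target is a different Event Notifications instance")
    return findings


def audit_all(policies_json, sm_instance=None, en_instance=None):
    """Audit every SM -> EN authorization in a policy listing; keyed by policy id."""
    return {p["id"]: audit_policy(p, sm_instance, en_instance)
            for p in json.loads(policies_json) if is_sm_to_en(p)}


if __name__ == "__main__":
    report = audit_all(POLICIES_JSON,
                       "11111111-aaaa-4bbb-8ccc-222222222222",
                       "33333333-dddd-4eee-8fff-444444444444")
    for policy_id, findings in report.items():
        print(policy_id, "OK" if not findings else findings)
```

To use it against a real account, replace POLICIES_JSON with the CLI output (assuming it matches the shape above) and pass the GUIDs of the two instances you connected; any non-empty finding list is a policy to tighten before relying on it.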

Connecting to IBM Cloud Event Notifications

Step 3 (continued): Verify the Secrets Manager source in IBM Cloud Event Notifications

1. Click the menu icon > Resource list.

2. Open Services and software.

3. Open the IBM Cloud Event Notifications instance you created.

4. Click Sources.

When you connect to Event Notifications in the Secrets Manager UI, a source, with the same name as your Secrets Manager instance name, is automatically added to your IBM Cloud Event Notifications Sources list.

Secret Manager as a source

Step 4: Create an IBM Cloud Event Notifications Destination

In this step you will make sure that an email destination exists where notifications will be forwarded.

  1. Click Destinations.
  2. Notice in the Destinations list that, by default, there is an IBM Cloud Email service defined. You do not need to do anything else to configure an email destination.

Note: If you want to add a webhook as a destination instead, click Add and provide the endpoint details in the Add a destination panel. A webhook endpoint receives event payloads from the public internet, so it should authenticate the sender before acting on a notification.

Email Destination

Step 5: Create an IBM Cloud Event Notifications topic

Next you will define an IBM Cloud Event Notifications topic that will receive events from Secrets Manager.

1. Click Topics.

2. Click Create. The Topic details panel opens.

3. In the Topic details enter the following:

  • Enter the Name for your topic. For example, MonitorSecretExpiry.
  • For Source select the IBM Cloud Event Notifications source, which is named the same as your Secrets Manager instance.
  • Select an Event Type. For this tutorial select Secret about to expire.
  • Select an Event subtype. For this tutorial select Secret expire in 10 days.
  • Select a Severity. For this tutorial select High Severity.

4. Click Add a condition. (If you do not click Add a condition before you click Create, the topic will be created with no conditions associated with it.)

5. Click Create. Your topic will be displayed in the Topics list.

Note: To receive the test event sent from the Secrets Manager UI (Step 7), add a condition without selecting any Event Type, so that the topic matches every event from the source.

Create a topic

Step 6: Create an IBM Cloud Event Notifications Email Subscription

In this step you will configure who will receive an email when a notification is processed.

  1. Click Subscriptions.
  2. Click Create. The Create a subscription panel opens.
  3. In the Create a subscription panel enter the following:
  • Enter the Name for your subscription. For example, SecretExpirySubscription.
  • For Topic select the topic you created. For example, MonitorSecretExpiry.
  • For Destination select IBM Cloud Email service.
  • For Recipients enter a valid email address, for example, MyEmail@MyCompany.com

4. Click Create. Your subscription will be added to the Subscriptions list.

Create a Subscription

Step 7: Send a test event from the Secrets Manager UI

In this step you will send a test event from the Secrets Manager UI to confirm the whole path works.

1. Click the menu icon > Resource list.

2. Open Services and software.

3. Open the Secrets Manager instance you created.

4. Click Settings.

5. Click Send test event.

You should start receiving email notifications at the email address that you configured whenever the criteria defined in both Secrets Manager and IBM Cloud Event Notifications match.

Email Notification
