SAP-docs · marc-niemella · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025
diff --git a/docs/sap-ai-core/create-a-generic-secret-1831845.md b/docs/sap-ai-core/create-a-generic-secret-1831845.md
@@ -37,7 +37,11 @@ SAP AI Core lets you optionally use generic secrets at the following levels:
 
 Generic secrets are different to system secrets \(such as object store, Docker registry, and so on\) and can be used to store sensitive information, either for the main tenant, for all of its resource groups, or for each resource group via an API. The latter can be attached to containers in executions or deployments as environment variables or volume mounts.
 
-Tenant-wide secrets are only automatically propagated to the appropriate resource group when a new execution or deployment is created. They are not propagated to running deployments.
+> ### Note: 
+> In order to allow rotation of Tenant-Wide secrets for long-running deployments without restarting the deployment, the following guidelines must be followed:
+> - The deployment MUST mount the Tenant-Wide secret. For more information see [Consume a Generic Secret as a Volume Mount](consume-generic-secrets-in-executions-or-deployments-185a324.md)
+> - The deployment MUST monitor the mounted secret for changes instead of relying on an in-memory copy of the secret read from the mount.
+> - When a Tenant-Wide secret is updated, the tenant is responsible for observing the response of /secrets/{secret-name} endpoint to ensure that the Replicator has successfully updated the secret in all resource groups.
 
 
 
@@ -100,7 +104,12 @@ SAP AI Core lets you optionally use generic secrets at the following levels:
 
 Generic secrets are different to system secrets \(such as object store, Docker registry, and so on\) and can be used to store sensitive information, either for the main tenant, for all of its resource groups, or for each resource group via an API. The latter can be attached to containers in executions or deployments as environment variables or volume mounts.
 
-Tenant-wide secrets are only automatically propagated to the appropriate resource group when a new execution or deployment is created. They are not propagated to running deployments.
+> ### Note: 
+> In order to allow rotation of Tenant-Wide secrets for long-running deployments without restarting the deployment, the following guidelines must be followed:
+> - The deployment MUST mount the Tenant-Wide secret. For more information see [Consume a Generic Secret as a Volume Mount](consume-generic-secrets-in-executions-or-deployments-185a324.md)
+> - The deployment MUST monitor the mounted secret for changes instead of relying on an in-memory copy of the secret read from the mount.
+> - When a Tenant-Wide secret is updated, the tenant is responsible for observing the response of /secrets/{secret-name} endpoint to ensure that the Replicator has successfully updated the secret in all resource groups.
+
 
 
 

diff --git a/docs/sap-ai-core/delete-a-generic-secret-d5d5187.md b/docs/sap-ai-core/delete-a-generic-secret-d5d5187.md
@@ -2,7 +2,7 @@
 
 # Delete a Generic Secret
 
-To get a secret name, see [List All Generic Secrets](list-all-generic-secrets-05a3713.md).
+To get a secret name, see [Get All Generic Secrets](get-generic-secrets-05a3713.md).
 
 <a name="task_i3h_n13_tcc"/>
 

diff --git a/docs/sap-ai-core/get-generic-secrets-05a3713.md b/docs/sap-ai-core/get-generic-secrets-05a3713.md
@@ -0,0 +1,130 @@
+<!-- loio05a3713aa6a94356b08e09e86260b16d -->
+
+# Get Generic Secrets
+
+Generic secrets can either be retrieved as a single secret, or you can list all existing secrets.
+
+
+
+<a name="task_i3h_n13_tcc"/>
+
+<!-- task\_i3h\_n13\_tcc -->
+
+## Using Curl
+
+
+
+<a name="task_i3h_n13_tcc__steps_p1m_clf_zcc"/>
+
+## Procedure
+### Get Secret:
+
+Submit a GET request to the endpoint `/v2/admin/secrets/<secret-name>`, and include the scope via the headers:
+
+-   `AI-Tenant-Scope` : `true`. The operation will be performed at the main-tenant level.
+-   `AI-Resource-Group` : <code><i class="varname">&lt;resource-group-name&gt;</i></code>. The operation will be performed at the resource-group level.
+-   `AI-Tenant-Scope` : `true` and `AI-Resource-Group`: `*`. The operation will be performed at the tenant-wide level.
+
+```
+curl --location --request GET "$AI_API_URL/v2/admin/secrets/$SECRET_NAME" \
+--header "Authorization: Bearer $TOKEN" \
+--header 'AI-Resource-Group: default'
+
+```
+
+### Get all Secrets: 
+Submit a GET request to the endpoint `/v2/admin/secrets`, and include the scope via the headers:
+
+-   `AI-Tenant-Scope` : `true`. The operation will be performed at the main-tenant level.
+-   `AI-Resource-Group` : <code><i class="varname">&lt;resource-group-name&gt;</i></code>. The operation will be performed at the resource-group level.
+-   `AI-Tenant-Scope` : `true` and `AI-Resource-Group`: `*`. The operation will be performed at the tenant-wide level.
+
+```
+curl --location --request GET "$AI_API_URL/v2/admin/secrets" \
+--header "Authorization: Bearer $TOKEN" \
+--header 'AI-Resource-Group: default'
+
+```
+<a name="task_i3h_n13_tcc__result_vck_3lf_zcc"/>
+
+## Results
+### Get Secret:
+The response contains the name, and the creation timestamp of the requested generic secrets. No sensitive information is revealed in the response.
+In the case of a tenant-wide secret, the response also includes a list of all resource groups associated with the tenant and the current replication status of the secret to these resource groups.
+
+```
+# Example response for a tenant-wide secret
+{
+  "name": "secret-1",
+  "createdAt": "<timestamp>",
+  "resourceGroupSecretReplicationStatus":{
+      "rg-id-1" : true,  # secret was replicated correctly in this namespace
+      "rg-id-2" : false, # secret was not replicated or does not exist in this namespace yet
+  }
+}
+
+```
+### Get all Secrets: 
+The response includes a list of generic secrets, their name, and their creation timestamp. No sensitive information is revealed in the response.
+
+<a name="task_cxf_n13_tcc"/>
+
+<!-- task\_cxf\_n13\_tcc -->
+
+## Using Postman
+
+
+
+<a name="task_cxf_n13_tcc__steps_bqv_vkf_zcc"/>
+
+## Procedure
+
+### Get Secret
+
+Send a GET request to the endpoint `{{apiurl}}/v2/admin/secrets/{{secret_name}}`.
+
+1.  As the request body, select the *none* radio button.
+
+2.  Specify the scope of the request via the header `AI-Tenant-Scope` or `AI-Resource-Group`:
+
+    -   `AI-Tenant-Scope` : `true`. The operation will be performed at the main-tenant level.
+    -   `AI-Resource-Group` : <code><i class="varname">&lt;resource-group-name&gt;</i></code>. The operation will be performed at the resource-group level.
+    -   `AI-Tenant-Scope` : `true` and `AI-Resource-Group`: `*`. The operation will be performed at the tenant-wide level.
+
+### Get all Secrets
+
+Send a GET request to the endpoint `{{apiurl}}/v2/admin/secrets`.
+
+1.  As the request body, select the *none* radio button.
+
+2.  Specify the scope of the request via the header `AI-Tenant-Scope` or `AI-Resource-Group`:
+
+    -   `AI-Tenant-Scope` : `true`. The operation will be performed at the main-tenant level.
+    -   `AI-Resource-Group` : <code><i class="varname">&lt;resource-group-name&gt;</i></code>. The operation will be performed at the resource-group level.
+    -   `AI-Tenant-Scope` : `true` and `AI-Resource-Group`: `*`. The operation will be performed at the tenant-wide level.
+
+
+
+
+<a name="task_cxf_n13_tcc__result_sxh_jlf_zcc"/>
+
+## Results
+### Get Secret:
+The response contains the name, and the creation timestamp of the requested generic secrets. No sensitive information is revealed in the response.
+In the case of a tenant-wide secret, the response also includes a list of all resource groups associated with the tenant and the current replication status of the secret to these resource groups.
+
+```
+# Example response for a tenant-wide secret
+{
+  "name": "secret-1",
+  "createdAt": "<timestamp>",
+  "resourceGroupSecretReplicationStatus":{
+      "rg-id-1" : true,  # secret was replicated correctly in this namespace
+      "rg-id-2" : false, # secret was not replicated or does not exist in this namespace yet
+  }
+}
+
+```
+### Get all Secrets: 
+The response includes a list of generic secrets, their name, and their creation timestamp. No sensitive information is revealed in the response.
+
diff --git a/docs/sap-ai-core/index.md b/docs/sap-ai-core/index.md
@@ -51,7 +51,7 @@
         -   [Delete a Docker Registry Secret](delete-a-docker-registry-secret-5ff30f0.md)
     -   Manage Generic Secrets
         -   [Create a Generic Secret](create-a-generic-secret-1831845.md)
-        -   [List All Generic Secrets](list-all-generic-secrets-05a3713.md)
+        -   [Get Generic Secrets](get-generic-secrets-05a3713.md)
         -   [Update a Generic Secret](update-a-generic-secret-b5d5970.md)
         -   [Delete a Generic Secret](delete-a-generic-secret-d5d5187.md)
         -   [Consume Generic Secrets in Executions or Deployments](consume-generic-secrets-in-executions-or-deployments-185a324.md)

diff --git a/docs/sap-ai-core/list-all-generic-secrets-05a3713.md b/docs/sap-ai-core/list-all-generic-secrets-05a3713.md
diff --git a/docs/sap-ai-core/update-a-generic-secret-b5d5970.md b/docs/sap-ai-core/update-a-generic-secret-b5d5970.md
@@ -29,7 +29,11 @@ SAP AI Core lets you optionally use generic secrets at the following levels:
 
 Generic secrets are different to system secrets \(such as object store, Docker registry, and so on\) and can be used to store sensitive information, either for the main tenant, for all of its resource groups, or for each resource group via an API. The latter can be attached to containers in executions or deployments as environment variables or volume mounts.
 
-Tenant-wide secrets are only automatically propagated to the appropriate resource group when a new execution or deployment is created. They are not propagated to running deployments.
+> ### Note: 
+> In order to allow rotation of Tenant-Wide secrets for long-running deployments without restarting the deployment, the following guidelines must be followed:
+> - The deployment MUST mount the Tenant-Wide secret. For more information see [Consume a Generic Secret as a Volume Mount](consume-generic-secrets-in-executions-or-deployments-185a324.md)
+> - The deployment MUST monitor the mounted secret for changes instead of relying on an in-memory copy of the secret read from the mount.
+> - When a Tenant-Wide secret is updated, the tenant is responsible for observing the response of /secrets/{secret-name} endpoint to ensure that the Replicator has successfully updated the secret in all resource groups.
 
 
 
@@ -80,7 +84,11 @@ SAP AI Core lets you optionally use generic secrets at the following levels:
 
 Generic secrets are different to system secrets \(such as object store, Docker registry, and so on\) and can be used to store sensitive information, either for the main tenant, for all of its resource groups, or for each resource group via an API. The latter can be attached to containers in executions or deployments as environment variables or volume mounts.
 
-Tenant-wide secrets are only automatically propagated to the appropriate resource group when a new execution or deployment is created. They are not propagated to running deployments.
+> ### Note: 
+> In order to allow rotation of Tenant-Wide secrets for long-running deployments without restarting the deployment, the following guidelines must be followed:
+> - The deployment MUST mount the Tenant-Wide secret. For more information see [Consume a Generic Secret as a Volume Mount](consume-generic-secrets-in-executions-or-deployments-185a324.md)
+> - The deployment MUST monitor the mounted secret for changes instead of relying on an in-memory copy of the secret read from the mount.
+> - When a Tenant-Wide secret is updated, the tenant is responsible for observing the response of /secrets/{secret-name} endpoint to ensure that the Replicator has successfully updated the secret in all resource groups.