Automation Suite on EKS/AKS installation guide
You can configure HashiCorp Vault as a secretstore using either of the following auth methods:
- Kubernetes Auth
- AppRole Auth
HashiCorp Vault provides a KV (Key-Value) secrets engine for storing secrets.
By default, all sensitive data is defined in input.json. You can separate this data into two parts:
- input.json - contains only configuration data.
- HashiCorp Vault - stores credentials securely.
You cannot store certificate paths or certificate-related credentials as part of the secretstore.
All credentials referenced in input.json must exist as secrets in HashiCorp Vault before you configure the secretstore. If any referenced credential is missing, the installation fails.
Using Kubernetes Auth
The ESO pod authenticates to HashiCorp Vault using its Kubernetes service account token. Vault authenticates the token against the Kubernetes API server and issues a Vault token with the appropriate policies.
Prerequisites
- HashiCorp Vault with Kubernetes auth method enabled
- Vault role configured to allow the ESO service account. By default, the service account name is external-secrets.
- Network connectivity from the Kubernetes cluster to the Vault server
- (Optional) A custom Kubernetes ServiceAccount, if not using the ESO default service account
Configuring input.json
To configure HashiCorp Vault as a secretstore using Kubernetes Auth, add the following section to input.json:
```json
{
  "secret_store": {
    "enabled": true,
    "provider_configs": [
      {
        "name": "hc-vault",
        "type": "hashicorp",
        "auth_type": "kubernetes",
        "hashicorp_kv": {
          "server": "https://vault.example.com:8200",
          "path": "secret",
          "version": "v2",
          "role": "uipath-role",
          "mount_path": "kubernetes"
        }
      }
    ]
  }
}
```
To use a custom ServiceAccount, add the service_account_name field as follows:
```json
{
  "secret_store": {
    "enabled": true,
    "provider_configs": [
      {
        "name": "hc-vault",
        "type": "hashicorp",
        "auth_type": "kubernetes",
        "service_account_name": "vault-auth-sa",
        "hashicorp_kv": {
          "server": "http://vault.example.com:8200",
          "path": "secret",
          "version": "v2",
          "role": "uipath-role",
          "mount_path": "kubernetes"
        }
      }
    ]
  }
}
```
If service_account_name is configured, the ServiceAccount must be pre-created by the customer. uipathctl validates its existence but does not create it.
Using AppRole Auth
AppRole auth uses Vault's AppRole auth method, where ESO authenticates with a Role ID and Secret ID stored in a Kubernetes secret. This method is suitable for automated systems and does not require Kubernetes auth to be enabled in Vault.
Prerequisites
- HashiCorp Vault with AppRole auth method enabled
- AppRole Role ID and Secret ID generated
- Kubernetes secret pre-created with AppRole credentials
Configuring input.json
To configure HashiCorp Vault as a secretstore using AppRole Auth, take the following steps:
1. Create the Kubernetes secret that stores the AppRole credentials:
```shell
kubectl create secret generic vault-approle-creds \
  --namespace uipath \
  --from-literal=role-id=<your-role-id> \
  --from-literal=secret-id=<your-secret-id>
```
The secret must contain the following keys:
- role-id - AppRole Role ID from Vault
- secret-id - AppRole Secret ID from Vault
2. Add the following section to input.json:
```json
{
  "secret_store": {
    "enabled": true,
    "provider_configs": [
      {
        "name": "hc-vault",
        "type": "hashicorp",
        "auth_type": "approle",
        "credentials_secret_name": "vault-approle-creds",
        "hashicorp_kv": {
          "server": "https://vault.example.com:8200",
          "path": "secret",
          "version": "v2",
          "mount_path": "approle"
        }
      }
    ]
  }
}
```
Configuration fields
The following table describes the available configuration fields.
| Field | Required | Default | Description |
|---|---|---|---|
| hashicorp_kv.server | Yes | - | Vault server URL |
| hashicorp_kv.path | No | secret | KV secrets engine mount path |
| hashicorp_kv.version | No | v2 | KV engine version: v1 or v2 |
| hashicorp_kv.role | No | uipath-role | Vault role name for authentication |
| hashicorp_kv.mount_path | No | kubernetes or approle (based on auth_type) | Auth method mount path |
| auth_type | Yes | - | Must be kubernetes or approle |
| credentials_secret_name | Yes (AppRole only) | - | Kubernetes secret containing the role-id and secret-id keys |
| service_account_name | No | external-secrets | Kubernetes ServiceAccount for Kubernetes Auth. If a custom ServiceAccount is specified, you must pre-create it in the cluster. |
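As an added illustration (not uipathctl code), the following Python script encodes the rules in the table above as a pre-flight check on a hashicorp provider entry: it fills in the defaults, enforces the auth_type-specific requirements, and flags a plain-http server. The input.json fragment at the end is a constructed sample.

```python
import json

KV_DEFAULTS = {"path": "secret", "version": "v2", "role": "uipath-role"}
AUTH_MOUNT_DEFAULTS = {"kubernetes": "kubernetes", "approle": "approle"}
DEFAULT_SERVICE_ACCOUNT = "external-secrets"


def check_provider(cfg):
    """Return (effective config with defaults filled in, list of problems) for one entry."""
    problems = []
    auth = cfg.get("auth_type")
    kv = dict(cfg.get("hashicorp_kv", {}))
    if auth not in AUTH_MOUNT_DEFAULTS:
        problems.append("auth_type must be kubernetes or approle")
    if not kv.get("server"):
        problems.append("hashicorp_kv.server is required")
    elif not kv["server"].startswith("https://"):
        # Not forbidden by the table, but the Vault token and every fetched secret cross the network in clear.
        problems.append("warning: hashicorp_kv.server is not https")
    for field, default in KV_DEFAULTS.items():
        kv.setdefault(field, default)
    if kv["version"] not in ("v1", "v2"):
        problems.append("hashicorp_kv.version must be v1 or v2")
    kv.setdefault("mount_path", AUTH_MOUNT_DEFAULTS.get(auth))  # default follows auth_type
    effective = {"name": cfg.get("name"), "auth_type": auth, "hashicorp_kv": kv}
    if auth == "approle":
        if cfg.get("credentials_secret_name"):
            effective["credentials_secret_name"] = cfg["credentials_secret_name"]
        else:
            problems.append("credentials_secret_name is required for approle")
    elif auth == "kubernetes":
        # A custom ServiceAccount must already exist; uipathctl only validates it.
        effective["service_account_name"] = cfg.get("service_account_name", DEFAULT_SERVICE_ACCOUNT)
    return effective, problems


def check_secret_store(text):
    """Run check_provider over every hashicorp provider in an input.json document."""
    store = json.loads(text).get("secret_store", {})
    if not store.get("enabled"):
        return {}
    return {p["name"]: check_provider(p)
            for p in store.get("provider_configs", []) if p.get("type") == "hashicorp"}


# Constructed sample: an AppRole entry that omits credentials_secret_name.
SAMPLE_INPUT_JSON = json.dumps({"secret_store": {"enabled": True, "provider_configs": [
    {"name": "hc-vault", "type": "hashicorp", "auth_type": "approle",
     "hashicorp_kv": {"server": "https://vault.example.com:8200"}}]}})
```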
TLS CA certificate handling
When the Vault server uses HTTPS with a private CA certificate, configure additional_ca_certs in input.json with the CA certificate file path:
```
additional_ca_certs: /path/to/client_cert
```
No additional configuration is needed in the hashicorp_kv block.
Referencing secrets in input.json
To reference a credential stored in HashiCorp Vault, use the following format in input.json:
```
vault/<vault-name>/<secret-path>?key=<key-name>
```
- Specific field: vault/hc-vault/s3-credentials?key=access_key
- Pinned version: vault/hc-vault/platform-sql?version=2
The following example shows how to reference a HashiCorp Vault secret in input.json:
```
admin_password: vault/hc-vault/admin-password-10832372?key=value
```
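The following Python parser is an added example (not uipathctl code) for the reference format above: it splits a reference into vault name, secret path, key and pinned version, walks an input.json document for every such reference, and reports any that names a provider missing from provider_configs. The document is a constructed sample, and the parser goes beyond the page's examples in accepting key and version together.

```python
import json

# Constructed sample input.json: "other-vault" is deliberately not declared so the check has something to report.
SAMPLE_INPUT_JSON = """{
  "secret_store": {"enabled": true, "provider_configs": [{"name": "hc-vault", "type": "hashicorp"}]},
  "admin_password": "vault/hc-vault/admin-password-10832372?key=value",
  "external_object_storage": {"access_key": "vault/hc-vault/s3-credentials?key=access_key"},
  "sql": {"password": "vault/other-vault/platform-sql?version=2"}
}"""


def parse_vault_ref(ref):
    """Parse vault/<vault-name>/<secret-path>?key=<key>&version=<n>; return None for non-references."""
    if not isinstance(ref, str) or not ref.startswith("vault/"):
        return None
    location, _, query = ref.partition("?")
    segments = location.split("/", 2)  # ["vault", "<vault-name>", "<secret-path>"]
    if len(segments) != 3 or not segments[1] or not segments[2]:
        raise ValueError(f"malformed vault reference: {ref!r}")
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        if name not in ("key", "version") or not value:
            raise ValueError(f"unsupported or empty parameter {name!r} in {ref!r}")
        params[name] = value
    version = params.get("version")
    if version is not None and not version.isdigit():
        raise ValueError(f"version must be an integer in {ref!r}")
    return {"vault": segments[1], "path": segments[2],
            "key": params.get("key"), "version": int(version) if version else None}


def find_vault_refs(node, location="$"):
    """Yield (json_path, parsed_ref) for every vault/ reference anywhere in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_vault_refs(value, f"{location}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_vault_refs(value, f"{location}[{index}]")
    else:
        parsed = parse_vault_ref(node)
        if parsed:
            yield location, parsed


def check_references(text):
    """Return the json paths whose reference names a provider absent from provider_configs."""
    doc = json.loads(text)
    providers = {p["name"] for p in doc.get("secret_store", {}).get("provider_configs", [])}
    return [loc for loc, ref in find_vault_refs(doc) if ref["vault"] not in providers]
```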