Orchestrator User Guide
Azure Key Vault Integration
Azure Key Vault is a plugin you can use as a credential store with Orchestrator.
There are two plugins included:
- Azure Key Vault – a read-write plugin (secrets are created through Orchestrator)
- Azure Key Vault (read-only) – a read-only plugin (you must provision the secrets in the vault directly)
- Azure Key Vault credential stores use RBAC authentication. Azure Key Vault requires the Key Vault Secrets Officer role, and Azure Key Vault (read-only) requires the Key Vault Secrets User role.
- Create the Key Vault to be used with Orchestrator in your Azure account. See Microsoft's official documentation for details.
In the App Registrations pane of the Azure Portal, follow these steps:
- Create a new app registration.
- Copy the Application (Client) ID for later use.
- Go to Manage > Certificates & Secrets > New client secret, and add a new client secret. Make a note of the expiration you chose, and create a new secret before the current one expires.
- Copy the Value of the secret for later use.
In the Azure Key Vault, follow these steps:
- Access the Key Vault's Overview page, and copy the Vault URI and Directory ID for later use.
- Select Settings > Access Policies from the menu on the left.
- Click Add access policy. The required access policy permissions are Secret Get and Secret Set.
- From the Configure from template (optional) drop-down menu, select Secret Management.
- Click None selected in the Authorized application section to enable the Select principal field.
- Enter the app registration name, confirm that the Application ID is correct, and select this principal.
- Click Add.
- Click Save.
You are now ready to use the Vault URI, Directory ID, Application (Client) ID, and the secret's Value to configure a new credential store.
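The access policy created in the steps above can be checked against the two permissions this page lists as required (Secret Get and Secret Set). The following is an added example, not UiPath or Microsoft code: it audits one principal's policy in JSON shaped like the output of `az keyvault show`. The sample vault, the object IDs, and the function name `audit_policy` are constructed for illustration, and matching on the service principal's object ID is an assumption of this example.

```python
import json

# Permissions the page lists as required for the access policy.
REQUIRED_SECRET_PERMS = frozenset({"get", "set"})

# Constructed sample shaped like `az keyvault show --name <vault>` output;
# the vault name and object IDs are made up for this example.
SAMPLE_VAULT_JSON = """
{"name": "example-orchestrator-kv", "properties": {"accessPolicies": [
  {"objectId": "11111111-1111-1111-1111-111111111111",
   "permissions": {"keys": [], "certificates": [],
     "secrets": ["Get", "List", "Set", "Delete", "Recover", "Backup", "Restore"]}},
  {"objectId": "22222222-2222-2222-2222-222222222222",
   "permissions": {"keys": ["get"], "certificates": null, "secrets": ["get"]}}
]}}
"""
SAMPLE_VAULT = json.loads(SAMPLE_VAULT_JSON)

def audit_policy(vault, sp_object_id, required=REQUIRED_SECRET_PERMS):
    """Return found/missing/excess permissions for one principal's access policy."""
    result = {"found": False, "missing": sorted(required), "excess": []}
    policies = (vault.get("properties") or {}).get("accessPolicies") or []
    for policy in policies:
        if (policy.get("objectId") or "").lower() != sp_object_id.lower():
            continue
        perms = policy.get("permissions") or {}
        granted = {p.lower() for p in perms.get("secrets") or []}
        # Key, certificate and storage permissions are outside what the page requires.
        other = sorted(f"{kind}:{p.lower()}"
                       for kind in ("keys", "certificates", "storage")
                       for p in perms.get(kind) or [])
        result = {"found": True,
                  "missing": sorted(required - granted),
                  "excess": sorted(granted - required) + other}
    return result

if __name__ == "__main__":
    for oid in ("11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222"):
        print(oid, audit_policy(SAMPLE_VAULT, oid))
```

Anything reported under `excess` is a permission the Orchestrator app registration holds beyond Secret Get and Secret Set.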
When using the Azure Key Vault (read-only) plugin, the Vault admin is responsible for correctly provisioning the secrets that Orchestrator will use. The format in which these secrets must be provisioned differs between secret types (asset versus robot password) and between secret engines.
For instructions on how to provision the secrets, see the following: