- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Setup Samples
- Storing Robot Credentials in CyberArk
- Setting up Attended Robots
- Setting up Unattended Robots
- Storing Unattended Robot Passwords in Azure Key Vault (read-only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read-only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- SmartCard Authentication
- Audit
- Managing Credential Stores
- CyberArk® CCP Integration
- Azure Key Vault Integration
- HashiCorp Vault Integration
- BeyondTrust Integration
- Resource Catalog Service
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Integrations
- Classic Robots
- Troubleshooting
HashiCorp Vault Integration
HashiCorp Vault is a plugin you can use as a credential store with Orchestrator.
There are two plugins included:
- HashiCorp Vault – a read-write plugin (secrets are created through Orchestrator)
- HashiCorp Vault (read-only) – a read-only plugin (you must provision the secrets in the vault directly)
-
You must configure one of the supported authentication methods:
- AppRole (recommended)
- UsernamePassword
- LDAP
-
Token
See how to configure authentication.
-
You must configure one of the supported secrets engines:
- KeyValueV1 - available for both HashiCorp Vault and HashiCorp Vault (read-only) plugins
- KeyValueV2 - available for both HashiCorp Vault and HashiCorp Vault (read-only) plugins
- ActiveDirectory - available only for HashiCorp Vault (read-only) plugin
-
The chosen authentication method must have a policy that allows the following capabilities on the path where you plan to store your secrets:
- For HashiCorp Vault (read-only) plugin:
read
- For HashiCorp Vault plugin:
create
,read
,update
,delete
, and optionallydelete
on the metadata path, if using theKeyValueV2
secrets engine
- For HashiCorp Vault (read-only) plugin:
The following is an example of how to configure a development version of HashiCorp Vault, running in a docker container, to be used as a credential store with Orchestrator. The examples should be adapted to your own environment. Please consult the official documentation of HashiCorp Vault for details.
To start creating and reading secrets, you first need to configure the authentication method by taking the following steps:
Output of this command:
====== Metadata ======
Key Value
--- -----
created_time 2020-10-12T06:24:41.7827631Z
deletion_time n/a
destroyed false
version 1
=========== Data ===========
Key Value
--- -----
supersecretpassword 123456====== Metadata ======
Key Value
--- -----
created_time 2020-10-12T06:24:41.7827631Z
deletion_time n/a
destroyed false
version 1
=========== Data ===========
Key Value
--- -----
supersecretpassword 123456
====== Metadata ======
Key Value
--- -----
created_time 2020-10-12T06:24:41.7827631Z
deletion_time n/a
destroyed false
version 1
=========== Data ===========
Key Value
--- -----
supersecretpassword 123456====== Metadata ======
Key Value
--- -----
created_time 2020-10-12T06:24:41.7827631Z
deletion_time n/a
destroyed false
version 1
=========== Data ===========
Key Value
--- -----
supersecretpassword 123456
You can also enable appRole Orchestrator by running the following command:
/ # vault auth enable approle
/ # vault write auth/approle/role/orchestrator policies=orchestrator-policy
/ # vault read auth/approle/role/orchestrator/role-id
/ # vault write -f auth/approle/role/orchestrator/secret-id
/ # vault auth enable approle
/ # vault write auth/approle/role/orchestrator policies=orchestrator-policy
/ # vault read auth/approle/role/orchestrator/role-id
/ # vault write -f auth/approle/role/orchestrator/secret-id
You will now have a role-id and secret-id for configuring in Orchestrator.
To configure the Active Directory secrets engine, take the following steps:
When using HashiCorp Vault (read-only) plugin, the Vault admin is responsible for correctly provisioning the secrets that Orchestrator will use. The format in which these secrets must be provisioned differs between secret types (asset versus robot password) and between secret engines.
For instructions on how to provision the secrets, see the following: