Configuring and linking secret lookups

automation controller can be configured to retrieve secrets from third-party secret management systems, such as HashiCorp Vault, AWS Secrets Manager, CyberArk Conjur, and others.

About this task

Learn how to configure automation controller to retrieve secrets from third-party systems by linking credential fields to external credentials that contain the necessary information to authenticate and retrieve secrets from these systems.

When pulling a secret from a third-party system, you are linking credential fields to external systems. To link a credential field to a value stored in an external system, select the external credential corresponding to that system and provide metadata to look up the required value. The metadata input fields are part of the external credential type definition of the source credential.

Automation controller provides a credential plugin interface for developers, integrators, system administrators, and power-users with the ability to add new external credential types to extend it to support other secret management systems.

Use the following procedure to use automation controller to configure and use each of the supported third-party secret management systems.

Procedure

  1. Create an external credential for authenticating with the secret management system. At minimum, give a name for the external credential and select one of the following for the Credential type field:
  2. For any of the fields that follow the Type Details area that you want to link to the external credential, click the key Link icon in the input field to link one or more input fields to the external credential along with metadata for locating the secret in the external system.
  3. Select the input source to use to retrieve your secret information.
  4. Select the credential you want to link to, and click Next. This takes you to the Metadata tab of the input source. This example shows the Metadata prompt for HashiVault Secret Lookup. Metadata is specific to the input source you select.

    For more information, see the Metadata for credential input sources table.

  5. Click Test to verify connection to the secret management system. If the lookup is unsuccessful, an error message displays.
  6. Click OK. You return to the Details screen of your target credential.
  7. Repeat these steps, starting with Step 3 to complete the remaining input fields for the target credential. By linking the information in this manner, automation controller retrieves sensitive information, such as username, password, keys, certificates, and tokens from the third-party management systems and populates the remaining fields of the target credential form with that data.
  8. If necessary, supply any information manually for those fields that do not use linking as a way of retrieving sensitive information. For more information about each of the fields, see the appropriate Credential types.
  9. Click Save.