Secrets management is the secure storage, retrieval, and maintenance of sensitive information used to authenticate to external systems. Secrets include passwords, OAuth client secrets, SSH keys, TLS certificates, API tokens, and database connection strings.
Itential Platform integrates with several external systems. Secrets management ensures authentication credentials are stored, retrieved, updated, and deleted securely.
Platform supports multiple secrets management methods:
Platform encrypts sensitive data in MongoDB using your encryption key.
Configuration:
platform.properties: encryption_key property
Environment variable: ENCRYPTION_KEY
You manage and secure the encryption key and configure it using a platform property or environment variable. For information, see platform properties and environment variables.
Reference Vault or OpenBao secrets in adapters and integrations using $SECRET_<path> or $KEY_<path> syntax. Platform retrieves the referenced values at runtime, so the adapter configuration holds only the reference, not the credential itself.
Requirements:
HashiCorp Vault vs OpenBao:
For installation, see HashiCorp Vault or OpenBao documentation.
Configure adapters and integrations to retrieve credentials from CyberArk Central Credential Provider (CCP) at runtime.
Mask sensitive values in workflow task outputs and logs to prevent credentials from appearing in job history.
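The two mechanisms above, runtime resolution of $SECRET_<path> / $KEY_<path> references and masking of the resolved values in task output, are modelled together in the following added example. It is illustrative code written for this page, not Itential Platform code, and it makes several assumptions the page does not state: a reference is a whole string value of the form "$SECRET_<path>" or "$KEY_<path>", the <path> is looked up verbatim in the backend, both prefixes resolve the same way, and the Vault/OpenBao backend is replaced by a constructed in-memory Map. The function names (resolveSecretRefs, maskSecrets, renderTaskOutput), the MASK string and the sample paths and values are all constructed for the example.

```javascript
// Added example (not from the Itential docs or product). Models how a $SECRET_<path> or
// $KEY_<path> reference in an adapter configuration is replaced at runtime and how the
// resolved values are then masked before a task result reaches job history or logs.
// Assumptions: a reference is a whole string value; <path> is looked up verbatim; the
// backend is a constructed Map standing in for Vault/OpenBao.

const REF_PATTERN = /^\$(SECRET|KEY)_(.+)$/;
const MASK = '***';

// Constructed sample backend: path -> value. Real code would query Vault/OpenBao.
const SAMPLE_STORE = new Map([
  ['kv/servicenow/password', 'sn-p@ss-2024'],
  ['kv/jira/api_token', 'jira-tok-7f3a'],
  ['ssh/netbox-host/private_key',
    '-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----'],
]);

// Walk a config object and replace every reference with the backend value. Returns the
// resolved config plus the set of secret values so callers can mask them later.
// Fails closed: an unknown path throws instead of leaving the literal "$SECRET_..." in
// place, which would otherwise be sent to the external system as the credential.
function resolveSecretRefs(config, store) {
  const secretValues = new Set();
  const walk = (node) => {
    if (typeof node === 'string') {
      const m = REF_PATTERN.exec(node);
      if (!m) return node;
      const [, kind, path] = m;
      if (!store.has(path)) {
        // The error names the path, never the value.
        throw new Error(`unresolved $${kind}_ reference: ${path}`);
      }
      const value = store.get(path);
      secretValues.add(value);
      return value;
    }
    if (Array.isArray(node)) return node.map(walk);
    if (node && typeof node === 'object') {
      return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, walk(v)]));
    }
    return node;
  };
  return { resolved: walk(config), secretValues };
}

// Replace every known secret value in text with MASK. Longer values go first so a secret
// that contains another secret as a substring is masked whole. The JSON-escaped form is
// masked too, because that is how multi-line keys appear in serialized task output.
function maskSecrets(text, secretValues) {
  const values = [...secretValues]
    .filter((v) => typeof v === 'string' && v.length > 0)
    .sort((a, b) => b.length - a.length);
  let out = text;
  for (const v of values) {
    out = out.split(v).join(MASK);
    const escaped = JSON.stringify(v).slice(1, -1);
    if (escaped !== v) out = out.split(escaped).join(MASK);
  }
  return out;
}

// Serialize a task result for job history or logs with all resolved secrets masked.
function renderTaskOutput(result, secretValues) {
  return maskSecrets(JSON.stringify(result), secretValues);
}

// Constructed adapter configuration that carries references instead of literal credentials.
const SAMPLE_CONFIG = {
  servicenow: { host: 'sn.example.invalid', username: 'itential',
    password: '$SECRET_kv/servicenow/password' },
  jira: { apiToken: '$SECRET_kv/jira/api_token' },
  netbox: { sshKey: '$KEY_ssh/netbox-host/private_key' },
};

// Demo: a task that carelessly echoes the connection details it used still produces a
// masked record.
const demo = resolveSecretRefs(SAMPLE_CONFIG, SAMPLE_STORE);
const demoResult = { status: 'ok', usedPassword: demo.resolved.servicenow.password,
  key: demo.resolved.netbox.sshKey };
console.log(renderTaskOutput(demoResult, demo.secretValues));
```

The design point is that resolution and masking share one set of values: whatever the resolver pulled from the backend is exactly what the output filter must hide, so masking never depends on someone remembering to list each secret field by hand.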
Adapter and integration authentication: Secure credentials for ServiceNow, Jira, NetBox, AWS, Azure, and other external systems.
Identity provider integration: Secure OAuth client secrets, SAML certificates, and LDAP bind credentials for SSO configuration.
HTTPS configuration: Store TLS certificates and private keys for Platform HTTPS.
External secrets management systems do not automatically notify Platform of credential changes.
To rotate secrets:
Plan maintenance windows to minimize disruption.
Itential Automation Gateway (IAG) has its own, separate secrets management. IAG supports database encryption, HashiCorp Vault, OpenBao, CyberArk, and Ansible Vault. For details, see Configure IAG secret store.