Secrets management overview

What is Secrets Management?

Secrets management is the secure storage, retrieval, and maintenance of sensitive information used to authenticate to external systems. Secrets include passwords, OAuth client secrets, SSH keys, TLS certificates, API tokens, and database connection strings.

Itential Platform integrates with several external systems. Secrets management ensures authentication credentials are stored, retrieved, updated, and deleted securely.

Secrets Management Options

Platform supports multiple secrets management methods:

Method | Storage Location | Key Management | Best For
Platform database encryption | MongoDB | You manage encryption key | Simple deployments, single secrets store
HashiCorp Vault | External Vault server | Vault-managed | Enterprise deployments, existing Vault infrastructure
OpenBao | External OpenBao server | OpenBao-managed | Open-source requirements, Vault-compatible API
CyberArk CCP | External CyberArk server | CyberArk-managed | Enterprise credential management, existing CyberArk infrastructure

Platform Database Encryption

Platform encrypts sensitive data in MongoDB using your encryption key.

Configuration:

  • platform.properties: encryption_key property
  • Environment variable: ENCRYPTION_KEY

You manage and secure the encryption key yourself and configure it using either the platform property or the environment variable. For more information, see platform properties and environment variables.

HashiCorp Vault and OpenBao

Reference Vault or OpenBao secrets in adapters and integrations using $SECRET_<path> or $KEY_<path> syntax. Platform retrieves values at runtime.

Requirements:

  • KV v2 secrets engine (KV v1 not supported)
  • Vault namespaces not supported

HashiCorp Vault vs OpenBao:

  • HashiCorp Vault: Enterprise license, HashiCorp support
  • OpenBao: Open source (Apache 2.0), Vault-compatible API, community-driven

For installation, see HashiCorp Vault or OpenBao documentation.
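As an added example (not Itential's or Vault's own code), the preflight check a practitioner would run before wiring Platform to Vault or OpenBao: it reads a constructed `sys/mounts` response, flags which KV mounts are v2 (the only version Platform supports), and maps a `$SECRET_<path>` or `$KEY_<path>` reference to the KV v2 read endpoint. The assumption that `<path>` is `<mount>/<path-in-mount>` is mine, not from the page.

```python
import re
from typing import Dict, Tuple

# Constructed sample of a `GET /v1/sys/mounts` response body; the shape
# mirrors Vault/OpenBao, the mount names and values are made up.
SAMPLE_MOUNTS = {
    "secret/": {"type": "kv", "options": {"version": "2"}},
    "legacy/": {"type": "kv", "options": {"version": "1"}},
    "old-generic/": {"type": "generic", "options": None},
    "cubbyhole/": {"type": "cubbyhole", "options": None},
}

REF_RE = re.compile(r"^\$(SECRET|KEY)_(.+)$")


def kv2_mounts(mounts: Dict[str, dict]) -> Dict[str, bool]:
    """Map each KV-type mount to True if KV v2, False if KV v1.

    "generic" is the old name for KV v1, and a missing options.version
    also means v1. Non-KV engines (cubbyhole, pki, ...) are skipped.
    """
    result = {}
    for name, info in mounts.items():
        if info.get("type") not in ("kv", "generic"):
            continue
        opts = info.get("options") or {}
        result[name.rstrip("/")] = opts.get("version") == "2"
    return result


def resolve_read_path(reference: str, mounts: Dict[str, dict]) -> Tuple[str, str]:
    """Validate a $SECRET_/$KEY_ reference and return (kind, KV v2 API path).

    Assumption: <path> is "<mount>/<path-in-mount>". KV v2 reads insert a
    "data/" segment after the mount; KV v1 mounts are rejected because
    Platform does not support them.
    """
    m = REF_RE.match(reference)
    if not m:
        raise ValueError(f"not a secret reference: {reference!r}")
    kind, path = m.groups()
    mount, _, rest = path.partition("/")
    usable = kv2_mounts(mounts)
    if mount not in usable:
        raise ValueError(f"no KV mount {mount!r} for {reference!r}")
    if not usable[mount]:
        raise ValueError(f"mount {mount!r} is KV v1; Platform requires KV v2")
    if not rest:
        raise ValueError(f"{reference!r} names a mount but no secret path")
    return kind, f"v1/{mount}/data/{rest}"
```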

CyberArk Integration

Configure adapters and integrations to retrieve credentials from CyberArk Central Credential Provider (CCP) at runtime.

Workflow Task Masking

Mask sensitive values in workflow task outputs and logs to prevent credentials from appearing in job history.

Common Use Cases

Adapter and integration authentication: Secure credentials for ServiceNow, Jira, NetBox, AWS, Azure, and other external systems.

Identity provider integration: Secure OAuth client secrets, SAML certificates, and LDAP bind credentials for SSO configuration.

HTTPS configuration: Store TLS certificates and private keys for Platform HTTPS.

Secrets Rotation

External secrets management systems do not automatically notify Platform of credential changes.

To rotate secrets:

  1. Update the secret in your secrets management system.
  2. Restart the affected adapter or service.
  3. Verify connectivity to the external system.

Plan maintenance windows to minimize disruption.

IAG Secrets Management

Itential Automation Gateway has separate secrets management. IAG supports database encryption, HashiCorp Vault, OpenBao, CyberArk, and Ansible Vault. For details, see Configure IAG secret store.

Next Steps