Even though I am encrypting the passwords that I use, I am being asked to store the credentials being used in Automise to connect to other applications (Salesforce, a database server on our network, etc) in a vault. Suggestions on our side are to use Hashi Vault or CA-PAM if possible (I am not really sure what either of those are). As a general question (getting specific later if needed), can Automise get credentials from a vault that is not local to the machine? If not, can it get credentials from a vault that is stored locally, if that is allowed on our end?
Hi Jonathan
I have no experience with Hashi Vault or CA-PAM - however a quick Google and Vault seems like a good option. It has an HTTP API, so in theory we should be able to interact with it, whether it is local or remote.
Now as to whether Automise can do that with what is available today, I cannot say - I will need to investigate. I suspect we will need to create some actions for Vault - I will do some research on this today.
For CA-PAM - I assume that is the Broadcom product - there is no free version we could use - being Broadcom I am pretty sure it would be prohibitively expensive - so it’s unlikely we could ever add explicit support.
Hi Jonathan
I spent the last few hours looking at Hashicorp Vault (installed it to experiment with), and I can say for sure we need to add some actions for it - however it would be useful to know what features you require from it.
Authentication
Vault provides a bunch of ways to authenticate - not all of them would be practical for us to support.
After a quick read of the API docs we could certainly implement:
- Token (simple)
- Username/Password (simple)
- AppRole (a bit more complicated but doable)
- LDAP (maybe, more research needed)
- JWT (a bit more complicated but doable)
Secrets Engines
Vault has a bunch of different secret engines - however the only ones that would be practical for us to implement initially would be:
- Key Value (v1/v2)
- Cubbyhole (ephemeral)
Most others require infrastructure that would be difficult or too costly for us to acquire.
I will do some more research on this and work out what actions would be needed.
Thank you for looking into this! As far as I know, we would need the capability to store a password in the vault manually, but have Automise pull the credentials out when needed. For instance, I have an ID that connects to our local DB server. Call it jmeldb. Automise currently would get the password for jmeldb from the encrypted file that exists locally. In the new setup, Automise would connect to the vault and get the password for jmeldb from there. The vault would exist on the network but not on the local machine. I suppose it COULD reside on the local machine, but I don’t think that is the preferred setup.
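The workflow the thread converges on (a password placed in Vault by hand, pulled out at run time by the automation tool, with the vault living on the network rather than on the local machine) can be shown end to end against Vault's HTTP API. The following is an added example, not Automise's code and not HashiCorp's client library: a minimal Python client that authenticates with AppRole (one of the methods listed above) and reads one field from a KV v2 secret. The endpoint paths and JSON shapes follow the public Vault HTTP API; the Vault address, mount name, secret path, role_id and secret_id are constructed placeholders, and an in-memory fake transport stands in for a real server so the example runs offline.

```python
"""Added example: minimal HashiCorp Vault HTTP API client (AppRole login +
KV v2 read). Not Automise's or HashiCorp's code. Endpoint paths and response
shapes follow the public Vault API; all addresses and IDs are placeholders."""
import json
import urllib.request
import urllib.error


def http_transport(method, url, headers, body):
    """Send one request to a real Vault server; return (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class VaultClient:
    def __init__(self, addr, transport=http_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token = None  # held in memory only, never written to disk

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token  # Vault's token header
        status, payload = self.transport(method, f"{self.addr}/v1/{path}", headers, body)
        if status != 200:
            # Vault reports failures as {"errors": [...]}. The request body is
            # deliberately not echoed: it may hold the secret_id or a password.
            raise RuntimeError(f"Vault {method} {path} failed: {status} {payload.get('errors')}")
        return payload

    def login_approle(self, role_id, secret_id):
        """POST auth/approle/login -> auth.client_token used for later calls."""
        auth = self._call("POST", "auth/approle/login",
                          {"role_id": role_id, "secret_id": secret_id})["auth"]
        self.token = auth["client_token"]
        return auth["lease_duration"]

    def read_kv2(self, mount, path):
        """KV v2: GET <mount>/data/<path>; the secret lives under data.data."""
        payload = self._call("GET", f"{mount}/data/{path}")
        return payload["data"]["data"], payload["data"]["metadata"]["version"]


def fetch_password(client, mount, path, key):
    """Pull one field (e.g. the jmeldb password) out of a KV v2 secret."""
    secret, _version = client.read_kv2(mount, path)
    if key not in secret:
        raise KeyError(f"secret {mount}/{path} has no field {key!r}")
    return secret[key]


# --- constructed in-memory stand-in for a Vault server (offline demo only) ---
FAKE_ROLE_ID = "role-id-placeholder"
FAKE_SECRET_ID = "secret-id-placeholder"
FAKE_TOKEN = "hvs.constructed-token"
FAKE_STORE = {"secret/data/db/jmeldb": {"username": "jmeldb", "password": "constructed-pw"}}


def fake_vault(method, url, headers, body):
    """Mimics the two Vault endpoints the client uses, including auth failures."""
    path = url.split("/v1/", 1)[1]
    if method == "POST" and path == "auth/approle/login":
        if body == {"role_id": FAKE_ROLE_ID, "secret_id": FAKE_SECRET_ID}:
            return 200, {"auth": {"client_token": FAKE_TOKEN, "lease_duration": 3600, "renewable": True}}
        return 400, {"errors": ["invalid role or secret ID"]}
    if headers.get("X-Vault-Token") != FAKE_TOKEN:
        return 403, {"errors": ["permission denied"]}
    if method == "GET" and path in FAKE_STORE:
        return 200, {"data": {"data": FAKE_STORE[path], "metadata": {"version": 1}}}
    return 404, {"errors": []}


def demo():
    """Log in, then fetch the jmeldb password from the network vault (faked here)."""
    client = VaultClient("http://vault.example.internal:8200", transport=fake_vault)
    client.login_approle(FAKE_ROLE_ID, FAKE_SECRET_ID)
    return fetch_password(client, "secret", "db/jmeldb", "password")


if __name__ == "__main__":
    print("fetched a password of length", len(demo()))
```

To use it against a real server, construct `VaultClient("https://vault.example.internal:8200")` with no `transport` argument; the only local state the tool then needs is the AppRole `role_id` and `secret_id` (or a token), which replaces the encrypted password file the thread mentions. Reads of other engines differ only in the path: KV v1 and Cubbyhole return the secret directly under `data` with no `/data/` segment and no version metadata.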