Can Automise get credentials from a vault?

Even though I am encrypting the passwords that I use, I am being asked to store the credentials being used in Automise to connect to other applications (Salesforce, a database server on our network, etc) in a vault. Suggestions on our side are to use Hashi Vault or CA-PAM if possible (I am not really sure what either of those are). As a general question (getting specific later if needed), can Automise get credentials from a vault that is not local to the machine? If not, can it get credentials from a vault that is stored locally, if that is allowed on our end?

Hi Jonathan

I have no experience with Hashi Vault or CA-PAM - however a quick google and Vault seems like a good option. It has an HTTP API, so in theory we should be able to interact with it, whether it is local or remote.

Now as to whether Automise can do that with what is available today, I cannot say - I will need to investigate. I suspect we will need to create some actions for Vault - I will do some research on this today.

For CA-PAM - I assume that is the Broadcom product - there is no free version we could use - being Broadcom I am pretty sure it would be prohibitively expensive - so it’s unlikely we could ever add explicit support.

Hi Jonathan

I spent the last few hours looking at Hashicorp Vault (installed it to experiment with), and I can say for sure we need to add some actions for it - however it would be useful to know what features you require from it.

Authentication

Vault provides a bunch of ways to authenticate - not all of them would be practical for us to support.

After a quick read of the API docs we could certainly implement

  • Token (simple)
  • Username/Password (simple)
  • AppRole (a bit more complicated but doable)
  • LDAP (maybe, more research needed)
  • JWT (a bit more complicated but doable)

Secrets Engines

Vault has a bunch of different secret engines - however the only ones that would be practical for us to implement initially would be

  • Key Value (v1/v2)
  • Cubbyhole (ephemeral)

Most others require infrastructure that would be difficult or too costly for us to acquire.

I will do some more research on this and work out what actions would be needed.
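As an added illustration of the Vault HTTP API discussed in the post above (not Automise code and not part of the original thread): an AppRole login followed by a Key Value read, showing how the KV v1 and v2 paths and response shapes differ. The server address, mount names `secret` and `kv1`, the path `automise/jmeldb` and all credential values are assumptions constructed for the example, and `fake_vault` stands in for a real server so it runs offline.

```python
import json
import urllib.request

def http_json(method, url, headers=None, body=None):
    """Default transport: one HTTP(S) request, JSON in and out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def approle_login(addr, role_id, secret_id, send=http_json):
    """Exchange AppRole credentials for a client token."""
    reply = send("POST", f"{addr}/v1/auth/approle/login",
                 body={"role_id": role_id, "secret_id": secret_id})
    return reply["auth"]["client_token"]

def read_kv(addr, token, mount, path, kv_version=2, send=http_json):
    """Read one secret. KV v2 adds 'data/' to the URL and nests the payload."""
    prefix = f"{mount}/data" if kv_version == 2 else mount
    reply = send("GET", f"{addr}/v1/{prefix}/{path}",
                 headers={"X-Vault-Token": token})
    return reply["data"]["data"] if kv_version == 2 else reply["data"]

def fake_vault(method, url, headers=None, body=None):
    """Constructed stand-in for a Vault server so the example runs offline."""
    if url.endswith("/v1/auth/approle/login"):
        return {"auth": {"client_token": "constructed-token", "lease_duration": 1200}}
    if (headers or {}).get("X-Vault-Token") != "constructed-token":
        raise PermissionError("permission denied")
    if url.endswith("/v1/secret/data/automise/jmeldb"):   # KV v2 mount "secret"
        return {"data": {"data": {"password": "constructed-pw"},
                         "metadata": {"version": 3}}}
    if url.endswith("/v1/kv1/automise/jmeldb"):           # KV v1 mount "kv1"
        return {"data": {"password": "constructed-pw"}}
    raise LookupError("no such path")

if __name__ == "__main__":
    addr = "https://vault.example.internal:8200"          # hypothetical address
    tok = approle_login(addr, "constructed-role-id", "constructed-secret-id",
                        send=fake_vault)
    # Print only the field names, never the secret values themselves.
    print(list(read_kv(addr, tok, "secret", "automise/jmeldb", send=fake_vault)))
    print(list(read_kv(addr, tok, "kv1", "automise/jmeldb", kv_version=1,
                       send=fake_vault)))
```

Dropping the `send=fake_vault` argument makes the same calls go to a real server over the network.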

Thank you for looking into this! As far as I know, we would need the capability to store a password in the vault manually, but have Automise pull the credentials out when needed. For instance, I have an ID that connects to our local DB server. Call it jmeldb. Automise currently would get the password for jmeldb from the encrypted file that exists locally. In the new setup, Automise would connect to the vault and get the password for jmeldb from there. The vault would exist on the network but not on the local machine. I suppose it COULD reside on the local machine, but I don’t think that is the preferred setup.

Given the requirements listed above, is it possible to have this added to Automise? Or do we need to pursue something different?

And, is it possible to connect to Azure KeyVault? I am being told that for us, it has to be that.

Hi Jonathan

We’ll look into it. Azure has a REST API so we should be able to do something.

That would be great. I am being pressured to move away from Automise if we need to keep the credentials (even if encrypted) on the local machine. I know this is not your problem, but we have used Automise for a very long time and I really like it. I would like to keep using it if I can.

Hi Jonathan

Do you know if you will be using certificates to authenticate with Azure Key Vault? We have it working (in a demo app) but not with certificates so far.

I asked our team, and this is the response that I received:

“We can use SPN (Server Principal Name) with a certificate to Authenticate to Azure Key Vault or we can use managed identity. Would prefer both options.”

Hi Jonathan

We have it working with certificates now and are working on managed identity support. That will take a bit longer to test since it needs to be done in the Azure environment. Hopefully we will have something to show later this week.

That is fantastic. I have passed on your update. Thank you!

Hi Jonathan

We managed to get the new Azure Key Vault - Get Secret action finished and tested on Azure today (most of the time was just understanding how to configure Azure).

https://downloads.finalbuilder.com/downloads/automise/550/AT550_1737.exe
https://downloads.finalbuilder.com/downloads/automise/550/ATCMD550_1737.exe
https://downloads.finalbuilder.com/downloads/automise/550/AutomiseRunner550_1737.exe

It’s pretty simple to use - especially if you are using it on an Azure VM using System Assigned managed identity.

The action supports authentication by

  • Client Secret
  • Certificate file (pfx plus password)
  • Certificate store (thumbprint of certificate in the windows certificate store)
  • System assigned Managed Identity
  • User assigned Managed Identity

We’ll get the help topic done tomorrow.
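As an added illustration of the managed identity options listed in the post above (not Automise code and not part of the original thread): on an Azure VM, a token for Key Vault is requested from the instance metadata service and then presented to the Key Vault REST API, with a `client_id` parameter selecting a user assigned identity. The vault name `contoso-automise`, the secret name `jmeldb` and all returned values are assumptions constructed for the example, and `fake_azure` stands in for both services so it runs offline.

```python
import json
import re
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
NAME_RE = re.compile(r"[0-9A-Za-z-]{1,127}")   # Key Vault names: alphanumerics and dashes

def http_get_json(url, headers):
    """Default transport: one GET request returning parsed JSON."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def imds_token_request(client_id=None):
    """Build the IMDS call for a Key Vault token.
    No client_id selects the system assigned identity; a client_id selects
    that user assigned identity."""
    params = {"api-version": "2018-02-01", "resource": "https://vault.azure.net"}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}

def get_secret(vault_name, secret_name, client_id=None, send=http_get_json):
    """Fetch the latest version of a secret using the VM's managed identity."""
    for name in (vault_name, secret_name):
        if not NAME_RE.fullmatch(name):        # keep caller input out of the URL structure
            raise ValueError(f"invalid Key Vault name: {name!r}")
    url, headers = imds_token_request(client_id)
    bearer = send(url, headers)["access_token"]
    secret_url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.4"
    return send(secret_url, {"Authorization": f"Bearer {bearer}"})["value"]

def fake_azure(url, headers):
    """Constructed stand-in for IMDS and Key Vault so the example runs offline."""
    if url.startswith(IMDS_TOKEN_URL):
        if headers.get("Metadata") != "true":
            raise PermissionError("IMDS requires the Metadata: true header")
        return {"access_token": "constructed-access-token", "token_type": "Bearer"}
    if headers.get("Authorization") != "Bearer constructed-access-token":
        raise PermissionError("401 Unauthorized")
    if url == "https://contoso-automise.vault.azure.net/secrets/jmeldb?api-version=7.4":
        return {"value": "constructed-pw", "id": url.split("?")[0]}
    raise LookupError("SecretNotFound")

if __name__ == "__main__":
    # Print only the length, never the secret value itself.
    print(len(get_secret("contoso-automise", "jmeldb", send=fake_azure)))
```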

That’s an amazing turnaround. You should make sure to publicize this…there are likely other clients who would be interested.

I did try running the executable above on the machine, to install it, and it does not start anything when I try to open it. No screens come up. I was able to download it fine, but the install might have a problem? This is AT550_1737.exe

That’s odd, I just installed it on a Windows Server 2025 vm on Azure and it installed and ran fine.

I hate to say it, but perhaps antivirus?

In the meantime, we have uploaded a newer build with some minor fixes (error handling for certificate files, and the browse for certificate button didn’t work).

https://downloads.finalbuilder.com/downloads/automise/550/AT550_1739.exe
https://downloads.finalbuilder.com/downloads/automise/550/ATCMD550_1739.exe
https://downloads.finalbuilder.com/downloads/automise/550/AutomiseRunner550_1739.exe

I installed on Azure and tested that this build installs and works.

Another build, added support for choosing which certificate store to find the certificate in.

https://downloads.finalbuilder.com/downloads/automise/550/AT550_1740.exe
https://downloads.finalbuilder.com/downloads/automise/550/ATCMD550_1740.exe
https://downloads.finalbuilder.com/downloads/automise/550/AutomiseRunner550_1740.exe

And though it is not antivirus, the install issue is on our end. I will keep you posted if I get to do the install of the new version.

Finally completed the install. Will look at the new features tomorrow/Friday if I can.

Has the documentation been completed for the Vault feature?