HashiCorp Vault is a tool designed for managing secrets and protecting sensitive data. It provides a secure way to store, manage, and control access to tokens, passwords, certificates, encryption keys, and other secrets used by your applications. You can configure your organization to retrieve sensitive connection credentials from HashiCorp Vault instead of directly entering the credentials in the connection properties.
To configure your organization to retrieve secrets from Vault, enable secret vault in Administrator, select HashiCorp Vault as the secrets manager, and configure the connection properties. Then, you can configure connections to retrieve sensitive credentials from Vault.
HashiCorp Vault authentication
Informatica Intelligent Cloud Services uses AppRole authentication to authenticate with HashiCorp Vault. Upon successful authentication, Vault issues a client token to Informatica Intelligent Cloud Services. The token carries the policies attached to the AppRole, and those policies determine which secret paths the Secure Agent can read.
The token can be either of the following types:
•Batch token. Batch tokens have a fixed, short-term time to live and are not renewable. They are not recommended for long-running jobs.
•Service token. Service tokens are suitable for long-running jobs and can be renewed to extend their lifespan. Vault issues service tokens by default.
Because service tokens have a longer lifespan and can be renewed, you must configure the HashiCorp Vault AppRole to issue service tokens to Informatica Intelligent Cloud Services (the token_type setting of the AppRole role must be service). If Vault issues a batch token and the token expires, the Secure Agent can't renew it and can no longer connect to Vault to retrieve secrets.
For more information about client tokens, see the HashiCorp Vault documentation.
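The AppRole exchange described above, with the token-type check a Secure Agent deployment needs, as an added example that is not Informatica's or HashiCorp's code. The HTTP transport is injected so the logic can run offline against constructed replies shaped like Vault's real login response; pass vault_post() to talk to a real server. The Vault address, role ID, secret ID and token strings are placeholders.

```python
"""AppRole login against the Vault HTTP API with the token-type check described above.

Added example, not Informatica's or HashiCorp's code. The HTTP transport is injected so
the logic can run offline against constructed replies; pass vault_post() for a real server.
The Vault address, role ID and secret ID below are placeholders.
"""
import json
import urllib.request

LOGIN_PATH = "/v1/auth/approle/login"  # AppRole login endpoint of the Vault HTTP API


class TokenTypeError(RuntimeError):
    """Raised when Vault issues a token the Secure Agent can't keep alive."""


def vault_post(url, body):
    """Real transport: POST a JSON body to Vault and return the decoded JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def approle_login(post, vault_addr, role_id, secret_id):
    """Exchange the AppRole role ID and secret ID for a client token and vet it.

    Returns Vault's ``auth`` object. Raises TokenTypeError for a batch token: it has a
    fixed TTL and can't be renewed, so a long-running job loses access to Vault once it
    expires. The fix is on the Vault side: set token_type=service on the AppRole role.
    """
    reply = post(vault_addr.rstrip("/") + LOGIN_PATH,
                 {"role_id": role_id, "secret_id": secret_id})
    auth = reply.get("auth") or {}
    if not auth.get("client_token"):
        raise RuntimeError("login reply carries no client token")
    if auth.get("token_type") != "service":
        raise TokenTypeError(
            f"AppRole issued a {auth.get('token_type')!r} token; "
            "set token_type=service on the role"
        )
    if not auth.get("renewable"):
        raise TokenTypeError("service token is not renewable; check the role's token settings")
    return auth


class RecordingTransport:
    """Offline stand-in for vault_post: records the request and returns a canned reply."""

    def __init__(self, reply):
        self.reply, self.calls = reply, []

    def __call__(self, url, body):
        self.calls.append((url, body))
        return self.reply


# Constructed replies in the shape of Vault's real login response (all values made up).
SERVICE_TOKEN_REPLY = {
    "auth": {
        "client_token": "hvs.CAESIExampleServiceToken",
        "token_type": "service",
        "renewable": True,
        "lease_duration": 3600,
        "policies": ["default", "iics-connections"],
    }
}
BATCH_TOKEN_REPLY = {
    "auth": {
        "client_token": "hvb.AAAAAQExampleBatchToken",
        "token_type": "batch",
        "renewable": False,
        "lease_duration": 3600,
        "policies": ["default", "iics-connections"],
    }
}

VAULT_ADDR = "https://vault.example.com:8200"  # placeholder address


def login_outcome(reply, role_id="example-role-id", secret_id="example-secret-id"):
    """Run the login against a canned reply; return ('ok', auth) or ('error', message)."""
    transport = RecordingTransport(reply)
    try:
        return "ok", approle_login(transport, VAULT_ADDR, role_id, secret_id)
    except TokenTypeError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    print(login_outcome(SERVICE_TOKEN_REPLY))
    print(login_outcome(BATCH_TOKEN_REPLY))
```

The batch-token case is rejected at login rather than discovered later, when the token expires in the middle of a job; the message names the role setting to change so the failure is actionable for whoever administers Vault.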
HashiCorp Vault secret formats
In HashiCorp Vault, the format of a secret reference depends on the version of the KV secrets engine that stores it. In Vault, secrets must be in one of the following formats:
Secrets engine version          Format
KV secrets engine v1            secret/<secret_path>:<key>
KV secrets engine v2            secret/data/<secret_path>:<key>
Note: Because the colon separates the secret path from the key, Informatica Intelligent Cloud Services can't process a secret path or key that itself contains a colon.
For more information about secret names and formats, see the HashiCorp Vault documentation.
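A parser for the reference format above, together with the read of the key from the KV reply each version returns, as an added example that is not Informatica's or HashiCorp's code. It assumes the page's convention, generalized to any mount name: <mount>/<path>:<key> for KV v1 and <mount>/data/<path>:<key> for KV v2, so a second path segment of data is what marks a reference as v2 (a v1 mount with a top-level path literally named data can't be told apart and would be misread). The replies are constructed in the shape of Vault's real KV responses; the HTTP GET is stood in for by a lookup table.

```python
"""Parse a Vault secret reference in the format above and read the key from the KV reply.

Added example, not Informatica's or HashiCorp's code. Assumes the page's convention:
<mount>/<path>:<key> for KV v1 and <mount>/data/<path>:<key> for KV v2, so a second path
segment of "data" marks a reference as v2. The KV replies below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecretRef:
    mount: str        # KV secrets engine mount, e.g. "secret"
    path: str         # path under the mount, without the v2 "data/" segment
    key: str          # key inside the secret
    kv_version: int   # 1 or 2

    @property
    def api_path(self) -> str:
        """Path to GET on the Vault HTTP API; KV v2 reads go through <mount>/data/."""
        if self.kv_version == 2:
            return f"/v1/{self.mount}/data/{self.path}"
        return f"/v1/{self.mount}/{self.path}"


def parse_ref(ref: str) -> SecretRef:
    # The colon is the path/key separator, so a path or key that itself contains a
    # colon can't be expressed; reject such references instead of guessing a split.
    if ref.count(":") != 1:
        raise ValueError(f"expected exactly one ':' between path and key: {ref!r}")
    full_path, key = ref.split(":")
    segments = full_path.split("/")
    if not key or len(segments) < 2 or any(not s for s in segments):
        raise ValueError(f"malformed secret reference: {ref!r}")
    mount = segments[0]
    # Assumption (page convention): "<mount>/data/..." means a KV v2 engine.
    if len(segments) >= 3 and segments[1] == "data":
        return SecretRef(mount, "/".join(segments[2:]), key, 2)
    return SecretRef(mount, "/".join(segments[1:]), key, 1)


def extract_value(ref: SecretRef, reply: dict) -> str:
    """Pull the key out of a KV read reply.

    v1 puts the key/value pairs directly under "data"; v2 nests them one level deeper
    under "data" -> "data", next to the version metadata.
    """
    payload = reply.get("data") or {}
    if ref.kv_version == 2:
        payload = payload.get("data") or {}
    if ref.key not in payload:
        raise KeyError(f"key {ref.key!r} not found at {ref.api_path}")
    return payload[ref.key]


# Constructed replies (values made up) for GET /v1/secret/prod/db (KV v1)
# and GET /v1/secret/data/prod/db (KV v2).
KV1_REPLY = {"data": {"username": "app", "password": "v1-example-pw"}}
KV2_REPLY = {"data": {"data": {"username": "app", "password": "v2-example-pw"},
                      "metadata": {"version": 3, "destroyed": False}}}


def resolve(ref: str, replies: dict) -> str:
    """Resolve a reference against a table of API path -> reply (stands in for HTTP GETs)."""
    parsed = parse_ref(ref)
    return extract_value(parsed, replies[parsed.api_path])


if __name__ == "__main__":
    table = {"/v1/secret/prod/db": KV1_REPLY, "/v1/secret/data/prod/db": KV2_REPLY}
    print(resolve("secret/prod/db:password", table))
    print(resolve("secret/data/prod/db:password", table))
```

The version matters twice: once for the request path (v2 inserts data/ between mount and path) and once for the reply shape (v2 nests the key/value pairs under data.data). Getting either wrong produces a confusing "key not found" rather than a permission error, so the parser records the version explicitly instead of probing.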
HashiCorp Vault connection properties
If you select HashiCorp Vault as your secrets manager, configure connection properties such as the role ID, secret ID, and Vault URI.
Configure the following properties:
Type: Secrets manager type. Choose HashiCorp Vault.
Role ID: ID of the AppRole that the Secure Agent uses to authenticate with Vault. The policy attached to the AppRole must grant the read and list capabilities on the secret paths that your connections reference.
Secret ID: Secret ID of the AppRole that the Secure Agent uses to authenticate with Vault.
Vault URI: URI of the Vault server that stores the connection credentials, for example: