Organization Administration > Secrets managers > Configuring a connection to use the secrets manager

Configuring a connection to use the secrets manager

You can configure any connection that has sensitive credentials to retrieve these credentials from the secrets manager.

1Open the Connections page.

2Perform either of the following actions:

- To create a connection, click New Connection and enter the connection details.
- To edit a connection, click the connection name, and then click Edit.

3In the Connection Properties area, select Use Secret Vault.

4Enable the slider next to each property that you store in the secrets manager, and then enter the secret name, including the path, in the corresponding field. If the secret is a JSON object, you'll also need to include the secret key.

For example, you configure a relational connection and you store the database password in HashiCorp Vault. The secret name is secret/data/MyCredentials, and the secret key is MyPassword. To retrieve the password from HashiCorp Vault, select Use Secret Vault, enable the slider next to the Password field, and enter secret/data/MyCredentials:MyPassword in the Password field.

The following image shows the connection details:

The image shows the connection details for a SQL Server connection. In the SQL Server Connection properties area, the Use Secret Vault option is enabled. The option next to the Password field is also enabled and the Password field is masked with a series of dots.

For more information about formatting the connection property, see Connection property format.

5Select the runtime environment to be used with the connection.

All Secure Agents within the runtime environment must be installed on a local machine or VM and must be able to access the secrets manager. Additionally, the SecretManagerApp service must be running on each agent.

6Configure the connection-specific properties.

7To test the connection, click Test Connection.

8Click Save.

For more information about configuring connections, see Connections.

Connection property format

To configure a connection property to retrieve its value from a secrets manager, first enable the slider next to the property. Then enter the secret name, including the path, in the corresponding field. If the secret is a JSON object, you'll also need to include the secret key.

The following table shows the value to enter based on the format of the secret:

Format of secret	Format of value to enter
JSON object, for example: { "engine": "mysql", "username": "tsmith", "password": "Hello123", "host": "my-database-endpoint.us-west-2.rds.amazonaws.com", "dbname": "myDatabase", "port": "1234" }	<secret name>:<key> If you use AWS Secrets Manager, you can also enter the secret in the following format:* <secret ARN>:<key>
Simple value, for example: --name "MyPassword" --value "Hello123"	<secret name> If you use AWS Secrets Manager, you can also enter the full ARN of the secret.*
* If you use AWS Secrets Manager and the account that hosts the Secure Agent differs from the account that hosts the secrets, you must enter the secret using the full ARN.

Example: Connection property format for AWS Secrets Manager

You want to configure a connection to retrieve a password from AWS Secrets Manager.

The following image shows the secret:

The image shows the secret in AWS Secrets Manager. The "Secret details" area shows the secret name and ARN. The secret value appears on the Overview tab.

The secret name is qa/demo/test, the secret ARN is arn:aws:secretsmanager:us-east-2:2*********6:secret:qa/demo/test-zUxff*****F, and the key is password.

Enter either of the following values for the Password connection property:

•qa/demo/test:password
•arn:aws:secretsmanager:us-east-2:2*********6:secret:qa/demo/test-zUxff*****F:password

Note:

If the account that hosts the Secure Agent differs from the account that hosts the secrets, you must enter the password in this format.

Example: Connection property format for Azure Key Vault

You want to configure a connection to retrieve a password from Azure Key Vault.

The following image shows the secret:

The image shows the secret "nestedkey" listed in the table on the Secrets page in Azure Key Vault.

The secret is stored in the following format:

{
"secrets": [
{
"keyPath": "nestedkey",
"status": "SUCCESS",
"value": "{ \"password\": \"passw0rd\", \"username\": \"admin\" }",
"errorMsg": null
}
]
}

Enter the following value for the Password connection property:

nestedkey:password

Example: Connection property format for HashiCorp Vault

You want to configure a connection to retrieve a password from HashiCorp Vault.

The following image shows the secret:

The image shows the secret in HashiCorp Vault. The secret name is displayed at the top, and the secret appears in the Version Data area on the Secret tab.

The secret name is secret/mysql/webapp and the key is password.

Enter the following value for the Password connection property:

secret/mysql/webapp:password