Selecting a secrets manager secret

For fields that support secrets managers, such as database password fields, if at least one secrets manager is available, then a Use Secret link appears at the top right of the field.

Use Secret option for a field that supports using a secret from a secrets manager

Indicating to use a secret

To use a secret to populate the value:

  1. Click Use Secret.

Use Secret panel to select the secret to use
  2. On the Use Secret panel, from the Secrets Manager dropdown list, select the name of the secrets manager that contains the secret.

  3. Based on the secrets manager type, Structural prompts you for the information needed to identify and retrieve the secret.

  4. After you provide the required information, click Confirm.

  5. Structural changes the link to Using Secret, and disables the field.

Field marked as using a secret from a secrets manager

Updating the secret selection

To change the secret selection or other information about the selected secret:

  1. Click the Using Secret link.

  2. On the Use Secret panel, update the information.

  3. Click Confirm.

Selecting a secret from AWS Secrets Manager

When you select a secrets manager of type AWS Secrets Manager:

  1. In the Secret ARN or Name field, provide the name or ARN of the secret.

  2. If the secret is part of a structured key-value pair, then in the Property Name field, provide the property name that contains the secret value.

Fields to identify a secret from an AWS secrets manager

Selecting a secret from HashiCorp Vault

When you select a secrets manager of type HashiCorp Vault:

Secret selection panel for a HashiCorp Vault secret

Using chained credentials

For HashiCorp Vault, for additional security, you can choose to use chained credentials. When you enable chained credentials, you provide one set of credentials, which is used to retrieve a second set of credentials, which is in turn used to retrieve the specified secret.

To enable chained credentials, toggle Use chained credentials to the on position. The Chained Credentials Configuration is displayed.

Chained credentials configuration for a HashiCorp Vault secret

Selecting the authentication method

From the Method dropdown list, select the type of authentication to use:

  • AppRole

  • LDAP

  • Token

Configuring the shared authentication settings

For all authentication types:

  1. If the selected authentication method is enabled in a specific namespace, then in the first Namespace field, provide the namespace.

  2. If the selected authentication method does not use the default mount path, then in the first Mount path field, provide the mount path.

  3. In the Secret Name field, provide the name of the secret.

  4. If the vault is enabled in a specific namespace, then in the second Namespace field, provide the namespace.

  5. If the secrets engine does not use the default mount path, then in the second Mount path field, provide the mount path.

Configuring app role authentication

For app role authentication:

  1. In the Role ID field, provide the name of the secret property that contains the identifier of the application role.

  2. In the Secret ID field, provide the name of the secret property that contains the secret identifier of the application role.

Configuring token authentication

For token authentication, in the Token field, provide the name of the secret property that contains the authentication token to use.

Configuring LDAP authentication

For LDAP authentication:

  1. In the LDAP Username field, provide the name of the secret property that contains the LDAP username.

  2. In the LDAP Password field, provide the name of the secret property that contains the password for the LDAP user.

Providing the database secret

If you use chained credentials, then the database secret fields are under Database Secret Configuration.

To provide information about the secret to retrieve:

  1. In the Secret Name field, provide the name of the secret.

  2. If the secret is in a specific namespace, then in the Namespace field, provide the namespace.

  3. If the authentication does not use the default mount path, then in the Mount Path field, provide the mount path.

  4. If the secret is part of a structured key-value pair, then in the Property Name field, provide the property name that contains the secret value.
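The chained credentials flow with AppRole, as an added example that is not Structural's own code: the first credentials read only the secret that holds the AppRole properties, and the token from the AppRole login reads the database secret. `FakeVault`, the config keys, and all names and values are constructed stand-ins, and representing the first credentials as a token is an assumption.

```python
class FakeVault:
    """Constructed in-memory stand-in for a Vault server (no network)."""
    def __init__(self):
        self.kv = {}        # (namespace, mount, name) -> {property: value}
        self.approles = {}  # (namespace, mount, role_id, secret_id) -> token
        self.policy = {}    # token -> set of readable (namespace, mount, name)

    def approle_login(self, namespace, mount, role_id, secret_id):
        # Models POST /v1/auth/<mount>/login
        try:
            return self.approles[(namespace, mount, role_id, secret_id)]
        except KeyError:
            raise PermissionError("invalid role_id or secret_id") from None

    def read(self, token, namespace, mount, name):
        # Models a KV read sent with X-Vault-Token and X-Vault-Namespace
        key = (namespace, mount, name)
        if key not in self.policy.get(token, set()):
            raise PermissionError(f"token may not read {mount}/{name}")
        return self.kv[key]


def resolve_chained(vault, first_token, chain, db):
    """Follow the chain: first credentials -> AppRole credentials -> secret."""
    creds = vault.read(first_token, chain["secret_namespace"],
                       chain["secret_mount"], chain["secret_name"])
    # The Role ID / Secret ID fields hold property *names*, not the values
    role_id = creds[chain["role_id_property"]]
    secret_id = creds[chain["secret_id_property"]]
    token = vault.approle_login(chain["auth_namespace"], chain["auth_mount"],
                                role_id, secret_id)
    secret = vault.read(token, db["namespace"], db["mount"], db["secret_name"])
    return secret[db["property_name"]]


def build_demo():
    """Constructed sample data; every name and value here is made up."""
    v = FakeVault()
    v.kv[("team-a", "secret", "structural/approle")] = {"rid": "r-123", "sid": "s-456"}
    v.kv[("team-a", "secret", "db/prod")] = {"username": "app", "password": "pw-example"}
    v.approles[("team-a", "approle", "r-123", "s-456")] = "tok-db"
    v.policy["tok-first"] = {("team-a", "secret", "structural/approle")}
    v.policy["tok-db"] = {("team-a", "secret", "db/prod")}
    chain = {"auth_namespace": "team-a", "auth_mount": "approle",
             "secret_name": "structural/approle", "secret_namespace": "team-a",
             "secret_mount": "secret", "role_id_property": "rid",
             "secret_id_property": "sid"}
    db = {"secret_name": "db/prod", "namespace": "team-a", "mount": "secret",
          "property_name": "password"}
    return v, chain, db
```

In this model the policy on the first token does not cover the database secret, so that token alone cannot read the database password.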

Selecting a secret from CyberArk Central Credential Provider

When you select a secrets manager of type CyberArk Central Credential Provider:

Secret selection panel for a CyberArk Central Credential Provider secret
  1. In the Secret Name field, provide the name of the secret.

  2. Optionally:

    1. In the CyberArk Safe field, provide the name of the CyberArk safe that contains the secrets manager.

    2. In the CyberArk Folder field, provide the name of the folder within the safe that contains the secrets manager. If you do not specify a folder here, Structural uses the folder configured in the secrets manager. If a folder is not configured in the secrets manager, then the folder defaults to Root. To specify a folder path, use Root followed by the rest of the path, with each path component separated by backslashes. For example: Root\OS\Linux.

    If you do not provide these values, they fall back to the values that are configured for the secrets manager.

Removing the secret selection

To remove the secret selection entirely, and enable a value to be entered manually:

  1. Click the Using Secret link.

  2. On the Use Secret panel, click Remove.
