# Selecting a secrets manager secret

For fields that support secrets managers, such as database password fields, if at least one secrets manager is available, then a **Use Secret** link appears at the top right of the field.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FmXz4T6rsBcxaRkjb4oL8%2FSecretsManagerWorkspaceUseSecret.png?alt=media&#x26;token=2a926ab3-9b56-4378-9304-1207be584e13" alt=""><figcaption><p>Use Secret option for a field that supports using a secret from a secrets manager</p></figcaption></figure>

## Indicating to use a secret

To use a secret to populate the value:

1. Click **Use Secret**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FlOGv1voscLLGKP1QyuRP%2FSecretsManagerWorkspaceUseSecretPanel.png?alt=media&#x26;token=7a9b867b-a405-4341-9f0b-73a8e03f49a8" alt=""><figcaption><p>Use Secret panel to select the secret to use</p></figcaption></figure>

2. On the **Use Secret** panel, from the **Secrets Manager** dropdown list, select the name of the secrets manager that contains the secret.
3. Based on the secrets manager type, Structural prompts you for the information needed to identify and retrieve the secret.
4. After you provide the required information, click **Confirm**.
5. Structural changes the link to **Using Secret**, and disables the field.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2F5dKYctrZU9aKSQ34sWu4%2FSecretsManagerWorkspaceUsingSecret.png?alt=media&#x26;token=ff59d06d-59b5-4176-a931-c28c9b14b741" alt=""><figcaption><p>Field marked as using a secret from a secrets manager</p></figcaption></figure>

## Updating the secret selection

To change the secret selection or other information about the selected secret:

1. Click the **Using Secret** link.
2. On the **Use Secret** panel, update the information.
3. Click **Confirm**.

## Selecting a secret from AWS Secrets Manager

When you select a secrets manager that uses AWS Secrets Manager:

1. In the **Secret ARN or Name** field, provide the name or ARN of the secret.
2. If the secret is part of a structured key-value pair, then in the **Property Name** field, provide the property name that contains the secret value.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FxfiaGGcUt1nih4dwJ5x8%2FSecretsManagerWorkspaceAWS.png?alt=media&#x26;token=a53bbb34-7d40-4c12-8f8c-d06d7625d4d5" alt=""><figcaption><p>Fields to identify a secret from an AWS secrets manager</p></figcaption></figure>

## Selecting a secret from HashiCorp Vault

When you select a secrets manager that uses HashiCorp Vault:

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FVmlDqwFh5AA2RA32wYkg%2FSecretsManagerSelectHashiCorp.png?alt=media&#x26;token=4557ba59-dd95-4be1-a4a2-8ff3e651a8d3" alt=""><figcaption><p>Secret selection panel for a HashiCorp Vault secret</p></figcaption></figure>

### Using chained credentials

For HashiCorp Vault, for additional security, you can choose to use chained credentials. When you enable chained credentials, you provide a set of credentials that is used to retrieve a second set of credentials, which is in turn used to retrieve the specified secret.

To enable chained credentials, toggle **Use chained credentials** to the on position. The **Chained Credentials Configuration** is displayed.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2Fv9BIRgRS77927UneIyCS%2FSecretsManagerWorkspaceVaultChainedAppRole.png?alt=media&#x26;token=ffd29ef3-4301-4c9d-8a68-b09b2c9488f7" alt=""><figcaption><p>Chained credentials configuration for a HashiCorp Vault secret</p></figcaption></figure>

#### Selecting the authentication method

From the **Method** dropdown list, select the type of authentication to use:

* **AppRole**
* **LDAP**
* **Token**

#### Configuring the shared authentication settings

For all authentication types:

1. If the selected authentication method is enabled in a specific namespace, then in the first **Namespace** field, provide the namespace.
2. If the selected authentication method does not use the default mount path, then in the first **Mount path** field, provide the mount path.
3. In the **Secret Name** field, provide the name of the secret.
4. If the vault is enabled in a specific namespace, then in the second **Namespace** field, provide the namespace.
5. If the secrets engine does not use the default mount path, then in the second **Mount path** field, provide the mount path.

#### Configuring app role authentication

For app role authentication:

1. In the **Role ID** field, provide the name of the secret property that contains the identifier of the application role.
2. In the **Secret ID** field, provide the name of the secret property that contains the secret identifier of the application role.

#### Configuring token authentication

For token authentication, in the **Token** field, provide the name of the secret property that contains the authentication token to use.

#### Configuring LDAP authentication

For LDAP authentication:

1. In the **LDAP Username** field, provide the name of the secret property that contains the LDAP username.
2. In the **LDAP Password** field, provide the name of the secret property that contains the password for the LDAP user.

### Providing the database secret

If you use chained credentials, then the database secret fields are under **Database Secret Configuration**.

To provide information about the secret to retrieve:

1. In the **Secret Name** field, provide the name of the secret.
2. If the secret is in a specific namespace, then in the **Namespace** field, provide the namespace.
3. If the authentication does not use the default mount path, then in the **Mount Path** field, provide the mount path.
4. If the secret is part of a structured key-value pair, then in the **Property Name** field, provide the property name that contains the secret value.
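
The following sketch is an added example, not Structural's code. It maps the chained credentials and database secret fields onto HashiCorp Vault's HTTP API: read the chained secret, log in with its properties, then read one property of the database secret. It assumes a KV version 2 secrets engine, a default KV mount of `secret`, and that the first read uses a token the secrets manager already holds. The dict keys, the `send` transport and all sample values are hypothetical.

```python
# Added illustration: dict keys are hypothetical names for the panel fields; KV v2 is assumed.
def hdrs(token=None, namespace=None):
    pairs = (("X-Vault-Token", token), ("X-Vault-Namespace", namespace))
    return {k: v for k, v in pairs if v}

def kv2_get(send, token, cfg):
    """Read the KV v2 secret named by cfg and return its key-value properties."""
    path = f"/v1/{cfg.get('mount') or 'secret'}/data/{cfg['secret_name']}"
    return send("GET", path, hdrs(token, cfg.get("namespace")), None)["data"]["data"]

def login(send, chain, creds):
    """Turn the properties of the chained secret into a Vault token."""
    method = chain["method"]
    if method == "token":
        return creds[chain["token"]]
    mount = chain.get("auth_mount") or method  # default mounts: approle, ldap
    if method == "approle":
        path = f"/v1/auth/{mount}/login"
        body = {"role_id": creds[chain["role_id"]], "secret_id": creds[chain["secret_id"]]}
    elif method == "ldap":
        path = f"/v1/auth/{mount}/login/{creds[chain['ldap_username']]}"
        body = {"password": creds[chain["ldap_password"]]}
    else:
        raise ValueError(f"unsupported method: {method}")
    resp = send("POST", path, hdrs(namespace=chain.get("auth_namespace")), body)
    return resp["auth"]["client_token"]

def resolve(send, manager_token, chain, db):
    """Chained secret -> login -> database secret -> one property."""
    creds = kv2_get(send, manager_token, chain)
    token = login(send, chain, creds)
    return kv2_get(send, token, db)[db["property"]]

# Constructed responses standing in for a Vault server; every value is made up.
FAKE = {
    ("GET", "/v1/secret/data/structural/approle"): {"data": {"data": {"rid": "r-1", "sid": "s-1"}}},
    ("POST", "/v1/auth/approle/login"): {"auth": {"client_token": "tok-db"}},
    ("GET", "/v1/dbkv/data/prod/postgres"): {"data": {"data": {"password": "example-pw"}}},
}

def demo():
    calls = []
    def send(method, path, headers, body):
        calls.append((method, path, headers.get("X-Vault-Token")))
        return FAKE[(method, path)]
    chain = {"method": "approle", "secret_name": "structural/approle",
             "role_id": "rid", "secret_id": "sid"}
    db = {"secret_name": "prod/postgres", "mount": "dbkv", "property": "password"}
    return resolve(send, "tok-manager", chain, db), calls
```

The recorded calls show which token each step presents: the manager's token reads only the chained secret, and the token issued at login reads the database secret.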

## Selecting a secret from CyberArk Central Credential Provider

When you select a secrets manager that uses CyberArk Central Credential Provider:

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FSY1pkhfNbInC6d0c2ZU0%2FSecretsManagerWorkspaceCyberArk.png?alt=media&#x26;token=b2728b25-3923-40a3-a619-6f6a3d68ad53" alt=""><figcaption><p>Secret selection panel for a CyberArk Central Credential Provider secret</p></figcaption></figure>

1. In the **Secret Name** field, provide the name of the secret.
2. Optionally:

   1. In the **CyberArk Safe** field, provide the name of the CyberArk safe that contains the secrets manager.
   2. In the **CyberArk Folder** field, provide the name of the folder within the safe that contains the secrets manager.

      If you do not specify a folder here, Structural uses the folder configured in the secrets manager. If a folder is not configured in the secrets manager, then the folder defaults to `Root`.

      To specify a folder path, use `Root` followed by the rest of the path, with each path component separated by backslashes. For example: `Root\OS\Linux`.

   If you do not provide these values, they fall back to the values that are configured for the secrets manager.

## Removing the secret selection

To remove the secret selection entirely, and enable a value to be entered manually:

1. Click the **Using Secret** link.
2. On the **Use Secret** panel, click **Remove**.
