Skip to content

Secret Management

Team Edition supports external secret managers to securely store and access credentials.

Secret manager Description
AWS Secrets Manager Managed service from AWS for storing and retrieving secrets securely. Requires IAM permissions.
HashiCorp Vault Open-source tool for managing secrets and protecting sensitive data. Supports fine-grained access control.
CyberArk Enterprise-grade security platform designed for managing privileged access and secrets.

Note

If a secret is configured, it takes priority over other authentication settings.

Configure secret provider

Before adding a secret provider in Team Edition, make sure:

  • the provider is set up and accessible
  • you have the required permissions
  • secret management is enabled in the server configuration

Turn on secret management

  1. Go to Settings -> Administration -> Server Configuration
  2. In the Configuration section, enable Secret Management
  3. Click Save

Once enabled, a new Secret Management tab appears in the interface.

Add a secret provider

  1. Open the Secret Management tab
  2. Click + Add
  3. Choose a provider from the dropdown list
AWS secrets

  1. Fill in the required fields

    Field Description
    ID Enter a unique identifier for the configuration.
    Configuration name Enter a descriptive name for this configuration.
    Description (Optional) Provide a brief description of this secret provider configuration.
    CloudId AWS configuration settings. For more details on configuring AWS Cloud in Team Edition, see AWS Cloud Explorer.
    Region AWS region where secrets are stored.

  2. Click Create to save the configuration

Vault secrets

  1. Fill in the required fields

    Field Description
    ID Enter a unique identifier for the configuration.
    Configuration name Enter a descriptive name for this configuration.
    Description (Optional) Provide a brief description of this secret provider.
    Authentication Type Select an authentication type (TOKEN, JWT, USERNAME_PASSWORD).

    Note

    When using USERNAME_PASSWORD or TOKEN authentication, all users will have the same level of access to all secrets. If you need access control with different permissions for users, use JWT authentication.

  2. Click Create to save the configuration

CyberArk

  1. Fill in the required fields

    Field Description
    ID Enter a unique identifier for the configuration.
    Configuration name Unique identifier for the secret configuration in Team Edition.
    Description (Optional) Provide a brief description of this secret provider.
    Server URL URL of the Conjur OSS server (e.g., https://conjur.example.com).
    Account Conjur tenant or organization account name (e.g., myorg).
    Login Conjur user ID used for authentication.
    API Key API key associated with the Conjur user for authn login.
    Policy branch Path to the policy namespace where secrets are stored (e.g., dev/app).
    Trust CyberArk SSL Certificate (Optional) Trust the CyberArk serverā€™s SSL certificate without manual import. Enable this if you're using a self-signed certificate or connecting to a server whose certificate isn't trusted by default.

    Info

    For more details on authentication, policy structure, and SSL configuration, CyberArk official documentation.

  2. Click Create to save the configuration

Authentication types

Username/password authentication

Use a username and password to authenticate with the Vault server.

Field Description
Username Username for authentication.
Password Password for authentication.

Token authentication

Use an authentication token to access the Vault server.

Field Description
Token Authentication token required to access the Vault server.

JWT authentication

Use a JSON Web Token (JWT) for authentication.

Field Description
Vault server URL URL of the Vault server used to retrieve secrets.
Vault JWT Provider ID Identifier for the JWT provider created on the Vault side (Auth Method in Vault).
Vault Role Claim The value of the role name in the JWT token where the custom role is stored. See the configuration steps below.
Configuring JWT authentication

JWT authentication requires an external Single Sign-On (SSO) provider (e.g., Okta) because Vault does not generate JWTs internally. It works with any OpenID Connect (OIDC) provider that issues JWT tokens.

This configuration happens on the Vault side and includes setting up authentication methods, validation rules, and role mappings.

Note

You must be logged into Team Edition with the same authentication provider that Vault is configured with. For instance, if Vault is set up with Okta, you must log in through Okta-logging in through a different provider, like Google, will not work.

  1. Enable the JWT authentication method in Vault

    • enable JWT authentication
    • configure JWT validation settings, such as issuer and audience

  2. Create a role in Vault

    • vault does not assign roles automatically
    • use the API to create a role
    • define policies and specify claims for user identification

    a. Configure role assignment in the SSO provider

    • ensure your SSO provider includes user roles in the JWT.

    Info

    Use the SSO providerā€™s documentation to configure role claims.

    b. Match the Vault Role Claim with a JWT claim

    • the Vault Role Claim field should match the custom claim in the JWT token
    • if it does not match, authentication will fail

Info

See the Vault documentation for more details.

Creating a connection

  1. Start creating a connection

  2. In the Create Connection wizard, go to the Main tab, choose a secret provider configuration and enter the secret name in the Settings field.

    Info

    The secret name must match the name stored in your secret provider:

    -for HashiCorp Vault, use secret/your_secret_name - for AWS Secrets Manager, use your_secret_name - for CyberArk, use the full variable path, for example: app/dev/db/password. In Conjur, secret names reflect the full variable ID defined in your policy. For more details, see Conjur documentation.

  3. If the secret doesnā€™t include all required details (such as the host or port), enter them manually in the connection settings.

  4. Click the Test button to verify your settings (if configured correctly, Team Edition will establish a connection using the Secret Provider)
  5. Click Create to save the connection