# On-Prem Agent - Secrets Manager
To simplify password management, you can use an external secrets manager with Workato's On-prem Agent (OPA).
This approach eliminates the need to store passwords in OPA config files, allowing you to rotate your passwords without re-configuring OPA.
# Connection types
The on-prem connection type determines which secrets managers are supported. Both types let you use OPA to connect your secrets manager to Workato from behind a corporate firewall.
- Cloud profiles support AWS Secrets Manager, Microsoft Azure Key Vault, and HashiCorp Vault. Cloud profiles are set up directly in Workato, so you don't need to access the machine where the on-prem agent is installed.
- Connection profiles support AWS Secrets Manager, Microsoft Azure Key Vault, and Google Secret Manager. Connection profiles are set up manually in a config file on the machine where the on-prem agent is installed.
If you want to connect a secrets manager but aren't using an on-prem agent, see Secrets management for connection credentials.
# How it works
At a high level, here's how using a secrets manager works with OPA:
You create a vault and secret in your external secret manager.
You configure Workato to use the secrets manager.
- For cloud profiles: Set up a connection for the secrets manager you're using. If you're using HashiCorp Vault, you must also set the Connection type to your on-prem group instead of Cloud.
- For connection profiles: Define the secrets manager in the config file on the machine where the on-prem agent is installed.
You specify the secret to retrieve from the secrets manager.
- For cloud profiles: Specify the secret in the configuration page for the connection.
- For connection profiles: Specify the secret in the appropriate system profile.
When fully configured, OPA will retrieve the secret from the defined secrets manager.
# Supported secret managers
The table below lists the secret managers Workato currently supports for use with OPA. In the table, you'll find:
- Name: The name of the secrets manager and a link to a setup guide
- Provider Value: The
providervalue of the secrets manager, used in the OPA config file (if applicable)
- Profile: The on-prem connection type (cloud profile or connection profile)
|Amazon Web Services Secrets Manager|| |
|Microsoft Azure Key Vault|| |
|Amazon Web Services Secrets Manager|| ||Cloud profile and connection profile|
|Google Secret Manager||Connection profile|
|HashiCorp Vault||N/A||Cloud profile|
|Microsoft Azure Key Vault|| ||Cloud profile and connection profile|
Last updated: 7/27/2023, 10:34:08 PM