# On-Prem Agent - Secrets Manager

To simplify password management, you can use an external secrets manager with Workato's On-prem Agent (OPA).

This approach eliminates the need to store passwords in OPA config files, allowing you to rotate your passwords without re-configuring OPA.

# How It Works

At a high level, here's how using a secrets manager works with OPA:


You create a vault and secret in your external secret manager.


In your OPA config file, you define the type of secrets manager you're using and the required fields for that secrets manager type:

  provider: aws
  region: us-west-1

In the database profile, you specify the secret to retrieve from the secrets manager:

    adapter: sqlserver
    host: localhost
    port: 1433
    database: test
    username: { secret: '/workato/opa/sqlserver/username' }
    password: { secret: '/workato/opa/sqlserver/password' }

When fully configured, OPA will retrieve the secret from the defined secrets manager.

# Supported Secret Managers

The table below lists the secret managers Workato currently supports for use with OPA. In the table, you'll find:

  • Name: The name of the secrets manager and a link to a setup guide
  • Provider Value: The provider value of the secrets manager, used in the OPA config file
Name Provider Value
Amazon Web Services Secrets Manager aws
Google Secret Manager google
Microsoft Azure Key Vault azure