# Setting up HashiCorp Vault secrets engines for projects
Switching to project-specific secrets management causes all previously-configured external secret references to stop working.
To complete the steps in this guide, you must have the following:
- An account with the Data Monitoring/Advanced Security & Compliance add-on. For more information, contact your Workato Customer Success Manager.
In HashiCorp Vault:
# Step 1: Select the scope for secrets management
Sign in to your Workato account.
Navigate to Settings > Secrets management.
In Scope, select the option “Set up secrets management for each project individually”.
Select project-level secrets management
If you have previously set up Secrets management at the workspace level, Workato notifies you that All previously configured references to external secrets will stop working.
Remember that you must now set up secrets management in each project individually.
Click Save changes.
If you are switching Secrets management scopes, Workato asks that you confirm switching from secrets management at workspace level, to project level.
Click Use project-specific secrets.
Use project-specific secrets
# Step 2: Select the project
In Workato, navigate to your projects.
Select the project that you plan to configure with secrets management.
In the project, navigate to Settings > Secrets management.
In the Which secrets manager do you want to use? field, select HashiCorp Vault.
# Step 3: Configure the following fields in Workato
Connect to HashiCorp Vault
- Connection name
- Name your HashiCorp Vault connection.
- Connection type
- If you want to connect using an on-premise group, select the group name from the picklist. Otherwise, to use a direct connection, select Cloud.
- Authentication type
- Select AppRole from the dropdown.
- Vault URL
- Enter the Vault URL of your Hashicorp Vault instance. It should follow this form
The name of your HashiCorp Vault instance.
The name of your organization.
Optional. The name of the namespace that contains the secret(s) you plan to use in Workato. Namespaces (opens new window) are a set of features that enable you to define granular control and secrets management within your organization.
In our example, we grant Workato access to the
- AppRole name
- The AppRole you plan to use. An AppRole is a set of Vault policies and login constraints that determines which secrets you can access.
# Step 4: Obtain the AppRole ID and AppRole Secret ID from your HashiCorp Vault instance
AppRole is a login credential split into two parts- the AppRole ID and AppRole Secret ID. You must obtain both to authenticate to Workato. The AppRole ID can be considered similar to a username- its value remains constant and associated with its corresponding AppRole. On the contrary, the AppRole Secret ID is similar to a password or unique key and you can prompt HashiCorp Vault to refresh this credential, if needed.
In HashiCorp Vault click >_ to open the control panel.
Open the control panel
Enter the following command:
vault read auth/<approle_name>/role/<role_name>/role-id
The AppRole you have configured in HashiCorp Vault.
The name of the role (Workato) you plan to connect to.
vault read auth/workato_approle/role/workato/role-id
HashiCorp Vault returns the AppRole ID unique to your AppRole:
Copy and paste this value into the AppRole ID field in Workato.
Obtain the AppRole Secret ID by entering the following command to the control panel in HashiCorp Vault:
vault write -force auth/<approle_name>/role/<role_name>/secret-id
vault write -force auth/workato_approle/role/workato/secret-id
HashiCorp Vault generates an AppRole Secret ID for your AppRole:
Copy and paste the
secret_id value into the AppRole Secret ID field in Workato.
Workato displays the following message when you connect successfully.
Last updated: 1/2/2024, 7:18:05 PM