# Setting up HashiCorp Vault secrets engines for workspaces
Switching to workspace-specific secrets management causes all previously-configured external secret references to stop working.
To complete the steps in this guide, you must have the following:
- An account with Advanced Security & Compliance advanced functionality. For more information, contact your Workato Customer Success Manager.
In HashiCorp Vault:
- HashiCorp Vault Key-value (KV) secrets engine version 1 or 2.
- An account with the AppRole auth method enabled.
- One or more AppRoles configured.
# Step 1: Select the scope for secrets management
Sign in to your Workato account.
Navigate to Settings > Secrets management.
In Scope, select the option “Set up secrets management for the entire workspace”.
# Step 2: Select the secrets manager
Continuing from the previous step, in the Which secrets manager do you want to use? field, select HashiCorp Vault.
# Step 3: Configure the following fields in Workato
Connect to HashiCorp Vault
- Connection name: Name your HashiCorp Vault connection.
- Connection type: If you want to connect using an on-premise group, select the group name from the picklist. Otherwise, to use a direct connection, select Cloud.
- Authentication type: Select AppRole from the dropdown.
- Vault URL: Enter the Vault URL of your HashiCorp Vault instance. It should follow this form
  - The name of your HashiCorp Vault instance.
  - The name of your organization.
  - Optional. The name of the namespace that contains the secret(s) you plan to use in Workato. Namespaces are a set of features that enable you to define granular control and secrets management within your organization.
  In our example, we grant Workato access to the
- AppRole name: The AppRole you plan to use. An AppRole is a set of Vault policies and login constraints that determines which secrets you can access.
# Step 4: Obtain the AppRole ID and AppRole Secret ID from your HashiCorp Vault instance
AppRole is a login credential split into two parts: the AppRole ID and the AppRole Secret ID. You must obtain both to authenticate to Workato. The AppRole ID can be considered similar to a username: its value remains constant and stays associated with its corresponding AppRole. By contrast, the AppRole Secret ID is similar to a password or unique key, and you can prompt HashiCorp Vault to refresh this credential if needed.
In HashiCorp Vault, click >_ to open the control panel.
Enter the following command:

```
vault read auth/<approle_name>/role/<role_name>/role-id
```

- `<approle_name>`: The AppRole you have configured in HashiCorp Vault.
- `<role_name>`: The name of the role (Workato) you plan to connect to.

For example:

```
vault read auth/workato_approle/role/workato/role-id
```

HashiCorp Vault returns the AppRole ID unique to your AppRole:

```
Key        Value
role_id    12a3bc45-6de7-8910-11fg-h4ij12XXXXXX
```
Copy and paste this value into the AppRole ID field in Workato.
Obtain the AppRole Secret ID by entering the following command in the control panel in HashiCorp Vault:

```
vault write -force auth/<approle_name>/role/<role_name>/secret-id
```

For example:

```
vault write -force auth/workato_approle/role/workato/secret-id
```

HashiCorp Vault generates an AppRole Secret ID for your AppRole:

```
Key                   Value
secret_id             ed0a642f-2acf-c2da-232f-1b2130XXXXXX
secret_id_accessor    a240a31f-270a-4765-64bd-94ba1fXXXXXX
```

Copy and paste the `secret_id` value into the AppRole Secret ID field in Workato.
Workato displays the following message when you connect successfully.
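An added pre-flight check, not part of the Workato documentation or of HashiCorp's tooling: it logs in with the role_id and secret_id obtained above through Vault's HTTP API and reports which key names the AppRole can read at the intended KV path, so a mis-scoped policy shows up before the credentials are pasted into Workato. The Vault address, mount names, secret path and placeholder IDs in the main block are assumptions; kv_version must match your KV engine (1 or 2), and a namespace, if used, is sent in the X-Vault-Namespace header.

```python
import json
import urllib.request

def approle_login_body(role_id: str, secret_id: str) -> bytes:
    """JSON body for POST /v1/auth/<approle_mount>/login."""
    return json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()

def kv_read_path(mount: str, secret_path: str, kv_version: int) -> str:
    """KV v1 reads <mount>/<path>; KV v2 inserts 'data/' after the mount."""
    if kv_version == 2:
        return f"v1/{mount}/data/{secret_path}"
    if kv_version == 1:
        return f"v1/{mount}/{secret_path}"
    raise ValueError("kv_version must be 1 or 2")

def extract_kv(response: dict, kv_version: int) -> dict:
    """KV v2 nests the key/value map under data.data; KV v1 returns it under data."""
    return response["data"]["data"] if kv_version == 2 else response["data"]

def vault_request(addr, path, token=None, namespace=None, body=None) -> dict:
    """Minimal Vault API call; a namespace goes in the X-Vault-Namespace header."""
    req = urllib.request.Request(f"{addr.rstrip('/')}/{path}", data=body,
                                 method="POST" if body else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    if namespace:
        req.add_header("X-Vault-Namespace", namespace)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def check_approle(addr, approle_mount, role_id, secret_id, kv_mount, secret_path,
                  kv_version, namespace=None) -> list:
    """Log in as the AppRole and return the key names it can read (never the values)."""
    login = vault_request(addr, f"v1/auth/{approle_mount}/login", namespace=namespace,
                          body=approle_login_body(role_id, secret_id))
    token = login["auth"]["client_token"]
    secret = vault_request(addr, kv_read_path(kv_mount, secret_path, kv_version),
                           token=token, namespace=namespace)
    return sorted(extract_kv(secret, kv_version))

if __name__ == "__main__":
    # Hypothetical values; replace with your own. If the role limits
    # secret_id_num_uses, this login consumes one use of the secret_id.
    print(check_approle("https://vault.example.com:8200", "workato_approle",
                        "ROLE_ID_PLACEHOLDER", "SECRET_ID_PLACEHOLDER",
                        "secret", "workato/db", kv_version=2))
```

If the login fails with 403 or the read returns 403, the AppRole's policies do not cover the path Workato will use; fix the policy in Vault rather than widening it after the connection is live.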