# Setting up HashiCorp Vault secrets engines for workspaces

WARNING

Switching to workspace-specific secrets management causes all previously-configured external secret references to stop working.


# Prerequisites

To complete the steps in this guide, you must have the following:

  • In Workato:

    • An account with the Data Monitoring/Advanced Security & Compliance add-on. For more information, contact your Workato Customer Success Manager.
  • In HashiCorp Vault:


# Step 1: Select the scope for secrets management

1. Sign in to your Workato account.
2. Navigate to Settings > Secrets management.
3. In Scope, select the option “Set up secrets management for the entire workspace”.



# Step 2: Select the secrets manager

1. Continuing from the previous step, in the Which secrets manager do you want to use? field, select HashiCorp Vault.



# Step 3: Configure the following fields in Workato


1. Connection name: Name your HashiCorp Vault connection.
2. Connection type: If you want to connect using an on-premise group, select the group name from the picklist. Otherwise, to use a direct connection, select Cloud.
3. Authentication type: Select AppRole from the dropdown.
4. Vault URL: Enter the URL of your HashiCorp Vault instance. It should follow this form: https://<instance_name>.<company_name>.com:123
   • instance_name: The name of your HashiCorp Vault instance.
   • company_name: The name of your organization.
5. Namespace: Optional. The name of the namespace that contains the secret(s) you plan to use in Workato. Namespaces are a set of features that enable you to define granular control and secrets management within your organization. In our example, we grant Workato access to the admin/HR namespace.
6. AppRole name: The AppRole you plan to use. An AppRole is a set of Vault policies and login constraints that determines which secrets you can access.

# Step 4: Obtain the AppRole ID and AppRole Secret ID from your HashiCorp Vault instance

AppRole is a login credential split into two parts: the AppRole ID and the AppRole Secret ID. You must obtain both to complete the connection in Workato. The AppRole ID is comparable to a username: its value remains constant and is associated with its corresponding AppRole. The AppRole Secret ID, by contrast, is comparable to a password or unique key, and you can prompt HashiCorp Vault to regenerate this credential if needed.

1. In HashiCorp Vault, click >_ to open the control panel.


2. Enter the following command:

   ```shell
   vault read auth/<approle_name>/role/<role_name>/role-id
   ```

   • approle_name: The AppRole you have configured in HashiCorp Vault.
   • role_name: The name of the role (Workato) you plan to connect to.

   Example:

   ```shell
   vault read auth/workato_approle/role/workato/role-id
   ```

3. HashiCorp Vault returns the AppRole ID unique to your AppRole:

   ```
   Key     Value
   role_id 12a3bc45-6de7-8910-11fg-h4ij12XXXXXX
   ```

4. Copy and paste this value into the AppRole ID field in Workato.

5. Obtain the AppRole Secret ID by entering the following command in the control panel in HashiCorp Vault:

   ```shell
   vault write -force auth/<approle_name>/role/<role_name>/secret-id
   ```

   Example:

   ```shell
   vault write -force auth/workato_approle/role/workato/secret-id
   ```

6. HashiCorp Vault generates an AppRole Secret ID for your AppRole:

   ```
   Key                 Value
   secret_id           ed0a642f-2acf-c2da-232f-1b2130XXXXXX
   secret_id_accessor  a240a31f-270a-4765-64bd-94ba1fXXXXXX
   ```

7. Copy and paste the secret_id value into the AppRole Secret ID field in Workato.

8. Click Connect.

9. Workato displays the following message when you connect successfully.

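The AppRole login exchange that these two credentials are used for, as an added Python example (not Workato's or HashiCorp's code): it builds the POST to /v1/auth/<approle_name>/login, scopes it to the namespace with the X-Vault-Namespace header, and parses the reply into the client token and its lease. The Vault host, the mount name workato_approle, the policy names and the sample reply are constructed assumptions.

```python
import json
import urllib.request

# Constructed sample of a Vault AppRole login reply (shape only; the token
# and policy names are made-up placeholders).
SAMPLE_RESPONSE = json.dumps({
    "auth": {
        "client_token": "hvs.CONSTRUCTED_PLACEHOLDER",
        "token_policies": ["default", "workato-hr-read"],
        "metadata": {"role_name": "workato"},
        "lease_duration": 3600,
        "renewable": True,
    }
})

def build_login_request(vault_url, mount, role_id, secret_id, namespace=None):
    """Return (url, headers, body) for POST /v1/auth/<mount>/login.
    `mount` is the <approle_name> segment of the `vault read auth/...`
    commands in Step 4 (the auth mount path), not the role name."""
    if not vault_url.startswith("https://"):
        raise ValueError("Vault URL must use https")
    for name, value in (("role_id", role_id), ("secret_id", secret_id)):
        if not value or "<" in value:  # an unfilled <placeholder> from the docs
            raise ValueError(f"{name} is missing or still a placeholder")
    url = f"{vault_url.rstrip('/')}/v1/auth/{mount.strip('/')}/login"
    headers = {"Content-Type": "application/json"}
    if namespace:
        # Without this header the request targets the root namespace, where
        # an AppRole mount that lives in admin/HR does not exist.
        headers["X-Vault-Namespace"] = namespace
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return url, headers, body

def parse_login_response(payload):
    """Extract the client token, its lease and policies from a login reply."""
    data = json.loads(payload)
    if data.get("errors"):  # Vault reports auth failures in this list
        raise PermissionError("; ".join(data["errors"]))
    auth = data["auth"]
    return {"token": auth["client_token"], "ttl": auth["lease_duration"],
            "renewable": auth["renewable"], "policies": sorted(auth["token_policies"])}

def login(vault_url, mount, role_id, secret_id, namespace=None):
    """Run the exchange over the network (needs a reachable Vault)."""
    url, headers, body = build_login_request(vault_url, mount, role_id, secret_id, namespace)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_login_response(resp.read())
```

The returned lease_duration is the lifetime of the token Workato receives; a short TTL with renewable set to true is the usual least-exposure configuration for the AppRole's token settings.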


Last updated: 1/2/2024, 7:18:05 PM