# Setting up HashiCorp Vault secrets engines for workspaces


Switching to workspace-specific secrets management causes all previously-configured external secret references to stop working.

# Prerequisites

To complete the steps in this guide, you must have the following:

  • In Workato:

    • An account with the Data Monitoring/Advanced Security & Compliance add-on. For more information, contact your Workato Customer Success Manager.
  • In HashiCorp Vault:

# Step 1: Select the scope for secrets management


Sign in to your Workato account.


Navigate to Settings > Secrets management.


In Scope, select the option “Set up secrets management for the entire workspace”.

Workato secrets management, selecting workspace scope

# Step 2: Select the secrets manager


Continuing from the previous step, in the field In the Which secrets manager do you want to use?, select HashiCorp Vault.

Hashicorp Vault secrets

# Step 3: Configure the following fields in Workato

Configure connectionConnect to HashiCorp Vault

  • Connection name
  • Name your HashiCorp Vault connection.
  • Connection type
  • If you want to connect using an on-premise group, select the group name from the picklist. Otherwise, to use a direct connection, select Cloud.
  • Authentication type
  • Select AppRole from the dropdown.
  • Vault URL
  • Enter the Vault URL of your Hashicorp Vault instance. It should follow this form https://<instance_name>.<company_name>.com:123.
    • instance_name

    • The name of your HashiCorp Vault instance.

    • company_name

    • The name of your organization.

  • Namespace

  • Optional. The name of the namespace that contains the secret(s) you plan to use in Workato. Namespaces (opens new window) are a set of features that enable you to define granular control and secrets management within your organization.

    In our example, we grant Workato access to the admin/HR namespace.

  • AppRole name
  • The AppRole you plan to use. An AppRole is a set of Vault policies and login constraints that determines which secrets you can access.

# Step 4: Obtain the AppRole ID and AppRole Secret ID from your HashiCorp Vault instance

AppRole is a login credential split into two parts- the AppRole ID and AppRole Secret ID. You must obtain both to authenticate to Workato. The AppRole ID can be considered similar to a username- its value remains constant and associated with its corresponding AppRole. On the contrary, the AppRole Secret ID is similar to a password or unique key and you can prompt HashiCorp Vault to refresh this credential, if needed.


In HashiCorp Vault click >_ to open the control panel.

Command iconOpen the control panel


Enter the following command:

vault read auth/<approle_name>/role/<role_name>/role-id
  • approle_name

  • The AppRole you have configured in HashiCorp Vault.

  • role_name

  • The name of the role (Workato) you plan to connect to.


vault read auth/workato_approle/role/workato/role-id

HashiCorp Vault returns the AppRole ID unique to your AppRole:

Key     Value                               
role_id 12a3bc45-6de7-8910-11fg-h4ij12XXXXXX

Copy and paste this value into the AppRole ID field in Workato.


Obtain the AppRole Secret ID by entering the following command to the control panel in HashiCorp Vault:

vault write -force auth/<approle_name>/role/<role_name>/secret-id


vault write -force auth/workato_approle/role/workato/secret-id

HashiCorp Vault generates an AppRole Secret ID for your AppRole:

Key                 Value
secret_id           ed0a642f-2acf-c2da-232f-1b2130XXXXXX
secret_id_accessor  a240a31f-270a-4765-64bd-94ba1fXXXXXX

Copy and paste the secret_id value into the AppRole Secret ID field in Workato.


Click Connect.


Workato displays the following message when you connect successfully.

Connection successfulConnection successful

Last updated: 1/2/2024, 7:18:05 PM