Secrets Vaults

Overview

This guide explains how to configure external secret vaults to securely store sensitive credentials for Veza integrations. Secret vaults enable customers to store sensitive information, such as usernames, passwords, authentication tokens, and certificates, in their private network environments rather than storing them in Veza.

When using secrets vaults, Veza stores only the secret identifiers (names or IDs) rather than the actual credential values. This approach ensures sensitive information never leaves your private network while allowing Veza's discovery and extraction processes to access required credentials dynamically.

How it works

The Secrets Vaults feature follows a secure retrieval flow:

The integration works as follows:

1. Your organization's vault credentials are stored exclusively on the external Insight Point in your environment. Veza never has access to these credentials outside of the discovery/extractor processes that run in your environment.

2. Veza stores only the references (IDs/names) to the secrets in your vault, not the actual secret values themselves.

3. When an integration needs to authenticate during discovery or extraction, Veza uses the vault credentials to dynamically fetch the required secret from your external vault.

4. After the discovery or extraction process completes, all secrets are discarded from memory. Veza never stores the actual secret values in its database.

You can revoke Veza's access to your secrets at any time by disabling the Insight Point or cutting off its connection to Veza's network.

Current limitations

In the current release, Secrets Vaults has the following limitations:

• Requires an external Insight Point

• Supports Azure Key Vault as the vault provider type

• Supported integrations:

  • Active Directory

  • Okta

  • LDAP

• Operates at the provider level only (datasource-level secrets are not yet supported)

• Requires all secret fields (username, password, etc.) to be stored as a single external secret in JSON format

Before you start

Before you configure secrets vaults, ensure:

• You have an external insight point deployed and configured

• You have an Azure Key Vault instance accessible from your Insight Point

• You have appropriate permissions to create and manage secrets in Azure Key Vault

• The feature flag INTEG_SECRETS_VAULT_EAC_47720 is enabled for your tenant

• Network connectivity exists between your Insight Point and Azure Key Vault

Configure vault access on Insight Point

1. Create a secrets vault configuration file on your external insight point.

   The configuration file must be in YAML format and contain the Azure credentials needed to ACCESS your Key Vault. These credentials allow the Insight Point to authenticate with Azure Key Vault to retrieve the actual integration secrets.

   Copy

   vaults:
     - name: 'MyVault'
       vault_provider: 'azure_key_vault'
       auth_type: 'client_secret'
       auth_config:
         vault_uri: 'https://my-vault.vault.azure.net/'
         tenant_id: '11111111-2222-3333-4444-555555555555'
         client_id: 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
         client_secret: 'my-secret'

2. Set the environment variable for the configuration file path.

   Export the path to your secrets vault configuration file:

   Copy

   export SECRETS_VAULTS_CONFIG_PATH="/dir1/dir2/dir3/secrets_vaults_config.yaml"

   The Insight Point will monitor the file for changes. The file can be updated without requiring an Insight Point restart.

3. Restart your external insight point.

   The insight point will read the vault configuration on startup and establish connectivity to your Azure Key Vault.

Set up Azure AD application

To allow Veza's Insight Point to authenticate with Azure Key Vault, create an application registration in Azure Active Directory:

1. Navigate to Azure Active Directory > App registrations in the Azure portal.

2. Click New registration.

3. Name the application (e.g., "Veza Secrets Vault Access").

4. Select appropriate supported account types (usually single tenant).

5. Click Register.

6. Note the Application (client) ID and Directory (tenant) ID for your configuration.

7. Navigate to Certificates & secrets.

8. Create a new client secret and note the value.

   This value will only be shown once, so copy it immediately.

9. Navigate to your Azure Key Vault resource.

10. Under Access policies, add a policy for your new application with Get and List permissions for secrets.

Create external secrets in Azure Key Vault

1. Navigate to your Azure Key Vault in the Azure portal.

2. Create a new secret for your integration credentials.

   Select Secrets from the left navigation, then click Generate/Import.

3. Enter the secret name and value.

   The secret name will serve as the identifier for the credentials in Veza. The secret value must be a JSON object containing all required credential fields for your integration type.

4. Format the secret value according to your integration type.

   Active Directory:

   Copy

   {
     "username": "domain\\serviceaccount",
     "password": "secretpassword",
     "ldaps_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----"
   }

   Okta (OAuth):

   Copy

   {
     "client_id": "0oa1a2b3c4d5e6f7g8h9",
     "private_key_id": "kid_value",
     "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----"
   }

   Okta (API Token):

   Copy

   {
     "token": "00A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9"
   }

   LDAP:

   Copy

   {
     "bind_dn_or_user": "cn=serviceaccount,ou=service,dc=example,dc=com",
     "bind_password": "secretpassword",
     "ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----"
   }

5. Save the secret.

   Azure Key Vault will generate a unique identifier for the secret that you'll reference when configuring your Veza integration.

Configure provider with secrets vault

1. Navigate to the Veza integrations page.

2. Create a new integration for your supported provider type.

   Secrets vaults are currently supported for Active Directory, Okta, and LDAP integrations.

3. Select your external insight point.

   Choose the insight point where you configured the vault credentials.

4. Enable secrets vault authentication.

   When the Insight Point is configured with external secrets, you'll see a Secrets Vault selection. Select External Secrets Vault instead of Veza Vault.

5. Configure the vault settings.

   • Vault Name: Select your vault from the dropdown (e.g., "MyVault")

   • Secret Name: Enter the name of the secret you created in Azure Key Vault

   Standard credential fields (username, password, etc.) will be hidden when the secrets vault is enabled.

6. Complete the provider configuration and save.

7. Test the connection.

   Initiate a discovery and extraction run to verify that secrets are being fetched correctly from Azure Key Vault and that the provider connects successfully to the target system.

Verification and troubleshooting

After configuring the provider with Secrets Vault:

1. Check the extraction logs to ensure the secrets are being fetched correctly from Azure Key Vault.

2. Verify that the provider connects successfully to the target system.

3. If connection fails, verify:

   • Azure Key Vault access policies are correctly configured

   • The secret JSON format matches the expected structure for your integration type

   • Network connectivity exists between the Insight Point and Azure Key Vault

   • The vault configuration file path is set correctly on the Insight Point

See also