Overview

This guide explains how to configure external secret vaults to securely store sensitive credentials for Veza integrations. Secret vaults enable customers to store sensitive information, such as usernames, passwords, authentication tokens, and certificates, in their private network environments rather than storing them in Veza.

When using secrets vaults, Veza stores only the secret identifiers (names or IDs) rather than the actual credential values. This approach ensures sensitive information never leaves your private network while allowing Veza's discovery and extraction processes to access required credentials dynamically.

How it works

The Secrets Vaults feature follows a secure retrieval flow:

The integration works as follows:

1. Your organization's vault credentials are stored exclusively on the external Insight Point in your environment. Veza never has access to these credentials outside of the discovery/extractor processes that run in your environment.

2. Veza stores only the references (IDs/names) to the secrets in your vault, not the actual secret values themselves.

3. When an integration needs to authenticate during discovery or extraction, Veza uses the vault credentials to dynamically fetch the required secret from your external vault.

4. After the discovery or extraction process completes, all secrets are discarded from memory. Veza never stores the actual secret values in its database.

You can revoke Veza's access to your secrets at any time by disabling the Insight Point or cutting off its connection to Veza's network.

Current limitations

In the current release, Secrets Vaults has the following limitations:

• Requires an external Insight Point

• Supports Azure Key Vault as the vault provider type

• Supported integrations:

  • Active Directory

  • Okta

  • LDAP

• Operates at the provider level only (datasource-level secrets are not yet supported)

• Requires all secret fields (username, password, etc.) to be stored as a single external secret in JSON format

Before you start

Before you configure secrets vaults, ensure:

• You have an external insight point deployed and configured

• You have an Azure Key Vault instance accessible from your Insight Point

• You have appropriate permissions to create and manage secrets in Azure Key Vault

• The feature flag INTEG_SECRETS_VAULT_EAC_47720 is enabled for your tenant

• Network connectivity exists between your Insight Point and Azure Key Vault

Configure vault access on Insight Point

1. Create a secrets vault configuration file on your external insight point.

   The configuration file must be in YAML format and contain the Azure credentials needed to ACCESS your Key Vault. These credentials allow the Insight Point to authenticate with Azure Key Vault to retrieve the actual integration secrets.

   Copy

   vaults:
     - name: 'MyVault'
       vault_provider: 'azure_key_vault'
       auth_type: 'client_secret'
       auth_config:
         vault_uri: 'https://my-vault.vault.azure.net/'
         tenant_id: '11111111-2222-3333-4444-555555555555'
         client_id: 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
         client_secret: 'my-secret'

2. Set the environment variable for the configuration file path.

   Export the path to your secrets vault configuration file:

   Copy

   export SECRETS_VAULTS_CONFIG_PATH="/dir1/dir2/dir3/secrets_vaults_config.yaml"

   The Insight Point will monitor the file for changes. The file can be updated without requiring an Insight Point restart.

3. Restart your external insight point.

   The insight point will read the vault configuration on startup and establish connectivity to your Azure Key Vault.

Set up Azure AD application

To allow Veza's Insight Point to authenticate with Azure Key Vault, create an application registration in Azure Active Directory:

1. Navigate to Azure Active Directory > App registrations in the Azure portal.

2. Click New registration.

3. Name the application (e.g., "Veza Secrets Vault Access").

4. Select appropriate supported account types (usually single tenant).

5. Click Register.

6. Note the Application (client) ID and Directory (tenant) ID for your configuration.

7. Navigate to Certificates & secrets.

8. Create a new client secret and note the value.

   This value will only be shown once, so copy it immediately.

9. Navigate to your Azure Key Vault resource.

10. Under Access policies, add a policy for your new application with Get and List permissions for secrets.

Create external secrets in Azure Key Vault

1. Navigate to your Azure Key Vault in the Azure portal.

2. Create a new secret for your integration credentials.

   Select Secrets from the left navigation, then click Generate/Import.

3. Enter the secret name and value.

   The secret name will serve as the identifier for the credentials in Veza. The secret value must be a JSON object containing all required credential fields for your integration type.

4. Format the secret value according to your integration type.

   Active Directory:

   Copy

   {
     "username": "domain\\serviceaccount",
     "password": "secretpassword",
     "ldaps_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----"
   }

   Okta (OAuth):

   Copy

   {
     "client_id": "0oa1a2b3c4d5e6f7g8h9",
     "private_key_id": "kid_value",
     "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----"
   }

   Okta (API Token):

   Copy

   {
     "token": "00A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9"
   }

   LDAP:

   Copy

   {
     "bind_dn_or_user": "cn=serviceaccount,ou=service,dc=example,dc=com",
     "bind_password": "secretpassword",
     "ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----"
   }

5. Save the secret.

   Azure Key Vault will generate a unique identifier for the secret that you'll reference when configuring your Veza integration.

Configure provider with secrets vault

1. Navigate to the Veza integrations page.

2. Create a new integration for your supported provider type.

   Secrets vaults are currently supported for Active Directory, Okta, and LDAP integrations.

3. Select your external insight point.

   Choose the insight point where you configured the vault credentials.

4. Enable secrets vault authentication.

   When the Insight Point is configured with external secrets, you'll see a Secrets Vault selection. Select External Secrets Vault instead of Veza Vault.

5. Configure the vault settings.

   • Vault Name: Select your vault from the dropdown (e.g., "MyVault")

   • Secret Name: Enter the name of the secret you created in Azure Key Vault

   Standard credential fields (username, password, etc.) will be hidden when the secrets vault is enabled.

6. Complete the provider configuration and save.

7. Test the connection.

   Initiate a discovery and extraction run to verify that secrets are being fetched correctly from Azure Key Vault and that the provider connects successfully to the target system.

Verification and troubleshooting

After configuring the provider with Secrets Vault:

1. Check the extraction logs to ensure the secrets are being fetched correctly from Azure Key Vault.

2. Verify that the provider connects successfully to the target system.

3. If connection fails, verify:

   • Azure Key Vault access policies are correctly configured

   • The secret JSON format matches the expected structure for your integration type

   • Network connectivity exists between the Insight Point and Azure Key Vault

   • The vault configuration file path is set correctly on the Insight Point

See also

Overview

Azure Key Vault is Microsoft's cloud service for securely storing and accessing secrets. This guide covers the Azure-specific configuration requirements for integrating with Veza's Secrets Vaults feature.

Prerequisites

• An Azure account with permission to create and manage Key Vaults

• A Microsoft Azure subscription with Key Vault service enabled

• Access to create and manage application credentials in Azure Active Directory

Azure Key Vault setup

Create or configure Key Vault

1. Navigate to the Azure portal and search for "Key vaults".

2. Create a new Key Vault or select an existing one.

   Ensure the Key Vault is accessible from your network where the Insight Point is deployed.

3. Note the Vault URI for your configuration.

   This will be in the format: https://your-vault-name.vault.azure.net/

Configure access control

Azure Key Vault supports two authorization models: Azure RBAC (recommended) and Access Policies (legacy). Microsoft recommends using Azure RBAC for new deployments.

Option 1: Azure RBAC (Recommended)

For new Key Vaults or those migrated to RBAC:

1. Ensure your Key Vault uses the RBAC permission model:

   Copy

   az keyvault update --name <vault-name> --resource-group <resource-group-name> --enable-rbac-authorization true

2. Navigate to your Key Vault resource.

3. Select Access control (IAM) from the left navigation.

4. Click + Add > Add role assignment.

5. Configure the role assignment:

   • Role: "Key Vault Secrets User" (for read access to secrets)

   • Assign access to: "User, group, or service principal"

   • Select: Choose the Azure AD application you created for Veza

6. Click Save to apply the role assignment.

Option 2: Access Policies (Legacy)

For existing Key Vaults using access policies:

1. Navigate to your Key Vault resource.

2. Select Access policies from the left navigation.

3. Click + Add Access Policy.

4. Configure the following permissions:

   • Secret permissions: Get, List

   • Select principal: Choose the Azure AD application you created for Veza

   • Authorized application: Leave blank unless using specific application restrictions

5. Click Add and then Save to apply the policy.

Azure Active Directory application setup

Set up Azure AD application

For secrets vault access, your app registration needs Key Vault permissions. If you need to create a new app registration specifically for secrets vault access:

1. Navigate to Azure Active Directory > App registrations.

2. Click New registration.

3. Configure the application:

   • Name: "Veza Secrets Vault Access" (or your preferred name)

   • Supported account types: Single tenant (recommended)

   • Redirect URI: Leave blank for this use case

4. Click Register.

5. Record the following values from the Overview page:

   • Application (client) ID

   • Directory (tenant) ID

Generate client secret

1. From your application registration, navigate to Certificates & secrets.

2. Click New client secret.

3. Configure the secret:

   • Description: "Veza Insight Point Access"

   • Expires: Choose an appropriate expiration based on your security policies

4. Click Add.

5. Important: Copy the secret Value immediately.

   This value will only be displayed once and cannot be retrieved later.

Verify permissions

Ensure your application has the necessary permissions:

1. Navigate to API permissions in your application registration.

2. Verify the application has appropriate Microsoft Graph permissions if needed for your environment.

3. If using managed identities, ensure the identity has the required Key Vault access policies configured.

Secret format specifications

Active Directory secrets

For Active Directory integrations, store credentials in this JSON format:

{
  "username": "DOMAIN\\serviceaccount",
  "password": "your_secure_password",
  "ldaps_certificate": "-----BEGIN CERTIFICATE-----\nMIIEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----"
}

Field requirements:

• username: Domain-qualified service account with appropriate AD permissions

• password: Secure password for the service account

• ldaps_certificate: Base64-encoded LDAPS certificate (optional, for secure LDAP connections)

Okta OAuth secrets

For Okta integrations using OAuth authentication:

{
  "client_id": "0oa1a2b3c4d5e6f7g8h9",
  "private_key_id": "your_key_id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END PRIVATE KEY-----"
}

Field requirements:

• client_id: OAuth client ID from Okta application configuration

• private_key_id: Key ID associated with the private key

• private_key: RSA private key in PEM format

Okta API Token secrets

For Okta integrations using API token authentication:

{
  "token": "00A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9"
}

Field requirements:

• token: Valid Okta API token with appropriate permissions

LDAP secrets

For LDAP integrations:

{
  "bind_dn_or_user": "cn=serviceaccount,ou=service,dc=example,dc=com",
  "bind_password": "your_secure_password",
  "ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----"
}

Field requirements:

• bind_dn_or_user: Distinguished name or username for LDAP binding

• bind_password: Password for the bind account

• ca_certificate: CA certificate for secure LDAP connections (optional)

Security considerations

Network isolation

• Ensure your Key Vault is accessible from the Insight Point's network

• Consider using Azure Private Link for additional network isolation

• Implement network security groups (NSGs) to restrict Key Vault access

Access control

• Follow the principle of least privilege when configuring access policies

• Regularly rotate client secrets and API tokens

• Monitor Key Vault access logs for unusual activity

• Consider using Azure managed identities where possible

Certificate management

• Store certificates in PEM format within the JSON secret values

• Ensure certificates are properly escaped for JSON formatting

• Monitor certificate expiration dates and plan for rotation

Troubleshooting

Authentication issues

Problem: "Access denied" errors when Insight Point attempts to retrieve secrets

Solutions:

1. Verify the client ID and secret are correct in the vault configuration

2. Check that access policies include both "Get" and "List" permissions for secrets

3. Ensure the tenant ID matches your Azure AD tenant

4. Verify the application registration is in the correct tenant

Network connectivity issues

Problem: Connection timeouts when accessing Key Vault

Solutions:

1. Verify network connectivity from the Insight Point to Azure Key Vault endpoints

2. Check firewall rules and network security groups

3. Confirm the Key Vault URI is correct and accessible

4. Test connectivity using tools like curl or wget from the Insight Point

Secret format issues

Problem: Integration fails to authenticate with target systems

Solutions:

1. Verify JSON formatting is correct (no extra spaces, proper escaping)

2. Ensure field names match the expected format for your integration type

3. Validate that certificates are in proper PEM format

4. Check that credentials are valid for the target system

Configuration file issues

Problem: Vault configuration not loaded by Insight Point

Solutions:

1. Verify the SECRETS_VAULTS_CONFIG_PATH environment variable is set correctly

2. Check that the YAML file is properly formatted

3. Ensure the Insight Point process has read permissions for the configuration file

4. Review Insight Point logs for configuration parsing errors

See also