Configure external key vault integration
You can integrate the Control Room with third-party key vault technology, including AWS Secrets Manager, Azure Key Vault, and CyberArk.
Prerequisites
- AWS Secrets Manager
  - Region
    - Each AWS Region is designed to be isolated from the other AWS Regions.
  - AWS Key
    - Provide the AWS access key. For On-Premises installations, this key must also be an environment variable configured on the Control Room Server.
  - AWS Secret Key
    - Secret access key. AWS does not allow retrieval of a secret access key after its initial creation. For On-Premises installations, this key must also be an environment variable configured on the Control Room Server.
  - AWS Session Token
    - On-Premises installations require the session token to be an environment variable configured on the Control Room Server.
  - Credential Identifiers to be used during installation
    - Database credentials
    - Service Account credentials
- CyberArk
  - Central Credential Provider API URL
    - The CyberArk CCP URL endpoint on the CyberArk server.
  - CyberArk Application ID
    - The CyberArk issued Application ID.
  - Certificate used to authenticate to CyberArk
    - Control Room Client Certificate trusted by CyberArk AAM server. The certificate issued for this purpose will generally be requested from the administrative team within the organization that manages the internal Certificate Authority (CA) for the RPA environment. This certificate will be distributed in a passphrase protected file, and you will need to enter the passphrase to authenticate.
  - Optional Certificate
    - You can optionally load the CyberArk AIM Server certificate to the Control Room trust store here to make sure that the Control Room will trust the CyberArk server.
  - Credential Identifiers to be used during installation
    - Safe and Object Name
    - Database credentials
    - Service Account Credential
- Azure
  - Vault URL
    - The address for the Azure server.
  - Client ID
    - The Azure Client ID.
  - Client Secret
    - Key supplied by Azure to be paired with the Directory (Tenant) ID and User ID.
  - Tenant ID
    - The Azure Tenant ID.
The following illustration shows the default options:

The following information is required for configuring CyberArk integration:
Credentials used by the platform for services including database connections, Active Directory integration, and Simple Mail Transfer Protocol (SMTP) can be configured for retrieval from the integrated external key vault.
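One way to confirm the CyberArk prerequisites listed above (CCP URL, Application ID, client certificate and passphrase, Safe and Object Name) before installation, as an added example that is not Control Room or CyberArk code. It assumes the CCP URL is the full Accounts endpoint and that the client certificate has been exported to PEM; the host name, Application ID, Safe and Object values are constructed.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit


def ccp_query_url(ccp_url, app_id, safe, object_name):
    """Build the CCP lookup URL for one credential identifier."""
    parts = urlsplit(ccp_url)
    if parts.scheme != "https" or not parts.netloc:
        # Client-certificate authentication only happens over TLS.
        raise ValueError("CCP URL must be an https:// endpoint")
    if parts.query or parts.fragment:
        raise ValueError("CCP URL must not already carry a query string")
    fields = (("AppID", app_id), ("Safe", safe), ("Object", object_name))
    for name, value in fields:
        # Stray whitespace is a common copy-and-paste fault in these fields.
        if not value or value != value.strip():
            raise ValueError(f"{name} is empty or has stray whitespace")
    return f"{ccp_url}?{urlencode(dict(fields))}"


def client_tls_context(cert_pem, passphrase, ccp_ca_pem=None):
    """TLS context that presents the client certificate to the CCP."""
    # Assumption: cert_pem holds certificate and encrypted private key in PEM.
    # ccp_ca_pem plays the role of the optional server certificate: trust the
    # internal CA explicitly instead of turning verification off.
    ctx = ssl.create_default_context(cafile=ccp_ca_pem)
    ctx.load_cert_chain(cert_pem, password=passphrase)
    return ctx


def check_credential(url, ctx, timeout=10):
    """Fetch one object and report success without exposing the secret."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        body = json.load(resp)
    # "Content" carries the secret in a CCP response; report presence only.
    return {"username": body.get("UserName"),
            "has_secret": bool(body.get("Content"))}


if __name__ == "__main__":
    # Constructed values, not taken from any real environment.
    print(ccp_query_url(
        "https://ccp.example.internal/AIMWebService/api/Accounts",
        "ControlRoom_App", "RPA Safe", "db-service-account"))
```

Run `check_credential` once per credential identifier (database and service account) from the Control Room Server itself, so the test exercises the same network path and certificate trust that the installer will use.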