Integrating external key vault with Control Room
- Updated: 2023/11/10
Automation Anywhere Control Room supports these external key vaults: CyberArk Password Vault, AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault.
Use cases
The following use cases are supported:
- Control Room bootstrap
- Retrieval of credentials used by the Control Room to authenticate to supporting services such as the database and the Control Room software service account.
- Control Room system
- Retrieval of credentials used by the Control Room for Active Directory (AD) and email (SMTP) integration.
- Agent auto-login
- Retrieval of credentials used by the RPA platform to launch automations on designated Automation 360 Bot Agent devices.
- Agent automation
- Retrieval of credentials that the automation (bot) uses during runtime to perform authentications to the applications that are being automated.
Plan your integration
Before you integrate your external key vault with the Automation 360 Control Room, you need to develop an overall external key vault strategy.
The answers to these questions will help determine the integration requirements for the external key vault.
- What type of Automation 360 Control Room deployment do you have: On-Premises or Cloud?
- On-Premises: The Control Room and external key vault are hosted at the customer's site and environment.
The external key vault can be any of the following, hosted within the customer site (customer-controlled datacenter or environment):
- CyberArk Password Vault – Customer On-Premises environment
- AWS Secrets Manager – Customer AWS environment
- Azure Key Vault – Customer Azure environment
- HashiCorp Vault – Customer HashiCorp environment
You can configure the external key vault connection during initial installation or post-installation using the key vault utility.
- Cloud: The Control Room is hosted on the Automation 360 Cloud environment and the external key vault is hosted within the customer site (where the customer-controlled datacenter is either On-Premises or in a Cloud environment such as AWS):
The key vault in the customer network requires connection to the Automation 360 Cloud Control Room. You configure the connection to the external key vault from the Automation 360 user interface. Customer network perimeter configuration is required.
- What type of third-party external key vault do you have?
- CyberArk Password Vault, AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault.
Each external key vault has its own specific requirements. Review all configuration requirements with RPA and external key vault administrators before starting the integration.
- What type of credentials do you need to retrieve from the external key vault based on the supported use cases?
- By integrating the Automation 360 Control Room with your external key vault, you can retrieve credentials that support these use cases:
| Use case | Credentials | Supported deployment | Credential caching | Credential rotation |
| --- | --- | --- | --- | --- |
| Control Room bootstrap | Used to authenticate the database and (optionally) start the Control Room services (Service account) | On-Premises only | Caches the retrieved values | You should rotate the database credential during scheduled downtimes |
| Control Room system | Used to authenticate to Active Directory (AD), Service account, and SMTP | On-Premises only | Caches the retrieved values | You should rotate the AD, Service account, and SMTP credentials during scheduled downtimes |
| Agent auto-login | Used by Bot Agent to perform auto-login on a Bot Agent device before launching an automation | On-Premises and Cloud | Does not cache values from external key vault | Always retrieves the latest available credential rotated in the external key vault |
| Agent automation | Used by the automation to authenticate to the applications being automated | On-Premises and Cloud | Does not cache values from the external key vault | Always retrieves the latest available credential rotated in the external key vault |
Coordinate with external key vault admin team
To ensure a productive, efficient, and rapid integration with the external key vault, you must coordinate with the external key vault administration team and exchange the technical requirements of the RPA platform. By carefully planning and coordinating with the external key vault administration team, you can quickly integrate the Automation Anywhere Control Room with the external key vault and avoid time-consuming troubleshooting issues.
We suggest you follow these guidelines to structure your integration process:
- Review the supported credential use cases to determine which credentials the RPA platform needs to retrieve from the external key vault.
- Schedule a kick-off meeting with the external key vault administration team to exchange information on these details:
- Which key vault to use?
- Which use cases to configure?
- What are the credential naming conventions required by the RPA platform?
- How are the credentials configured and updated on the external key vault?
- Does the external key vault have multiple instances (multiple instances of the external key vault can be used for different Automation Anywhere Control Room instances)?
- Who are the designated contacts for the RPA platform and key vault administration?
- Review the configuration requirements for the Control Room:
- Are you installing a new Control Room with key vault integration?
If so, then review the installation procedure for the external key vault integration.
- Are you configuring an existing Control Room to use external key vault integration for the first time?
If so, then review the key vault utility usage procedure to configure key vault integration post-installation.
- Is the Control Room an Automation 360 Cloud Control Room that will connect to an on-premises key vault?
If so, then you must coordinate with your IT networking team to configure connectivity between the Cloud Control Room and your internal network.
- Review the external key vault configuration procedure and note all integration settings requirements:
- Key vault configuration requirements to configure on the external key vault before integration
- Control Room operating system configuration
- Authentication method that the Control Room will use to connect to the external key vault
- Schedule integration meetings to coordinate these configuration and setup tasks for the Control Room and external key vault administrators:
- Configuration of the key vault connection
- Configuration of each use case
- Testing of each use case
Note: These integration meetings should be ongoing until you have configured and tested all use cases.
- Add the external key vault integration to regular IT cadence meetings to monitor the operation of the Control Room and the external key vault, specifically credential rotation coordination.