External vaults require secret names to follow specific conventions, often including prefixes like autologin_ and encoding certain special characters. These names must align with the system's username.

Agent auto-login naming conventions

The Control Room retrieves auto-login credentials based on the object naming convention within the external key vault. The Control Room searches for an object where the object name (the credential name in the external key vault) matches the Control Room username for which it is performing auto-login.

The prefix autologin_ is required as part of the naming convention for auto-login credentials for all the supported external key vaults. The name of the auto-login credential in the external key vault must contain autologin_ followed by the Control Room username. In some cases, certain key vaults have restrictions on the characters that can be used in credential object names. Additionally, to support how different use cases encode credentials, Automation 360 requires that certain characters be reserved or encoded.

The following table lists examples of the object naming conventions expected in the Control Room:

| Control Room username | Expected object name format |
|---|---|
| ABCD\user123 | autologin_ABCD--user123 |
| user123@rpa.abcd.com | autologin_user123-40-rpa-2e-abcd-2e-com |
| ABCD\user123 | autologin_ABCD\user123 |
| user123@rpa.abcd.com | autologin_user123@rpa.abcd.com |
| john | autologin_john |

Note: For On-Premises customers using AD authentication, you must format auto-login usernames using the UPN format or domain\username postfix.

For auto-login credentials, keep these in mind:

  • The object name in the external key vault must contain autologin_ as a prefix.
  • The auto-login credential names must map to the Control Room username (login ID) for the credential being retrieved.

    Some external key vaults restrict the use of certain characters, such as the backslash (\) and the at sign (@), in the secret name (object name), and restrict how special characters are interpreted within API calls. If the user ID contains special characters, you must encode the secret name (object name) in the external key vault using ASCII code character substitutions, as listed in the following table.

| This character | Changes to this ASCII code character substitution |
|---|---|
| \ (backslash) | -- |
| - (dash) | -2d- |
| _ (underscore) | -5f- |
| @ (at sign) | -40- |
| . (period) | -2e- |

Note: Except for the backslash, which is mapped to double dashes, the dash, period, underscore, and at sign are mapped using their ASCII code bracketed in dashes.
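
The substitution rules above, worked through as an added Python example (not Automation Anywhere code): it builds the expected autologin_ object name for a username, decodes a vault name back to a username, and compares a username list against a vault listing. The function names, the constructed sample data, exact case-sensitive matching, and the refusal of characters the table does not list are assumptions of this example.

```python
import re

PREFIX = "autologin_"
# Substitutions from the table above; backslash is the only one not written
# as its ASCII code.
SUBST = {"\\": "--", "-": "-2d-", "_": "-5f-", "@": "-40-", ".": "-2e-"}
REVERSE = {v: k for k, v in SUBST.items()}
TOKEN = re.compile(r"[A-Za-z0-9]|--|-(?:2d|5f|40|2e)-")
ENCODED_BODY = re.compile(r"(?:%s)+" % TOKEN.pattern)

def encode_object_name(username):
    """Return the encoded vault object name for a Control Room username."""
    out = []
    for ch in username:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ch in SUBST:
            out.append(SUBST[ch])
        else:
            # Assumption: the table lists no substitution here, so do not guess.
            raise ValueError(f"no substitution listed for {ch!r}")
    return PREFIX + "".join(out)

def decode_object_name(name):
    """Return the username an encoded name maps to, or None if malformed."""
    body = name[len(PREFIX):] if name.startswith(PREFIX) else ""
    if not ENCODED_BODY.fullmatch(body):
        return None  # missing prefix, empty body, or a raw special character
    return TOKEN.sub(lambda m: REVERSE.get(m.group(), m.group()), body)

def audit(usernames, vault_names):
    """Compare expected object names with the vault listing (exact match)."""
    expected = {encode_object_name(u): u for u in usernames}
    present = set(vault_names)
    return {
        "missing": sorted(u for n, u in expected.items() if n not in present),
        "unmatched": sorted(n for n in present
                            if n.startswith(PREFIX) and n not in expected),
    }

# Constructed sample data: usernames from the table above and a vault listing
# in which one secret was only partly encoded (periods left as-is).
USERS = ["ABCD\\user123", "user123@rpa.abcd.com", "john"]
VAULT = ["autologin_ABCD--user123", "autologin_user123-40-rpa.abcd.com",
         "autologin_john"]

if __name__ == "__main__":
    print(audit(USERS, VAULT))
```

A username reported as missing next to a vault name reported as unmatched usually points to a partly encoded secret name, which would leave auto-login unable to find the credential.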

Agent automation naming conventions

Agent automation credentials are credentials retrieved by the automation during runtime and used by the automation bot to authenticate with applications. Automation credentials retrieved from external key vaults are mapped in the Automation Anywhere Credential Vault using the External Key Vault option when configuring lockers and credentials.

The Automation Anywhere locker is mapped to either of the following:

  • Safe Name (CyberArk)
  • Secret Name Prefix (AWS, Azure, and HashiCorp)

A credential is mapped to either of the following:

  • An Object Name (CyberArk)
  • A Secret Name body (AWS, Azure, and HashiCorp)

Note: You can map any Automation Anywhere locker to any CyberArk Safe Name. The Safe Names used to map Automation Credentials should be distinct from the Safe Name used for auto-login.

To support the Automation Anywhere user-defined credentials functionality, you can create credentials using a Control Room_username postfix because these credentials are retrieved based on the user context of the running bot. If you do not create user-defined credentials, then the automation bot credential retrieval process retrieves the system credential.

Note: For On-Premises customers using AD authentication, you must format Agent automation usernames using the UPN format or domain\username postfix.

External key vaults prohibit different special characters in secret names. As a result, you must encode some characters in the credential (secret) name in the external key vault based on the type of external key vault (CyberArk, AWS, and Azure) you are using and its specific requirements.

HashiCorp secret naming convention

By default, the Control Room integration with HashiCorp allows the following characters without encoding:
  • Uppercase characters (A–Z)
  • Lowercase characters (a–z)
  • Numerals (0–9)
  • Special characters (+=)

For any other special character, the secret name must contain the ASCII-encoded value of that character. For example, an underscore character (_) must be written as -5f-.

On-Premises deployments: To override the default characters encoded by the Control Room, add the following property and regex value in the keyvault.properties file located in the Automation Anywhere configuration directory. For example, use the following expression if you do not want to encode special characters:

    name.encoding.characters.allowed.regex.hashicorp=^[A-Za-z0-9/_+=.@-]+$