HashiCorp Vault integration

You can integrate Automation 360 to retrieve credentials from the HashiCorp Vault. The credentials reside in the HashiCorp Vault where you can manage, rotate, and synchronize them.

Note: The HashiCorp mark and logo are trademarks or registered trademarks of HashiCorp, Inc. and are used for identification purposes only.

Note: No additional Automation Anywhere license is required to integrate with the HashiCorp Vault or use the HashiCorp APIs.

You integrate the Control Room by connecting it to the HashiCorp Vault through the HashiCorp HTTP APIs.

The following table lists the features supported by the different deployment types:

Feature                           Cloud          On-Premises
Agent automation credentials      Supported      Supported
Agent auto-login credentials      Supported      Supported
Bootstrap and system credentials  Not supported  Supported

You can integrate the Control Room with the HashiCorp Vault using either of these deployments:

  • Cloud

    The following diagram shows a Cloud deployment where the Control Room is hosted on the AAI Cloud.

    (Diagram: HashiCorp cloud deployment)

  • On-Premises

    For On-Premises deployments, you deploy the following:

    • Control Room as software within your customer environment.
    • Bot Agent within your customer environment where automations run and access customer applications.
    Note: You can also connect your On-Premises Control Room to HashiCorp Cloud via the internet.

(Diagram: HashiCorp On-Premises deployment)

HashiCorp Vault integration requirements

  • The HashiCorp Vault service must be accessible from the Control Room.
  • The HashiCorp external key vault must be reachable from the Cloud Control Room through the network perimeter firewall rules. For external firewall rules configuration details, see Control Room IP addresses for external integrations.
  • Ensure that you have the following values configured in the HashiCorp Vault because you will use these values when you configure the vault in the Control Room. For information on how to configure these values in HashiCorp, see AppRole Auth Method.
    Note: For On-Premises deployments, you can configure the external key vault settings during installation or with the key vault utility post-installation. For more information, see the following topics:
    Field name: Description

    Vault URL
      Specifies the HashiCorp Vault URL. For example: https://<host> or https://<host or IP>:<port>

    Role ID
      Specifies the RoleID of the configured HashiCorp server. For example: 675a50e7-cfe0-be76-e35f-49ec009731ea. See AppRole Pull Authentication.

    Role Name
      Specifies the role name of the configured HashiCorp server. For example: jenkins. See AppRole Pull Authentication.

    Secret ID
      Specifies the SecretID of the configured HashiCorp server. For example: ed0a642f-2acf-c2da-232f-1b21300d5f29. See AppRole Pull Authentication.

    Secrets Engine Path
      Specifies the key vault secrets engine path.

      The path is set to v1/secret/data by default. You can change this path if your kv secrets engine path is different. This path is case-sensitive: for example, V1/secret/data and V1/SECRET/DATA are treated as two separate paths when both are active. Ensure that you have moved or re-created the secrets under the correct secrets engine path.

      Note: Ensure that you have granted the role name of the configured HashiCorp server read permission on the kv secrets engine path.

    Namespace (Optional)
      Specifies the namespace for the organization (tenant). For example: tenant1.

    Optional Certificate
      Upload the HashiCorp server public certificate to the Control Room. The certificate must be in PEM format (.pem or .cer). For example: C:\John\certs\hashicorpserver.pem.

Install HashiCorp Vault

You must install and configure the HashiCorp Vault. See HCP Vault Quick Start.

Use AppRole in HashiCorp Vault

AppRole is an authentication method used in the HashiCorp Vault for applications to interact with the vault. AppRole uses the following values for authentication:

  • RoleID: A unique identifier for AppRole. You can use the Role ID with any number of instances of an application.
  • SecretID: A randomly generated value that is used to authenticate the AppRole. The secret ID is intended for a single instance of an application, is short-lived, and can be used by authorized applications only.
    Important: We recommend that you do not share this value.
  • Role name: Roles are listed by the role name.
  • Namespace: Allows you to create groups of secrets and apply policies to those namespaces to ensure that each tenant can only access the secrets they have permission to.

For information on how to configure AppRole, see AppRole Auth Method.

Import server certificate

In On-Premises deployments, you can import individual server certificates into the truststore. However, we recommend that you import the issuing Certificate Authority (CA) certificate. For more information, see Import HTTPS SSL, intermediate, and CA certificates.

  1. The client (Automation 360 Control Room) sends a request to the HashiCorp Vault (protected resource).
  2. The server then responds by sending a certificate back to the client.
  3. The Control Room verifies the certificate sent by the HashiCorp server by validating it against the trusted server certification information stored in the public part of the Control Room truststore.
  4. Both parties (client and server) gain access to the protected resources if the certificate passes validation on all of the following points:
    • The Control Room trusts the certificate presented by the HashiCorp server.
    • The Subject field in the certificate matches the Fully Qualified Domain Name (DNS Name) of the calling system.
    • The certificate has not expired.

HashiCorp HTTP API configuration requirements

You must have network connectivity between the Control Room and the HashiCorp server. The Control Room connects to the HashiCorp Vault through the HashiCorp HTTP APIs in both On-Premises and Cloud deployments.

To use the HashiCorp API, you must set these required parameters:

  • Vault URL
  • Role ID
  • Role Name
  • Secret ID
  • Secrets Engine Path
  • Namespace (optional)
  • Optional Certificate

Review HashiCorp credential terminology and identifiers

HashiCorp and Automation Anywhere use different terminology to describe and identify credentials:

Description                   HashiCorp   Automation Anywhere
Where credentials are stored  secrets     credentials
  • Credentials in HashiCorp are stored as secrets.
  • Credentials in Automation Anywhere are stored in lockers, where each locker has access controls for Control Room users.
For database, service account, SMTP, and AD credentials, the key vault secret data should use the following format:
  • username: john
  • password: 2zR%#sX#g
For automation, the key vault secret data should use the following format:
  • email: john@email.com
  • passcode: my-long-passcode

HashiCorp secret ID rotation

The Control Room runs a scheduled job to proactively rotate the HashiCorp secret ID for a tenant. This process ensures that automations that use key vault credentials run without interruption. By default, the secret ID rotation job runs every hour. The secret ID is rotated based on its expiration time: it is changed once two-thirds of the secret ID's lifetime has elapsed.
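As an added illustration (not code from Automation Anywhere or HashiCorp), the following Python models the pieces this page describes: the AppRole login the Control Room performs with the Role ID and Secret ID, the case-sensitive secrets engine path, the username/password and email/passcode secret formats, and the two-thirds rotation rule. It assumes the AppRole method is mounted at Vault's default path auth/approle, and the KV response and IDs are constructed placeholders.

```python
import json

# Constructed sample of a KV v2 read response (not captured from a real Vault).
SAMPLE_KV_RESPONSE = json.dumps({
    "data": {
        "data": {"username": "john", "password": "2zR%#sX#g"},
        "metadata": {"version": 3},
    }
})

# Keys the Control Room expects for each credential kind, per this page.
REQUIRED_KEYS = {
    "system": ("username", "password"),        # database, service account, SMTP, AD
    "automation": ("email", "passcode"),       # automation credentials
}


def approle_login_request(vault_url, role_id, secret_id, namespace=None):
    """Build the AppRole login call: POST to v1/auth/approle/login (assumes the
    default mount). The optional namespace travels in the X-Vault-Namespace
    header, not in the URL path."""
    headers = {"Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    url = vault_url.rstrip("/") + "/v1/auth/approle/login"
    body = json.dumps({"role_id": role_id, "secret_id": secret_id})
    return url, headers, body


def kv_read_url(vault_url, secrets_engine_path, secret_name):
    """Join the secrets engine path (default v1/secret/data) with the secret
    name. The path is passed through unchanged because Vault treats it as
    case-sensitive; never lower-case it to 'normalise' it."""
    return "%s/%s/%s" % (vault_url.rstrip("/"), secrets_engine_path.strip("/"), secret_name)


def extract_credential(response_text, kind):
    """Pull the credential out of a KV v2 read response and reject secrets
    that do not carry the keys required for this credential kind."""
    payload = json.loads(response_text)["data"]["data"]
    missing = [k for k in REQUIRED_KEYS[kind] if k not in payload]
    if missing:
        raise ValueError("secret is missing keys: %s" % ", ".join(missing))
    return {k: payload[k] for k in REQUIRED_KEYS[kind]}


def rotation_due(secret_id_ttl_s, elapsed_s):
    """Secret ID rotation is triggered once two-thirds of the TTL has elapsed."""
    return elapsed_s >= secret_id_ttl_s * 2 / 3
```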

If the HashiCorp secret ID rotation fails, you can manually change the secret ID using the following Cloud or On-Premises procedures: