Secret Store Integration Settings
Last modified on August 10, 2022
Secret store integrations allow you to use your existing third-party secret stores with strongDM. Your credentials are stored in a tool that is controlled by you, and those credentials are never transmitted to strongDM in any form. If you would like to learn more about how this integration works and why you might wish to use it, please read the Secret Stores Reference.
Create a Secret Store
To integrate with a new Secret Store:
- In the Admin UI, go to Network > Secret Stores.
- Click the add secret store button.
- On the Add Secret Store form:
- Enter a Display Name.
- Select the Secret Store Type.
- Fill in any remaining fields shown for your type.
Credentials for authenticating to the secret store reside on your Gateway/Relay servers. To learn how to integrate a specific secret store provider with strongDM, read the configuration guides.
Once you’ve configured gateway servers to authenticate to the secret store, you can check its health on the Diagnostics tab.
In Settings > Credential Management, you can set Allow credentials to be stored in strongDM to No in order to require that all new resources use secret store integrations instead. Note that disabling this option does not affect existing resources (which will continue to function as they always have), only the creation of new ones.
Configure a Resource
Once your secret store integration is configured and you have set up authentication on your relay servers, you need to create resources that read their credentials from the secret store.
In the Admin UI, add a new resource, such as a Server or Datasource.
Fill in the fields as normal, but for the Secret Store field, choose your secret store.
Fill in the path to the username and password. Those paths may look something like
/path/to/credentials/db_password. If you’re using one credential with multiple key/value entries, the path may instead take the format of
/path/to/credentials?key=db_username. This format may vary between secret store providers and will be indicated in the placeholder text for each field.The healthcheck for the new resource depends on the credentials being loaded from the secret store. If they are not, it will not go green.
You’re done. The resource is ready to be used within strongDM.