Secret Stores Settings
This feature is currently in closed-access beta. Functionality and documentation may change.
Secret Stores allow you to use your existing third-party secrets storage tool with strongDM. Your credentials are stored in a tool that is controlled by you, and those credentials are never transmitted to strongDM in any form. If you would like to learn more about how Secret Stores work, and why you might wish to use them, please read the Secret Stores Reference.
Create a Secret Store
To create a new Secret Store:
- In the Admin UI, go to the Settings page, and click the Secret Stores tab.
- Click the "add secret store" button to reveal the Add Secret Store form.
- Enter a Display Name.
- Select the Secret Store Type.
Credentials for authenticating to the secret store reside on your gateway/relay servers. For details on how to setup secret store credentials, use the appropriate guide:
Once you've configured gateway servers to authenticate to the secret store, you can check its health on the diagnostics tab.
Uncheck Allow credentials to be stored in strongDM to require that all new resources use Secret Stores. Note that disabling this option does not affect existing resources (which will continue to function as-is), only the creation of new ones.
Configure a resource
Once your secret store is configured, and you have set up authentication on your relay servers, you need to create resources that read their credentials from the secret store.
In the Admin UI, add a new resource such as a server or datasource.
Fill in the fields as normal, but for the Secret Store field, choose your Secret Store..
Fill in the path to the username and password. Those paths may look something like
/path/to/credentials/db_password. If you’re using one credential with multiple key/value entries, the path may instead take the format of
/path/to/credentials?key=db_username. This format may vary between types of Secret Stores, and will be indicated in the placeholder text for each field.The healthcheck for the new resource depends on the credentials being loaded from the secrets storage tool. If they are not, it will not go green.
You're done. The resource is ready to be used within strongDM.