Secret Store Integration Settings

This feature is currently in public beta. Functionality and documentation may change.

Secret store integrations allow you to use your existing third-party secret stores with strongDM. Your credentials are stored in a tool that is controlled by you, and those credentials are never transmitted to strongDM in any form. If you would like to learn more about how this integration works, and why you might wish to use it, please read the Secret Stores Reference.

Create a Secret Store

To integrate with a new Secret Store:

  1. In the Admin UI, go to the Settings page, and click the Secret Stores tab.
  2. Click the "add secret store" button to reveal the Add Secret Store form.
    Secret Stores Settings
  3. Enter a Display Name.
  4. Select the Secret Store Type.

Connection Details

Credentials for authenticating to the secret store reside on your gateway/relay servers. To learn how to integrate a specific secret store provider with strongDM, read the configuration guides.

Once you've configured gateway servers to authenticate to the secret store, you can check its health on the diagnostics tab.

Other settings

Uncheck "Allow credentials to be stored in strongDM" to require that all new resources use secret store integrations instead. Note that disabling this option does not affect existing resources (which will continue to function as they always have), only the creation of new ones.

Configure a resource

Once your secret store integration is configured, and you have set up authentication on your relay servers, you need to create resources that read their credentials from the secret store.

  1. In the Admin UI, add a new resource such as a server or datasource.

  2. Fill in the fields as normal, but for the Secret Store field, choose your secret store.

  3. Fill in the path to the username and password. Those paths may look something like /path/to/credentials/db_username or /path/to/credentials/db_password. If you’re using one credential with multiple key/value entries, the path may instead take the format of /path/to/credentials?key=db_username. This format may vary between secret store providers, and will be indicated in the placeholder text for each field.

    The healthcheck for the new resource depends on the credentials being loaded from the secret store. If they cannot be loaded, the healthcheck will not go green.
  4. You're done. The resource is ready to be used within strongDM.
