Configure HashiCorp Vault Integration

This feature is currently in public beta. Functionality and documentation may change.

Secret store integrations allow you to use your existing third-party secret stores with strongDM. Your credentials are stored in a tool that is controlled by you, and those credentials are never transmitted to strongDM in any form. If you would like to learn more about how this integration works, and why you might wish to use it, please read the Secret Stores Reference.

This guide will walk you through how to integrate HashiCorp Vault with strongDM, and how to use it to connect to resources.


To follow this guide, you need:

  • a running Vault server (Vault Installation Guide)
  • credentials to some of your resources, stored in the Vault instance
  • correct paths to the credentials

Authenticating to Vault

strongDM currently supports two authentication methods that let your relay server authenticate to Vault: Token-based Authentication and TLS Certificates.

strongDM recommends TLS Certificate-based authentication for Vault secret stores. Token-based authentication may be a good option for testing and quick implementation, but it is inherently less secure.

Token-based authentication

Set the VAULT_TOKEN environment variable to allow the relay to authenticate with Vault.

  1. Get a Token for Vault.
  2. Set the necessary environment variable on your relay server (VAULT_TOKEN). Edit the file /etc/sysconfig/sdm-proxy (unless you have moved or renamed your sdm-proxy file) and add the following line, substituting your token:
  3. Restart the sdm-proxy service (with something like sudo systemctl restart sdm-proxy, depending on your distribution).

TLS certificate-based authentication

Follow the Vault documentation regarding Certificate authentication with Vault.

When you install the TLS Certificates on the relay server, place them in a directory that is accessible to the sdm relay service. Save the file paths for use later. Note that the policy for the certificate used needs to allow access to the secret paths.

Configure the Secret Store with the Admin UI

Once you have your Vault set up, credentials stored, and your relay server able to access said credentials, it's time to register the Vault with strongDM.

  1. In the Admin UI, go to the Settings page, and click the Secret Stores tab.
  2. Click the "add secret store" button to reveal the Add Secret Store form.
    Secret Stores Settings
  3. Enter a Display Name, and set the appropriate Secret Store Type.
  4. Enter the appropriate authorization info:
    • for Token-based authentication, either the address
    • for Certificate-based authentication, enter the path to the certificates stored on your relay server

If you've configured the relay server correctly for secret store access and authorization, you will see the green online indicator.

Test access to the resource

Now, create a resource that uses the secret store, assign it to a user, and verify that you can connect.

  1. In the Admin UI, add a new resource such as a server or datasource and choose the Vault Secret Store type.
  2. Fill out the information for a resource whose credentials you have stored in your Vault secret store.
  3. Select the Vault Secret Store you created for the Secret Store field, then fill in the path to the secrets that you've stored in your secret store.
    1. Vault accepts plaintext secrets, which you would use to store one credential field per secret, or JSON secrets, which could include many credential values with different keys. If using JSON, add the key along with the path to the credential, such as example-secret?key=username. Note that Vault will even allow the direct import of JSON, such as: vault kv put secret/foo @data.json.
    2. It is preferred that certificates be Base64-encoded. If the secret you are storing is a certificate, you should Base64-encode it, and then enter the path as follows when setting up a resource to use it: example-secret?key=certificate&encoding=base64.
  4. Submit the form.
  5. Go to Users, and assign a user access to the resource.
  6. Log in as that user in your local GUI (or have the user do so, if the account is not yours) and verify that the resource exists, test a connection, and execute a query.

Congratulations, you've connected to a resource using secret stores.
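The following pre-flight check is an added example, not strongDM or Vault code. It tests a secret path such as example-secret?key=certificate&encoding=base64 against the JSON fields you plan to store, before you enter the path in the Admin UI. The function names, the sample secret, and the rule that only key and encoding=base64 are accepted are assumptions drawn from the two path forms shown in this guide.

```python
import base64
from urllib.parse import parse_qs

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def parse_reference(ref):
    """Split 'path?key=K&encoding=E' into (path, key, encoding)."""
    path, _, query = ref.partition("?")
    params = parse_qs(query, keep_blank_values=True)
    # Assumption: only the two parameters shown in this guide are valid.
    unknown = sorted(set(params) - {"key", "encoding"})
    if not path or unknown:
        raise ValueError(f"bad reference {ref!r}; unknown parameters: {unknown}")
    return path, params.get("key", [None])[0], params.get("encoding", [None])[0]

def check_reference(ref, secret):
    """Return a list of problems (empty means OK); never echoes secret values."""
    _, key, encoding = parse_reference(ref)
    if not key:
        return ["JSON secret: append ?key=<field> to the path"]
    if key not in secret:
        return [f"key {key!r} not found; secret has {sorted(secret)}"]
    value = secret[key]
    if encoding is None:
        # The guide prefers certificates to be stored Base64-encoded.
        if value.lstrip().startswith(PEM_HEADER):
            return [f"{key!r} is a raw PEM certificate; Base64-encode it "
                    "and add &encoding=base64"]
        return []
    if encoding != "base64":  # assumption: base64 is the only encoding
        return [f"unsupported encoding {encoding!r}"]
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return [f"{key!r} is not valid Base64"]
    return []

# Constructed sample: fields you would put in data.json before running
# `vault kv put secret/foo @data.json`. Contains no real credentials.
PEM = PEM_HEADER + "\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
SECRET = {
    "username": "svc_app",
    "certificate": base64.b64encode(PEM.encode()).decode(),
    "raw_cert": PEM,
}

if __name__ == "__main__":
    for key in ("username", "certificate&encoding=base64", "raw_cert"):
        print(key, "->", check_reference("example-secret?key=" + key, SECRET) or "ok")
```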
