Vault
Configure the Vault ServiceNow Credential Resolver
MID server properties
The following properties are supported by the Vault Credential Resolver:
mid.external_credentials.vault.address(string: "")- Address of Vault Agent as resolveable by the MID server. For example, if Vault Agent is on the same server as the MID server it could behttps://127.0.0.1:8200.mid.external_credentials.vault.ca(string: "")- The CA certificate to trust for TLS in PEM format. If unset, the system's trusted CAs will be used.mid.external_credentials.vault.tls_skip_verify(string: "")- When set to true, skips verification of the Vault server TLS certificiate. Setting this to true is not recommended for production.
Configuring discovery credentials
To consume Vault credentials from your MID server, you will need to:
- Create a secret in Vault
- Configure the resolver to use that secret
Creating a secret in Vault
The credential resolver supports reading credentials from the following secret engines:
When creating KV secrets, you must use the following keys for each component to ensure it is correctly mapped to ServiceNow's credential fields:
| Key | Description | Supported aliases |
|---|---|---|
| username | The username | access_key |
| password | The password | secret_key, current_password |
| private_key | The private SSH key | |
| passphrase | The passphrase for the private SSH key |
Most ServiceNow credential types will expect at least a username and either a password or a private key. To help surface errors early, the credential resolver validates that a username and password are present for:
- aws
- basic
- jdbc
- jms
- ssh_password
- vmware
- windows
The credential resolver expects the following types to specify at least a username and a private key:
- api_key
- cfg_chef_credentials
- infoblox
- sn_cfg_ansible
- sn_disco_certmgmt_certificate_ca
- ssh_private_key
For SNMPv3 credentials, the credential resolver can accept up to five values:
- username
- auth-protocol
- auth-key
- privacy-protocol
- privacy-key
Depending on the configuration of the SNMP endpoint, the username at least will always be required. See below for different SNMP endpoint configurations:
| Level | Authentication | Encryption | What Happens |
|---|---|---|---|
| noAuthNoPriv | Username | None | Username match for auth |
| authNoPriv | MD5 or SHA | None | Auth based on HMAC-MD5 or HMAC-SHA algorithms |
| authPriv | MD5 or SHA | DES | Auth based on HMAC-MD5 or HMAC-SHA algorithms; provides DES 56-bit encryption based on (CBC)-DES (DES-56) |
Configuring the resolver to use a secret
In the ServiceNow UI:
- Navigate to "Discovery - Credentials → New".
- Choose a type from the list.
- Select "External credential store".
- Provide a fully qualified collection name (FQCN):
- Xanadu (Q4-2024) or newer: use
com.snc.discovery.CredentialResolver - Versions prior to Xanadu (Q4-2024): leave blank or use "None"
- Xanadu (Q4-2024) or newer: use
- Provide a meaningful name for the resolver.
- Set "Credential ID" to the
ReadSecretVersion endpoint
of your secrets plugin and credential. For example, the endpoint
for a secret stored on the path
sshunder a KV v2 secret engine mounted atsecretis/secret/data/ssh. - Click "Test credential" then select a MID server and target to test your configuration.