Vault
Configuring the Vault credential resolver
MID server properties
The following properties are supported by the Vault Credential Resolver:
mid.external_credentials.vault.address(string: "")- Address of Vault Agent as resolveable by the MID server. For example, if Vault Agent is on the same server as the MID server it could behttps://127.0.0.1:8200.mid.external_credentials.vault.ca(string: "")- The CA certificate to trust for TLS in PEM format. If unset, the system's trusted CAs will be used.mid.external_credentials.vault.tls_skip_verify(string: "")- When set to true, skips verification of the Vault server TLS certificiate. Setting this to true is not recommended for production.
Configuring discovery credentials
To consume Vault credentials from your MID server, you will need to:
- Create a secret in Vault
- Configure the resolver to use that secret
Creating a secret in Vault
The credential resolver supports reading credentials from the following secret engines:
- Active Directory
- [AD/OpenLDAP] (/vault/docs/secrets/ldap)
- AWS
- K/V v1
- K/V v2
When creating K/V secrets, you must use the following keys for each component to ensure it is correctly mapped to ServiceNow's credential fields:
| Key | Description | Supported aliases |
|---|---|---|
| username | The username | access_key |
| password | The password | secret_key, current_password |
| private_key | The private SSH key | |
| passphrase | The passphrase for the private SSH key |
Most ServiceNow credential types will expect at least a username and either a password or a private key. To help surface errors early, the credential resolver validates that a username and password are present for:
- aws
- basic
- jdbc
- jms
- ssh_password
- vmware
- windows
And the credential resolver expects the following types to specify at least a username and a private key:
- api_key
- cfg_chef_credentials
- infoblox
- sn_cfg_ansible
- sn_disco_certmgmt_certificate_ca
- ssh_private_key
Configuring the resolver to use a secret
In the ServiceNow UI:
- Navigate to "Discovery - Credentials" -> New
- Select a type from the list
- Tick "External credential store"
- Fill in a meaningful name
- Set "Credential ID" to the path in Vault where your secret is located, e.g.
for a KV v2 secret engine mounted at "secret", you might have a secret stored
under "ssh":
secret/data/ssh. Check the API docs for your secret engine if you are unsure of the path to use - Optional: Click "Test credential" and select a MID server and a target to test against to test everything is working