    Chapter 25. Secret Managers

    Usage
    Access Control
    Azure Key Vault
    Secret Revocation

    The Secret Managers feature allows jobs running in CloverDX Server to retrieve passwords, tokens and other secrets from a third-party secret management service. These services generally provide secure storage for passwords and other types of secrets and allow you to set up expiration dates and rotation policies.

    As of 5.13, only Azure Key Vault is supported.

    Usage

    The usage of secrets is similar to graph parameters. You first configure the connection via Configuration > Secret Managers > New Secret Manager.

    Figure 25.1. Secret Manager Configuration


    Then you use a placeholder in your job file. At runtime, the placeholder is replaced with the value of the secret.

    The placeholder has the following format:

    ${secret:<secretManagerName>/<secretName>}

    • <secretManagerName> is the Name of the secret manager assigned when configuring the connection, as shown in the picture above. It must be unique.
    • <secretName> is the name of the secret, as configured in the third-party service.

    Example:

    ${secret:azure/oracle-password}

    Access Control

    The Unlimited access to Secret Managers permission is required to add, edit or remove secret managers.

    When creating a new secret manager, you need to assign it to the user groups that will be able to use it in jobs.

    Azure Key Vault

    Azure Key Vault is a secret management service available in the Microsoft Azure cloud. Two authentication schemes are supported for Azure Key Vault:

    • Implicit authentication – uses credentials from the system running CloverDX Server. It can use environment variables, a managed identity when deployed to a host in the Azure cloud, or saved credentials from the Azure CLI.
    • Client Secret authentication – uses Tenant ID, Client ID (also called Application ID) and Client Secret.

    Both these schemes also require a Vault URI in the form https://<your-unique-keyvault-name>.vault.azure.net/. The URI can be found in the Overview section of the selected Key Vault.

    Figure 25.2. Azure Key Vault Overview


    Secret Revocation

    For performance reasons, secrets retrieved from a secret manager are stored in a cache. If the secret has an expiration date set, it will be automatically refreshed when it expires.

    If the value of a secret changes before its expiration date, for example because a compromised password was rotated, it may be necessary to clear the cache manually so that the new value is retrieved.

    You can clear the cache using the Synchronize Secret Manager action from the context menu.
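    The following added example (not CloverDX code) models the behaviour described in the Usage and Secret Revocation sections: placeholders in the ${secret:<secretManagerName>/<secretName>} format are resolved through a per-manager cache that refreshes expired values automatically and can be cleared manually, as the Synchronize Secret Manager action does. The in-memory vault, the secret names and the expiry times are constructed for the example.

```python
import re
import time

# Matches the CloverDX placeholder format ${secret:<secretManagerName>/<secretName>}
PLACEHOLDER = re.compile(r"\$\{secret:([^/}]+)/([^}]+)\}")


class FakeVault:
    """Constructed stand-in for a third-party store such as Azure Key Vault."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)  # secret name -> (value, expires_at or None)
        self.fetches = 0              # counts round-trips to the backend

    def get(self, name):
        self.fetches += 1
        return self.secrets[name]


class SecretResolver:
    """Resolves placeholders through a cache that honours expiry and can be
    cleared per manager (the manual 'Synchronize Secret Manager' action)."""

    def __init__(self, managers, clock=time.time):
        self.managers = managers      # secretManagerName -> backend (hypothetical)
        self.clock = clock            # injectable for deterministic tests
        self.cache = {}               # (manager, secret) -> (value, expires_at)

    def get_secret(self, manager, name):
        key = (manager, name)
        hit = self.cache.get(key)
        if hit and (hit[1] is None or hit[1] > self.clock()):
            return hit[0]             # fresh cache entry: no backend call
        value, expires_at = self.managers[manager].get(name)  # expired or missing
        self.cache[key] = (value, expires_at)
        return value

    def synchronize(self, manager):
        """Drop every cached value of one manager so the next use re-fetches it."""
        for key in [k for k in self.cache if k[0] == manager]:
            del self.cache[key]

    def resolve(self, text):
        """Replace each placeholder in a job file fragment with its secret value."""
        return PLACEHOLDER.sub(lambda m: self.get_secret(m.group(1), m.group(2)), text)
```

    A rotated value is only picked up before the cached entry expires after synchronize() is called for that manager, which is exactly the case the revocation section describes.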

    Figure 25.3. Secret Manager Synchronization