Chapter 25. Secret Managers
|Azure Key Vault|
The Secret Managers feature allows jobs running in CloverDX Server to retrieve passwords, tokens and other secrets from a third-party secret management service. These services generally provide a secure storage for passwords and other types of secrets and allow setting up expiration dates and rotation policies.
As of 5.13, only Azure Key Vault is supported.
The usage of secrets is similar to graph parameters. You first configure the connection via Configuration > Secret Managers > New Secret Manager.
Figure 25.1. Secret Manager Configuration
Then you use a placeholder in your job file. At runtime, the placeholder is replaced with the value of the secret.
The placeholder has the following format:
<secretManagerName>is the Name of the secret manager assigned when configuring the connection, as shown in the picture above. It must be unique.
<secretName>is the name of the secret, as configured in the third-party service.
Unlimited access to Secret Managers permission is required for adding, editing or removing secret managers.
When creating a new secret manager, you need to assign it to the user groups that will be able to use it in jobs.
Azure Key Vault
Azure Key Vault is a secret management service available in the Microsoft Azure cloud. Two authentication schemes are supported for Azure Key Vault:
- Implicit authentication – uses credentials from the system running CloverDX Server. It can use environment variables, managed identity when deployed to a host in Azure cloud, or saved credentials from the Azure CLI.
- Client Secret authentication – uses Tenant ID, Client ID (also called Application ID) and Client Secret.
Both these schemes also require a Vault URI in the form
The URI can be found in the Overview section of the selected Key Vault.
Figure 25.2. Azure Key Vault Overview
For performance reasons, secrets retrieved from a secret manager are stored in a cache. If the secret has an expiration date set, it will be automatically refreshed when it expires.
But if the value of a secret changes before its expiration date, for example when a password is compromised, it may be necessary to manually clear the cache, so that the new value is retrieved.
You can clear the cache using the Synchronize Secret Manager action from the context menu.
Figure 25.3. Secret Manager Synchronization