Secret Stores

Allows you to retrieve credentials of individual servers from the Vault and authenticates a plug-in step in the deployment process.

Sometimes, we may need to provide user credentials in plug-in steps. For example, start tomcat plug-in step from Apache Tomcat plug-in. We also store passwords as secured properties, for example DB credentials. To make deployments more secure, instead of storing these passwords in DB, now you can store such information in Hashicorp Vault. The HCL DevOps Deploy (Deploy) secret store enables you to retrieve and use that information during deployment without having stored it in the database.

Deploy uses AppRole authetication, a Vault feature, that has a defined set of access. It uses role-id and secure-id as the master authentication mechanism, which allows Deploy to get the passwords that an approle has access to. For more information about the Vault Approle, refer to the Vault documentation.

The Vault secret store is different from Deploy secret store. Deploy secret stores can have multiple secret stores. Each secret store in Deploy can be connected to a vault server.

You can define an input property at any of the levels where secure passwords are allowed. For example, at application-level or at resource-level, you can retrieve password from the Vault using the below property: