Secret Stores

Allows HCL Launch to retrieve credentials of individual servers from the Vault and authenticates a plug-in step in the deployment process.

Sometimes, we may need to provide user credentials in plug-in steps. For example, start tomcat plug-in step from Apache Tomcat plug-in. We also store passwords as secured properties, for example DB credentials. To make deployments more secure, instead of storing these passwords in DB, now you can store such information in Hashicorp Vault. The HCL Launch secret store enables you to retrieve and use that information during deployment without having stored it in the database.

HCL Launch uses AppRole authetication, a Vault feature, that has a defined set of access. It uses role-id and secure-id as the master authentication mechanism, which allows Launch to get the passwords that an approle has access to. For more information about the Vault Approle, refer to the Vault documentation.

The Vault secret store is different from Launch secret store. Launch secret stores can have multiple secret stores. Each secret store in Launch can be connected to a vault server.

You can define an input property at any of the levels where secure passwords are allowed. For example, at application-level or at resource-level, you can retrieve password from the Vault using the below property: