Vault Resource

A password vault, which will be referred to as Vault from now on, is a software application or service that securely stores and manages passwords and other sensitive information (certificates, secrets, keys). Its primary purpose is to help users create, store, and organize strong and unique passwords for various online accounts and services in a secure and convenient manner.

Rulex Platform can use a connection to a Vault to retrieve at runtime the sensitive information needed to perform login/authentication/management operations without locally storing values.

Warning

Due to its sensitive nature, a vault connection is always saved at resource level, since a set of permissions must be defined to properly control user access.

To use a Vault resource in any panel, a vault connection is required, and the user must hold the view permission on the resource itself, while the modify permission is necessary to see its internal parameters.

Vault connection configuration

Rulex Platform supports the following vault services:

  • Azure KeyVault

  • Centrify (now Delinea Vault Suite)

Configuration parameters, as well as the configuration interface, differ for each of these connectors. The configuration parameters of each connector are provided in the next subsections.


Azure KeyVault

This connection allows Rulex Platform to connect to an Azure KeyVault to retrieve and create secrets inside the secure store. This vault is selected through the API by passing the value keyvault to the type key.

The parameters needed to fill this connection are:

Name            Description                                                                     API param key   Default
Url             The Azure KeyVault URL location.                                                host            -
Client ID       The identifier of the service principal application used for the connection.   username        -
Client Secret   The passphrase of the service principal application used for the connection.   password        -
Tenant          The tenant identifier of the company subscription.                              domain          -


Centrify

This connection allows Rulex Platform to connect to a Centrify Vault Suite to retrieve and create secrets inside the secure store. This vault is selected through the API by passing the value centrify to the type key.

The parameters needed to fill this connection are:

Name            Description                                                                     API param key   Default
Url             The Centrify Vault Suite URL location.                                          host            -
Client ID       The identifier of the service principal application used for the connection.   username        -
Client Secret   The passphrase of the service principal application used for the connection.   password        -
App ID          The identifier of the company/application subscription.                         domain          -


Using a Vault resource

To create a Vault resource, you need to open the Explorer panel (for more information refer to this page) and follow this procedure:

Procedure

  1. Click the Explore Resources icon to open the Explorer panel.

  2. Deactivate the primary resource filter by toggling off the Primary filter on the upper right side of the Explorer panel, so that general resources can be added.

  3. Hover the mouse over the Plus button.

  4. Select Add New Vault and a dedicated window will appear on the screen.

  5. Select the type of Vault you want to connect to (see supported types).

  6. Configure the various connection parameters following this guide. A test connection is performed; if it is unsuccessful, the returned error is displayed at the bottom of the window, with the option to continue anyway.

  7. Insert a unique name for the new resource.

  8. Click Create: the new Vault resource will now be added to the list.

As an example, you’ll find below the most important Vault connection applications:


Vault GOLD Reference

Vault connections are mediated in GOLD through the Vault class:

class vault.vault.Vault(type, url=None, username=None, password=None, tenant=None, onlyinit=False)

Base GOLD class for Vault connection. It supports at the moment:

  • Azure Key Vault

  • Centrify

Connections are performed through a C library contained in the field libvault of the class.

Property vault:

C pointer to the vault connection

Property type:

the vault type, one of keyvault or centrify

Property url:

the url used in the vault connection

Property tenant:

the tenant used in the vault connection

Property user:

the username used in the vault connection

Property password:

the password used in the vault connection

Property libvault:

the field containing the C library used for the connection

Property status:

the status of the connection (used to track down errors during C function evaluation)

authenticate()

Function to perform the authentication

createSecret(secretname, secretvalue)

Function to create a secret

Parameters:
  • secretname – the name of the secret

  • secretvalue – the value to store in the secret

deleteSecret(secretname)

Function to delete a secret

Parameters:

secretname – the name of the secret

getSecret(secretname, secretversion=None)

Function to get the value of a secret

Parameters:
  • secretname (text) – the name of the secret

  • secretversion (text) – the version of the secret to retrieve, None for latest, defaults to None

Returns:

the secret value

Return type:

any

listSecrets()

Function to list the secrets stored in the vault

Returns:

a vector with the secret names

Return type:

vector of text type
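As an added example (not taken from the Rulex documentation) of the class above, written in GOLD's Python-like syntax: it opens an Azure KeyVault connection, resolves a secret at runtime instead of storing its value, creates it when absent, and reads a specific version. The import statement, the placeholder URL, credential and version values, and the secret name are assumptions.

```gold
# Added example: resolving a secret at runtime through the GOLD Vault class.
# Assumptions: the module is imported as below; every <...> value is a
# placeholder that should come from the Vault resource, never be hard-coded.
import vault

# Azure KeyVault connection: type "keyvault"; the Tenant parameter of the
# resource is passed as the tenant argument of the class.
kv = vault.vault.Vault("keyvault",
                       url="https://<your-keyvault-name>.vault.azure.net",
                       username="<service-principal-client-id>",
                       password="<service-principal-client-secret>",
                       tenant="<tenant-id>")
kv.authenticate()

# Check what is already stored before creating anything.
existing = kv.listSecrets()
if "<db-password>" not in existing:
    kv.createSecret("<db-password>", "<initial-value>")

# Retrieve the latest version; the value is used in memory only, which is
# the point of going through a Vault connection.
current = kv.getSecret("<db-password>")

# A previous version can still be addressed explicitly when needed, for
# example during a credential rollback.
previous = kv.getSecret("<db-password>", secretversion="<version-id>")

# After each call the status property can be inspected to track down errors
# raised inside the underlying C library (libvault).
connection_status = kv.status

# Secrets that are no longer needed are removed from the vault, not from a
# local copy, because no local copy exists.
kv.deleteSecret("<obsolete-secret>")
```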