FlexDeploy integrates with external credential stores such as HashiCorp Vault, CyberArk AAM, Azure Key Vault, and Thycotic Secret Server, and also provides an API for integrating with other credential stores. This integration is focused on retrieving the secret text of a credential at the time a workflow executes. Credentials (password, passphrase, etc.) for Endpoints, Projects, Environment Instances, and Integration Instances can be configured for retrieval from an external credential store. Credentials retrieved from an external store are not stored, cached, or printed by FlexDeploy, so you can rotate them in the store as your policy requires without changing anything in FlexDeploy. FlexDeploy also provides a Local credential store, in which credentials are stored encrypted in the FlexDeploy database using AES with a 128-bit or 256-bit key. AES-256 requires that the JVM running FlexDeploy permits unlimited-strength cryptography; a restricted JCE policy caps AES keys at 128 bits. Recent JDKs allow unlimited strength by default; on older JDKs, install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
Note that FlexDeploy only retrieves credentials from an external credential store; it does not create or update them, so you must manage those credentials with the tools provided by the store itself. Local credentials can always be managed through the FlexDeploy UI or REST API.
FlexDeploy provides the following features in this category:
- Out-of-the-box integration with HashiCorp Vault, CyberArk AAM (certificate-based and agent-based authentication), Azure Key Vault, and Thycotic Secret Server
- Local credential store (useful for customers that do not have an external credential store)
- Ability to integrate with other credential stores through a custom Credential Store Provider
- Credentials can be managed from a central location or from the individual place where the credential is used
Terminology
FlexDeploy Term | Description |
---|---|
Credential Store Provider | A provider encapsulates the logic required to retrieve a credential from a specific type of store. A few providers are available out of the box, and you can define custom implementations as either a Java class or a Groovy script. The provider defines the properties needed to connect to the credential store, as well as the inputs needed for each individual credential. |
Credential Store | A credential store is an instance of a specific credential store provider. You can define many credential stores in FlexDeploy; for example, one store for Production credentials and another for Non-Production credentials. The Local credential store is available out of the box. |
Credential | Represents an individual credential, together with the inputs needed to retrieve it from its credential store. For the Local credential store you provide only the secret text; for HashiCorp Vault you provide the path and the key name under which the secret is read from Vault. |
Credential Name | A name that uniquely identifies each credential. It must be unique across all credential stores. For example, if the OS user oracle uses the same password throughout the Development environment, you might name the credential DEV OS Oracle. |
Credential Scope | The scope restricts where a credential can be used and serves as a filtering mechanism. The scopes are Endpoint, Project, Instance, and Environment Instance. For example, an endpoint password credential cannot be used as a Git instance password. |
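The Vault case in the Credential row above (a path plus a key name) maps directly onto Vault's KV HTTP API. The following is an added example, not FlexDeploy's own provider code, showing how such a reference resolves to a request and how the secret is pulled out of the response, including the KV v1/v2 difference that a practitioner should verify before defining the credential. The Vault address, mount names, secret path, token handling and response contents are constructed for illustration.

```python
"""Resolve a credential from HashiCorp Vault's KV engine by path and key.

Added example mirroring the "path + key name" inputs of a Vault-backed
credential. Not FlexDeploy code; the Vault address, mounts, paths and the
sample responses below are constructed for illustration.
"""
import json
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultCredentialRef:
    """The inputs a Vault-backed credential needs: where it lives and which key."""
    mount: str        # KV mount, e.g. "secret"
    path: str         # path under the mount, e.g. "dev/oracle"
    key: str          # key inside the secret, e.g. "password"
    kv_version: int = 2


class CredentialNotFound(Exception):
    """Raised when the path or key does not resolve; never carries the secret."""


def read_url(vault_addr: str, ref: VaultCredentialRef) -> str:
    """KV v2 inserts a 'data/' segment between the mount and the path; v1 does not."""
    base = vault_addr.rstrip("/")
    if ref.kv_version == 2:
        return f"{base}/v1/{ref.mount}/data/{ref.path}"
    if ref.kv_version == 1:
        return f"{base}/v1/{ref.mount}/{ref.path}"
    raise ValueError(f"unsupported KV version {ref.kv_version}")


def extract_secret(body: dict, ref: VaultCredentialRef) -> str:
    """Pull one key out of a Vault read response.

    KV v2 nests the secret under data.data (data.metadata holds the version);
    KV v1 puts the key/value pairs directly under data.
    """
    secrets = body.get("data") or {}
    if ref.kv_version == 2:
        secrets = secrets.get("data") or {}
    if ref.key not in secrets:
        # Name the key that failed, but never include the other values in the message.
        raise CredentialNotFound(f"key {ref.key!r} not found at {ref.mount}/{ref.path}")
    return str(secrets[ref.key])


def fetch_secret(vault_addr: str, token: str, ref: VaultCredentialRef) -> str:
    """Perform the HTTP read against a live Vault (not used by the offline demo)."""
    req = urllib.request.Request(read_url(vault_addr, ref), headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_secret(json.load(resp), ref)


# Constructed sample responses in the shape Vault returns for each KV version.
KV2_RESPONSE = {
    "data": {
        "data": {"username": "oracle", "password": "s3cr3t-dev"},
        "metadata": {"version": 3, "destroyed": False},
    }
}
KV1_RESPONSE = {"data": {"username": "oracle", "password": "s3cr3t-dev"}}


def demo() -> dict:
    """Resolve the same credential reference against both KV versions."""
    ref_v2 = VaultCredentialRef("secret", "dev/oracle", "password", kv_version=2)
    ref_v1 = VaultCredentialRef("kv", "dev/oracle", "password", kv_version=1)
    result = {
        "url_v2": read_url("https://vault.example.com:8200", ref_v2),
        "url_v1": read_url("https://vault.example.com:8200", ref_v1),
        "pw_v2": extract_secret(KV2_RESPONSE, ref_v2),
        "pw_v1": extract_secret(KV1_RESPONSE, ref_v1),
    }
    # Reading a v2 response with v1 rules surfaces the mismatch as a missing key.
    try:
        extract_secret(KV2_RESPONSE, VaultCredentialRef("secret", "dev/oracle", "password", 1))
        result["mismatch"] = "unexpectedly resolved"
    except CredentialNotFound:
        result["mismatch"] = "CredentialNotFound"
    return result


if __name__ == "__main__":
    out = demo()
    # Print only the non-secret fields; the credential value itself stays out of logs.
    print({k: v for k, v in out.items() if not k.startswith("pw_")})
```

Before saving a Vault-backed credential, confirm the path and key resolve with the same token FlexDeploy will present, for example `vault kv get -field=password secret/dev/oracle`, and keep that token's policy limited to read capability on the paths FlexDeploy actually needs. A wrong KV version shows up as a "key not found" error even though the secret exists, which is why the check above is worth doing once per store.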
Getting Started
If you want to integrate with HashiCorp Vault, CyberArk AAM, Azure Key Vault, or Thycotic Secret Server, first create a Credential Store definition in FlexDeploy for that provider, then create the individual credentials as needed.
If you want to integrate with another credential store, first create a new Credential Store Provider (as a Java class or Groovy script), then a Credential Store definition that uses it, and then the individual credentials as needed.
If you only want to use the Local credential store, simply create credentials in it as needed; the Local store is available out of the box, so no store definition is required.
Let's review each topic in detail now.