Storing the Application Credentials to Hashicorp Vault and retrieving it during App aggregation

Which IIQ version are you inquiring about?

Version 8.X

There is a requirement to move all Application credentials from IIQ to store in Hashicorp Vault and retrieve it during the application aggregation.
I checked if there are any predefined rules associated with the application from which I can connect to Hashicorp and retrieve the stored credentials just before the aggregation, but didn't find any.

Please advise if there is any recommended solution.

Do you have any time period for which the new credentials will be valid? If it is more than the time taken for all application aggregations, one probable solution will be that you can create a rule runner task to retrieve credentials from Hashicorp Vault for each application and update it on the applications. Configure a sequential task to run this rule runner task first and have other aggregations run after that. In our case the credentials were valid for a few hours (12 - 24 hours) and aggregations took less than 3 hours.

I never tried it, but you can explore using a Configuration object and piggyback on something similar to PAM credential recycling using Hashicorp SDKs.

There are a few ways you can do that, but none of them is simple actually.

  1. The easiest one - I would create a rule runner with a rule which can get the password for all (or a single) applications, e.g. via REST API, and store them in the application XML, and one rule runner to remove this value (or change it to something random). Then I would create a sequence launcher for aggregation to first execute the rule runner which gets and stores passwords, then aggregation and then the "cleaner". This one is definitely the simplest but also the least elegant.
  2. The harder one - create e.g. a web service application which can aggregate all passwords from the vault, and in the customization rule of this application, instead of displaying them as accounts or entitlements, just store them in the application XML. As a result, before aggregating any application you just need to aggregate your vault application to refresh passwords.
  3. The hardest one - create your own task executor which will replace the standard aggregation task executor and would execute a "get password" web service connection to the vault before calling aggregation. For sure the most elegant solution but also the hardest to implement.

It's not a closed list of solutions - most probably there are a few more options, but these 3 just came into my mind.
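
As an added illustration of option 1 above (and the rule-runner approach suggested earlier in the thread), here is a BeanShell-style rule body that refreshes each application's stored credential from HashiCorp Vault before the aggregation sequence runs. It is not code from this thread or from SailPoint; the Vault KV v2 path, the `VAULT_ADDR`/`VAULT_TOKEN` environment variables, the application names and the `password` attribute key are all assumptions (the attribute key differs between connector types, so check the application XML for the one you are targeting).

```java
// Added example: IIQ Rule Runner body (BeanShell, Java syntax). `context` and `log`
// are the variables IIQ injects into rules. All paths and names are assumptions.
import java.net.HttpURLConnection;
import java.net.URL;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import sailpoint.object.Application;

// Assumed: address and short-lived token come from the environment, never hard-coded in the rule.
String vaultAddr  = System.getenv("VAULT_ADDR");   // e.g. https://vault.internal.example:8200
String vaultToken = System.getenv("VAULT_TOKEN");

// Assumed KV v2 layout: secret/data/iiq/apps/<application name> holds {"password": "..."}.
String fetchSecret(String appName) {
    URL url = new URL(vaultAddr + "/v1/secret/data/iiq/apps/" + appName);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestProperty("X-Vault-Token", vaultToken);
    conn.setConnectTimeout(5000);
    conn.setReadTimeout(5000);
    if (conn.getResponseCode() != 200) {
        throw new RuntimeException("Vault returned HTTP " + conn.getResponseCode() + " for " + appName);
    }
    BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
    StringBuilder body = new StringBuilder();
    String line;
    while ((line = r.readLine()) != null) body.append(line);
    r.close();
    // Minimal extraction of data.data.password; a production rule should use a real JSON parser.
    Matcher m = Pattern.compile("\"password\"\\s*:\\s*\"([^\"]*)\"").matcher(body.toString());
    if (!m.find()) throw new RuntimeException("No password key in Vault response for " + appName);
    return m.group(1);
}

// Assumed list of applications whose credential lives in Vault.
String[] appNames = { "HR-Database", "Finance-JDBC" };
for (String appName : appNames) {
    Application app = context.getObjectByName(Application.class, appName);
    if (app == null) { log.warn("Application not found: " + appName); continue; }
    String secret = fetchSecret(appName);
    // Store it encrypted, the same way IIQ stores a connector password entered in the UI,
    // so the plaintext never lands in the Application XML.
    app.setAttribute("password", context.encrypt(secret));
    context.saveObject(app);
    context.commitTransaction();
    context.decache(app);
}
```

A matching "cleaner" rule is the same loop with the attribute set to a random value, run as the last step of the sequence.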

Thank you Kamil.

We already implemented the first option, we were looking for a more “elegant solution”. :slight_smile:

We’ll try to explore this third option.

Thanks again.