Storing the Application Credentials to Hashicorp Vault and Retrieving when needed

Which IIQ version are you inquiring about?

8.4P2

We are exploring the possibility of integrating SailPoint IdentityIQ (IIQ) with HashiCorp Vault to eliminate the manual process of updating application passwords. We would like to understand whether this integration would involve retrieving passwords or secrets from Vault, and which approach would be most appropriate. Additionally, we want to confirm whether it is possible to reuse the same password or secret for a defined period of time before requesting a new one, rather than retrieving fresh credentials every time an application process runs. This would help reduce unnecessary credential rotation while maintaining security.

I’ve done this! It requires that you create a CredentialManager implementation, which isn’t too hard. I’d be happy to share tips, but I’ll need to check whether I can open-source the entire library.

Hey Neil,

I was allowed to open-source this, and you can find it here: instrumental-id/iiq-vault-credential-manager on GitHub (Vault Credential Manager for retrieving IIQ Application credentials from HCP Vault)

If you have any questions, let me know!

We are actively using a very similar CredentialManager at a customer and it works great.

Devin

@drosenbauer Thanks for sharing this.

  • Instead of fetching credentials every time, we can use Vault dynamic secrets with a TTL.
  • Cache the credential during task execution (in-memory) to avoid repeated calls.
  • Refresh only when the TTL expires, not on every run.
  • Use token-based access to keep it secure.
  • Also need fallback handling in case Vault is not reachable.

This way we can reduce unnecessary calls and still maintain security.
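An added example, not code from the linked repository or from IIQ's own CredentialManager API, of the caching pattern the bullets above describe: an in-memory cache that refreshes shortly before the Vault lease ends, reuses the last known good value for a bounded window if Vault is unreachable, and applies a local refresh interval to static secrets that Vault reports with no TTL. `TtlSecretCache`, `make_constructed_vault` and their parameters are hypothetical names, and the Vault client is a constructed stand-in so the example runs offline.

```python
import time
from typing import Callable, Dict, Tuple

# Type of the "read secret" call: path -> (secret value, TTL in seconds; 0 means static)
FetchFn = Callable[[str], Tuple[str, int]]

class VaultUnavailable(Exception):
    """Vault could not be reached and no cached value is safe to reuse."""

class TtlSecretCache:
    """In-memory credential cache keyed by Vault path (hypothetical name, not an IIQ API)."""

    def __init__(self, fetch: FetchFn, clock: Callable[[], float] = time.monotonic,
                 skew: float = 30.0, stale_grace: float = 300.0, static_ttl: float = 3600.0):
        self._fetch = fetch
        self._clock = clock
        self._skew = skew                # refresh this many seconds before the lease ends
        self._stale_grace = stale_grace  # how long a lapsed value may be reused during an outage
        self._static_ttl = static_ttl    # local refresh interval when Vault reports TTL 0
        self._cache: Dict[str, Tuple[str, float]] = {}  # path -> (value, expires_at)

    def get(self, path: str) -> str:
        now = self._clock()
        entry = self._cache.get(path)
        if entry is not None and now < entry[1] - self._skew:
            return entry[0]  # lease still valid: no round trip to Vault
        try:
            value, ttl = self._fetch(path)
        except ConnectionError as exc:
            # Fallback: reuse the last known good value, but only inside a bounded window
            if entry is not None and now < entry[1] + self._stale_grace:
                return entry[0]
            raise VaultUnavailable(f"no usable credential for {path}") from exc
        lifetime = ttl if ttl > 0 else self._static_ttl
        self._cache[path] = (value, now + lifetime)
        return value

def make_constructed_vault(ttl: int = 600):
    """Constructed stand-in for a Vault client so the example runs offline.
    Returns (fetch, state); set state["reachable"] = False to simulate an outage."""
    state = {"reachable": True, "reads": 0}

    def fetch(path: str) -> Tuple[str, int]:
        if not state["reachable"]:
            raise ConnectionError("vault unreachable")
        state["reads"] += 1
        return f"secret-{path}-v{state['reads']}", ttl  # a fresh value on every real read

    return fetch, state
```

A real implementation would replace `fetch` with an authenticated read against the Vault HTTP API and keep the grace window short, since a stale value is reused during an outage.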

@jayantkumar Mostly IIQ secrets are static, so how will we make them TTL-based instead of long-lived? Also, how can we integrate this with IIQ's native APIs so that it doesn't get the secret from the DB but from the VaultSecret?