Secrets Management
Overview
Secrets Management enables organizations to use a third-party secrets manager to store endpoint credentials. Instead of entering credentials directly in SnapLogic accounts and have the SnapLogic Platform encrypt them, the accounts contain only the information necessary to retrieve the secrets. During validation and execution, pipelines obtain the credentials directly from the secrets manager. With Secrets Management, credentials aren't stored in the SnapLogic Platform.
- AWS Secrets Manager
- Azure Key Vault
- CyberArk Conjur (Enterprise or Open Source)
- HashiCorp Vault (Cloud, Enterprise, or Open Source)
Secrets Cache
Pipelines that make many authentication requests for the same secret can take longer to complete when using Secrets Management. For these cases, we offer an optional Secrets Cache. With the Secrets Cache enabled on every request for a secret, the Groundplex node:
- Checks in the cache for the requested secret and:
- If found, returns the secret
- If not found, retrieves the secret from the secrets manager and caches it
An internal setting configures cache expiration to best suit your use case. The cache provides the most benefits when the same secrets are requested frequently and the secret values do not change frequently. To enable the Secrets Cache, contact your CSM.
Limitations
- Secrets Management is available only for pipelines running on self-managed Groundplexes.
- Secrets Management works only for account credentials, such as passwords or tokens. You can't use it for SnapLogic authentication or node server keys.
- Only endpoint accounts with expression-enabled authentication fields support secret retrieval.
Workflow
- To obtain a subscription for SnapLogic Secrets Management, contact your SnapLogic CSM.
- A secrets manager administrator configures the storage for endpoint credentials, creates authentication roles and access permissions, and generates secrets.
- A Groundplex administrator configures nodes to communicate with the secrets manager.
- A pipeline designer or Environment admin configures the endpoint accounts to access the secrets manager.