Configure endpoint accounts to use secrets

To retrieve secrets stored in a secrets manager (such as an access token, a username, or a password), the corresponding field in the endpoint account must be expression-enabled. Expression-enabled fields have an expression button next to them.

To use the managed identity-based authentication mode in the Snaps, set up the SnapLogic account with an expression that calls secrets.read with the alias name of the secret object.

The resolved secret is placed in the request Authorization header. Because REST Snaps can preview a complete request, anyone who can preview the pipeline can see the secret value in that header, so you might want to limit access to resources that use secrets.

Prerequisites:
  • A subscription to SnapLogic Secrets Management
  • A secrets manager configured with storage, roles, permissions, and secrets
  • A Groundplex configured to communicate with the secrets manager
To configure an endpoint account with expression-enabled credential fields to use secrets:
  1. Create a new endpoint account or open an account to update.
  2. For the credential field, such as password or token, click the expression button.
  3. Enter an expression that invokes secrets.read using values that correspond with your secrets management configuration. The expression takes one of the following forms, depending on the secrets manager you configured.
     secrets.read("alias", "path/to/secret").name-of-secret
    
     where
     alias
       Depends on the authentication type:
         Role-based authentication with an EC2 instance: DEFAULT_AWS
         Key-based authentication: the name of the configuration defined in the secrets-config.json file.
     path/to/secret
       The path to the secret to retrieve.
     name-of-secret
       The key of the secret to retrieve.
     secrets.read("alias", "name-of-secret")
    
     where
     alias
       The name of the configuration defined in the secrets-config.json file.
     name-of-secret
       The key of the secret to retrieve.
     secrets.read("alias", "path/to/secret")['path/to/secret']
    
     where
     alias
       The name of the configuration defined in the secrets-config.json file.
     path/to/secret
       The path to the secret to retrieve.
     secrets.read("alias", "path/to/engine/path/to/secret").name-of-secret
    
     where
     alias
       The name of the configuration defined in the secrets-config.json file.
     path/to/engine
       The path to the secrets engine to use.
     path/to/secret
       The path to the secret to retrieve.
     name-of-secret
       The key of the secret to retrieve.
     Note: If you use version 2 of the HashiCorp KV Secrets Engine, enter path/to/engine and path/to/secret as separate parameters:
     secrets.read("alias", "path/to/engine", "path/to/secret").name-of-secret
    
  4. Click Validate, if applicable, to verify the connection details.
  5. Click Apply to save the account.

For example, the S3 Dynamic Account has several expression-enabled fields, including Access-key ID and Secret Key. You can store the values for these fields in AWS Secrets Manager and retrieve them with role-based authentication.

  1. Create the secrets in AWS Secrets Manager:
    • myaccesskey
    • mysecretkey
  2. Create or modify an S3 Dynamic Account.
    • In the Access-key ID field, click the expression button and enter secrets.read("DEFAULT_AWS", "").myaccesskey.
    • In the Secret Key field, click the expression button and enter secrets.read("DEFAULT_AWS", "").mysecretkey.
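As an added example (not SnapLogic's own code), the following Python check parses the secrets.read expression forms listed in step 3 and flags credential fields, such as those in the S3 Dynamic Account above, that still hold a literal value or reference an alias that is not defined in secrets-config.json. The aliases (vault-prod, old-alias) and the exported field values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Documented call shape: secrets.read("alias", "path"[, "path2"]), then an optional
# projection: .name-of-secret or ['path/to/secret'].
_CALL = re.compile(r'^secrets\.read\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*(?:,\s*"([^"]*)"\s*)?\)(.*)$')
_DOT_KEY = re.compile(r"^\.([A-Za-z0-9_-]+)$")
_BRACKET_KEY = re.compile(r"^\['([^']*)'\]$")

@dataclass(frozen=True)
class SecretRef:
    alias: str           # configuration name from secrets-config.json, or DEFAULT_AWS
    paths: tuple         # ("path/to/secret",) or ("path/to/engine", "path/to/secret")
    key: Optional[str]   # projected key; None when the expression yields the value directly

def parse_secret_expression(expr: str) -> SecretRef:
    """Parse one of the documented secrets.read forms; raise ValueError otherwise."""
    m = _CALL.match(expr.strip())
    if m is None:
        raise ValueError("not a secrets.read(...) expression")
    alias, first, second, projection = m.groups()
    projection = projection.strip()
    pm = _DOT_KEY.match(projection) or _BRACKET_KEY.match(projection)
    if projection and pm is None:
        raise ValueError(f"unsupported projection: {projection}")
    key = pm.group(1) if pm else None
    return SecretRef(alias, (first,) if second is None else (first, second), key)

def audit_credential_fields(fields: dict, known_aliases: set) -> dict:
    """Return {field: finding}; an empty dict means every field is a valid secret reference."""
    findings = {}
    for name, value in fields.items():
        try:
            ref = parse_secret_expression(value)
        except ValueError as err:
            findings[name] = f"literal or malformed value: {err}"
            continue
        if ref.alias not in known_aliases:
            findings[name] = f"alias {ref.alias!r} is not defined in secrets-config.json"
    return findings

# Constructed input: aliases from a hypothetical secrets-config.json, and credential field
# values as exported from hypothetical accounts; the last one is a plaintext literal.
KNOWN_ALIASES = {"DEFAULT_AWS", "vault-prod"}
SAMPLE_FIELDS = {
    "Access-key ID": 'secrets.read("DEFAULT_AWS", "").myaccesskey',
    "Password": 'secrets.read("vault-prod", "kv", "apps/db").password',
    "Token": 'secrets.read("old-alias", "token")',
    "Secret Key": "AKIAEXAMPLELITERAL",
}
```

Running audit_credential_fields(SAMPLE_FIELDS, KNOWN_ALIASES) reports only Token (unknown alias) and Secret Key (literal value); the two DEFAULT_AWS and vault-prod references pass.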