Connections Management Vaults
Connections Management Vaults
Learn how to retrieve connection details from our Kyndryl internal vault.
Internal vault
In this scenario, connection details such as access keys, tokens, secret keys, and similar information are stored in our Kyndryl internal vault using MongoDB.
External vault
For customers with their own vault configuration, the connection details are stored in the customer's vault. However, the connection metadata is still retained in the Kyndryl internal vault. In these cases, all connections will be routed through the external vault, with Kyndryl having read-only access. A reference ID is generated and stored to connect to those credentials in the external vault. Therefore, all connections will go through the external vault, and Kyndryl will have secure, read-only access to the stored credentials, ensuring safety.
Pre-requisites:
- The HashiCorp Vault instance must be accessible to Bridge Connections Manager in the DCP environment.
- Vault is configured with the appropriate authentication methods, such as App Role and Policies. Connection-Admin and Platform Viewer access must be granted to the Connection Manager.
- The HashiCorp role ID and secret are currently active.
- Additionally, the tenant ID of the account must be configured with the external vault.
- Configure Connection-Manager to use the External Vault.
Configure Connection-Manager to Use External Vault
This configuration is specific to an account, and it is required since the vault-adapter is deployed in the same cluster as the connection-manager service.
API:
PUT api/security/v1/vaults/config Parameter | Type | Required | Description |
name | string | Yes | Name identifier for the external vault configuration |
client_url | string | Yes | The URL endpoint for the external vault adapter service.Make sure the client _url is set to to <DASH_BASE_HOST>/api/security/v4/internal/externalvault-adapter. |
read_only | boolean | No | Whether the vault connection is read-only (default: true) |
is_default | boolean | No | Set this vault as the default credential provider |
is_external | boolean | Yes | Indicates this is an external vault configuration |
id | string | No | Unique identifier for the vault configuration |
Configure External-Vault-Adapter for Hashi Corp Vault for the account
Ensure the AppRole has permission to read secrets from the required paths. Make sure the roleId and secretId are generated by your HashiCorp Vault instance with appropriate policies. The URL must include the protocol
API:
PUT /api/security/v4/internal/externalvault-adapter/configs Parameter | Type | Required | Description |
id | string | Yes | Tenant identifier (typically the account/tenant ID) |
type | string | Yes | Vault type identifier (must be “hashicorp”) |
config.credentials.roleId | string | Yes | Hashi Corp Vault AppRole role ID |
config.credentials.secretId | string | Yes | Hashi Corp Vault AppRolesecret ID |
config.configuration.namespace | string | No | Vault namespace (for Vault Enterprise) |
config.configuration.url | string | Yes | Hashi Corp Vault server address |
read_only | boolean | No | Whether the adapter should operate in read-only mode (default: true) |
Connection Manager APIs
When using external vault configuration, the credentials array remains empty and credRefId is mandatory. - The reference ID must always be a Base64-encoded string, as the /character cannot be parsed in the API path. The reference ID will be decoded while accessing the vault.
API:
POST /api/security/v3/connections Parameter | Type | Required | Description |
credRefId | string | Yes | Reference id of the secret in vault. base64 encoded string |
displayName | string | Yes | Display name for the connection |
connectionCategory | string | Yes | Category of connection (e.g., “cloudProvider”) |
brokers | array | Yes | List of broker services that can access this connection |
provider.type | string | Yes | Provider type (e.g., “aws”,“azure”, “gcp”) |
provider.credentials | array | Yes | Credentials array (empty when using external vault) |
provider.configData | object | Yes | Provider-specific configuration data |
provider.configData.accountNumber | string | Yes | Cloud provider account number |
provider.configData.additionalInfo | string | No | Additional configuration information |
Retrieve Credentials in clear text
API:
GET /api/security/v3/internal/connections/<connectionID Secrets in Hashi Corp vault
The secret stored at the Hashi Corp vault must match the provider metadata of the connection manager.
This is the standard request format for Hashi Corp vault
{ "data": {}, "options": {}, "version": 0 }
GCP provider secrets must be stored in the format below.
{ "data":{ "serviceKey":"begin_ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAibWNtcC1kZXYtZGlzCIxMDM1NDIzNzU2ODI2NDc4Njg1NjMiLAogICJhdXRoX3VyaeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9yb2JvdC92MS9tZXRhZGF0YS94NTA5L2NkLXNlcnZpY2UtYWNjb3VudCU0MG1jbXAtZGV2LWRpc2NvdmVyeS5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIKfQo_end" }, "options": {}, "version": 0 }
AWS provider secrets must be stored in the format below.
{ "data": { "accessKey": "<access_key>", "secretKey": "<secret_key>" }, "options": {}, "version": 0
Do you have two minutes for a quick survey?
Take Survey
