Credential resolvers
Credential resolvers define how a ServiceNow credential is resolved from Vault: the secret path, the field names and a few optional features (cache, reply delay, revalidation) are configured per kind of credential.
A resolver's configuration is defined on four levels, ordered here from highest to lowest priority:
- Credential ID prefix: taken from the Credential ID field in ServiceNow. For example, with a credential ID myCustomPrefix/myCred, the prefix is myCustomPrefix
- Credential type: provided by ServiceNow, e.g. windows, ssh_password, snmp, cmdb_ci_db_postgresql_instance
- Resolver type: provided by Vault Connect (see the Resolvers table below)
- Default fallback resolver: the Generic KV Resolver (type default)
Each property can be set at any of these levels; the most specific level that defines it wins. In the property names below, <type> is the level name: the credential ID prefix, the ServiceNow credential type, the Vault Connect resolver type, or default for the fallback resolver.
Property | Description | Default value |
---|---|---|
vault.secret.<type>.basepath | Path supported by the secret engine | |
vault.secret.<type>.username | Username field into Vault | username |
vault.secret.<type>.password | Password field into Vault | password |
vault.secret.<type>.passphrase | Passphrase field into Vault | passphrase |
vault.secret.<type>.private_key | Private key field into Vault | private_key |
vault.secret.<type>.authprotocol | Auth Protocol (for SNMPv3) field into Vault | authprotocol |
vault.secret.<type>.authkey | Auth Key (for SNMPv3) field into Vault | authkey |
vault.secret.<type>.privprotocol | Private protocol (for SNMPv3) field into Vault | privprotocol |
vault.secret.<type>.privkey | Private Key (for SNMPv3) field into Vault | privkey |
vault.secret.<type>.format.<field> | Formatter applied to the value of <field> (see the format documentation) | |
vault.secret.<type>.cache | Enable caching of the credential (boolean, true or false) | false |
vault.secret.<type>.cacheTTL | Cache TTL (duration format) for cached credentials that have no Vault lease | 0 |
vault.secret.<type>.replyDelay | Delay (duration format) before replying to ServiceNow | 0 |
vault.secret.<type>.revalidate | Revalidate the cached credential against Vault on each call (boolean, true or false); only applies when cache is enabled and Vault provides no lease | false |
If the basepath is not defined at a level, the lookup falls through to the next level and ultimately to the default configuration. If the basepath is defined but empty, no basepath is prepended, and every credential ID defined in ServiceNow must then contain the full secret path as it exists in Vault. For example:
- secret/data/myCred
- myCustomDatabaseKind/static-creds/myCred
Note that with cache enabled and no Vault lease, a rotated secret is served from cache until cacheTTL expires unless revalidate is also enabled.
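To make the priority order and the basepath rules concrete, here is an added example that reimplements the lookup described above in Python. It is not Vault Connect's own code: the flat dictionary of vault.secret.<type>.<property> keys, the SAMPLE_PROPS values, and the rule that the prefix is stripped from the credential name when a non-empty basepath applies are assumptions made for the illustration, not taken from the page.

```python
# Added example, not Vault Connect's own code: an illustrative reimplementation
# of the four-level property lookup and the basepath rules described above.
# Assumptions (not stated on the page): props is a flat dict of
# "vault.secret.<type>.<property>" keys, as loaded from a properties file;
# when a non-empty basepath applies the Vault path is "<basepath>/<credential
# name without its prefix>"; with no basepath the whole credential ID is the path.

FALLBACK_RESOLVER = "default"  # resolver type of the Generic KV Resolver

# Built-in defaults from the property table (basepath has none).
BUILTIN_DEFAULTS = {
    "username": "username",
    "password": "password",
    "passphrase": "passphrase",
    "private_key": "private_key",
    "authprotocol": "authprotocol",
    "authkey": "authkey",
    "privprotocol": "privprotocol",
    "privkey": "privkey",
    "cache": "false",
    "cacheTTL": "0",
    "replyDelay": "0",
    "revalidate": "false",
}


def split_credential_id(cred_id):
    """'myCustomPrefix/myCred' -> ('myCustomPrefix', 'myCred'); no '/' -> (None, cred_id)."""
    if "/" in cred_id:
        prefix, name = cred_id.split("/", 1)
        return prefix, name
    return None, cred_id


def lookup(props, prop, levels):
    """Return (value, level) from the first level that defines the property.

    Levels are tried in priority order. A key defined with an empty value still
    wins at its level: that is what distinguishes "basepath defined but empty"
    from "basepath not defined". Falls back to (built-in default, None).
    """
    for level in levels:
        if level is None:  # credential ID without a prefix
            continue
        key = f"vault.secret.{level}.{prop}"
        if key in props:
            return props[key], level
    return BUILTIN_DEFAULTS.get(prop), None


def resolve(props, cred_id, cred_type, resolver_type):
    """Compute the Vault path, field names and cache settings for one credential."""
    prefix, name = split_credential_id(cred_id)
    levels = (prefix, cred_type, resolver_type, FALLBACK_RESOLVER)
    basepath, _ = lookup(props, "basepath", levels)
    if basepath:
        path = f"{basepath.rstrip('/')}/{name}"
    else:
        # Empty or undefined basepath: the credential ID must carry the full path.
        path = cred_id
    fields = {f: lookup(props, f, levels)[0] for f in ("username", "password")}
    return {
        "path": path,
        "fields": fields,
        "cache": lookup(props, "cache", levels)[0] == "true",
        "cacheTTL": lookup(props, "cacheTTL", levels)[0],
    }


# Constructed sample configuration for the demonstration (hypothetical values).
SAMPLE_PROPS = {
    "vault.secret.default.basepath": "secret/data",
    "vault.secret.ssh_password.basepath": "ssh/data",
    "vault.secret.ssh_password.password": "pass",
    "vault.secret.database.basepath": "",  # defined but empty: full path in the ID
    "vault.secret.myCustomPrefix.basepath": "kv/data/prefixed",
    "vault.secret.myCustomPrefix.cache": "true",
    "vault.secret.myCustomPrefix.cacheTTL": "5m",
}

if __name__ == "__main__":
    for cred_id, cred_type, resolver in [
        ("myCred", "windows", "default"),
        ("myCustomPrefix/myCred", "ssh_password", "default"),
        ("myCustomDatabaseKind/static-creds/myCred",
         "cmdb_ci_db_postgresql_instance", "database"),
    ]:
        print(cred_id, "->", resolve(SAMPLE_PROPS, cred_id, cred_type, resolver))
```

Running it shows the three cases from the text: a plain ID picks up the default basepath, a prefixed ID takes its basepath and cache settings from the prefix level while still inheriting the password field name from the credential type level, and a database credential whose resolver defines an empty basepath is looked up under the full path written in the credential ID.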
Resolvers
Resolver | Description | Type |
---|---|---|
Generic KV Resolver | Default resolver for the KV secret engine; also the fallback when no other resolver applies | default |
AD Resolver | Resolver for the AD secret engine (creds) | ad |
AD Library Resolver | Resolver for the AD secret engine (check-in/check-out) | ad-library |
Database Resolver | Resolver for the Database secret engine (creds, static-creds) | database |
Delegate Resolver | Delegates resolution to another resolver selected by the prefix of the credential ID | delegate |
Mixed Delegate Resolver | Delegates resolution to another resolver for the username/password only; all other fields are handled by the Generic KV Resolver | mixed |