External secret management
Updated on 22 Jan 2024
Connect Torq to the key management service (secret store) used by your organization to use externally kept secrets when creating integrations with third-party vendors in Torq. By using an external key management service, you're making sure the sensitive information is fully managed by your company and not kept in Torq. You'll also be able to manage secret rotation and revocation independently from Torq according to your organization's policies.
The external secret stores supported at this stage are:
- HashiCorp Vault
- AWS SSM Parameter Store
- Azure Key Vault
How to use
1. Go to Integrations > Secret Management, select the card of the external secret store you would like to use, and click Add. You can also edit an existing integration by locating it in the integration instances list, clicking the three-dot menu, and selecting Edit.
2. Enter a meaningful integration name and the additional information required to create the integration. Don't create the integration before you complete step 3. The required information depends on the store (HashiCorp Vault, AWS SSM Parameter Store, or Azure Key Vault):
   - HashiCorp Vault: select one of the Vault integrations according to the authentication method you prefer. Note that only the key/value secrets engine v2 can be used as an external secret store.
   - AWS SSM Parameter Store: Important: the AWS role associated with the integration must have the GetParameter permission.
3. Select the Use this integration as a secret store for my account checkbox and click Add.
4. Go back to the Integrations page and select the card of the third-party vendor you want to connect to Torq. Click Add.
5. Enter the information required to create the integration. Next to each field, a dropdown lists the secret stores available to you. Select whether you would like to provide the value from an external secret store or provide the information to be stored in the Torq local secret/parameter store.
   - Sensitive information can either be sourced from an external secret store or manually entered and stored securely in the Torq local secret store.
   - Values for other fields can also be sourced from an external secret store or manually entered and stored in the Torq local parameter store.
   - Provide the path to the secret value. Important: how you obtain the path to the secret value differs from one secret management solution to another (see the sections below).
6. Click Add to create the third-party vendor integration.
Use a secret value stored in HashiCorp Vault
To use a secret value from HashiCorp Vault in Torq, provide the complete path (engine path + secret path) followed by the secret key.
- In HashiCorp Vault, go to Secrets to view the paths of the secret engines. For example, for a secret with engine path secret, secret path test/webapp, and key api_key, use secret/test/webapp/api_key to get the secret value in Torq.
- Use the secret value in integration fields that require sensitive information.
Use a secret value stored in AWS SSM Parameter Store
To use a secret value from AWS SSM Parameter Store in Torq, provide the region and the parameter name in the form <region>/<parameter name>.
- For example, for the parameter /A/A in the us-east-1 region, use us-east-1/A/A to get the secret value in Torq.
- Use the secret value in integration fields that require sensitive information.
Use a secret value stored in Azure Key Vault
To use a secret value from Azure Key Vault in Torq, provide the name of the secret as listed in Azure Key Vault.
- In Azure Key Vault, go to Secrets to view the names of the available secrets. For example, for a secret named my-secret, use my-secret to get the secret value in Torq.
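The three reference formats described in the Vault, AWS SSM, and Azure Key Vault sections above, parsed into the pieces each store's API actually needs, as an added example that is not Torq's own code. It assumes the Vault mount is the first path segment (Vault also allows nested mount paths, which this split cannot recognise), that the slash after the region is the leading "/" of a hierarchical SSM parameter name (as in the /A/A example), and uses a constructed AWS account ID 123456789012. The "data/" segment that KV v2 inserts into its HTTP read path, the shape of SSM parameter ARNs, and the Azure secret-name rules are standard behaviour of those services, not anything Torq-specific.

```python
"""Parse the Vault, AWS SSM and Azure Key Vault secret references used in Torq fields.

Added example, not Torq's own code. Assumptions are marked in comments.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultRef:
    mount: str        # KV secrets engine mount, e.g. "secret"
    secret_path: str  # path of the secret inside the engine, e.g. "test/webapp"
    key: str          # key inside the secret's data, e.g. "api_key"

    @property
    def api_path(self) -> str:
        # KV v2 inserts "data/" between mount and secret path on the HTTP API;
        # the logical path shown in the Vault UI (and used in Torq) omits it.
        return f"v1/{self.mount}/data/{self.secret_path}"


@dataclass(frozen=True)
class SsmRef:
    region: str
    name: str  # SSM parameter name, e.g. "/A/A"

    def arn(self, account_id: str) -> str:
        # Parameter ARNs append the name directly after "parameter", so a
        # hierarchical name "/A/A" becomes "parameter/A/A".
        name = self.name if self.name.startswith("/") else "/" + self.name
        return f"arn:aws:ssm:{self.region}:{account_id}:parameter{name}"


@dataclass(frozen=True)
class AzureRef:
    name: str  # secret name as listed under Secrets in the Key Vault


AWS_REGION = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# Azure Key Vault secret names: 1-127 characters, alphanumerics and hyphens only.
AZURE_SECRET_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")


def parse_vault(ref: str) -> VaultRef:
    """'<engine path>/<secret path>/<key>' -> VaultRef.

    Assumption: the mount is the first segment. Nested mounts such as
    "kv/team" would need the mount table from Vault to split correctly.
    """
    parts = [p for p in ref.strip("/").split("/") if p]
    if len(parts) < 3:
        raise ValueError("Vault reference needs <engine path>/<secret path>/<key>")
    return VaultRef(mount=parts[0], secret_path="/".join(parts[1:-1]), key=parts[-1])


def parse_ssm(ref: str) -> SsmRef:
    """'<region>/<parameter name>' -> SsmRef; the separator doubles as the name's leading '/'."""
    region, sep, name = ref.partition("/")
    if not sep or not name or not AWS_REGION.match(region):
        raise ValueError("SSM reference needs <region>/<parameter name>")
    return SsmRef(region=region, name="/" + name)


def parse_azure(ref: str) -> AzureRef:
    """Validate a Key Vault secret name before handing it to the vault."""
    if not AZURE_SECRET_NAME.match(ref):
        raise ValueError("Azure Key Vault secret names are 1-127 alphanumerics or hyphens")
    return AzureRef(name=ref)


def ssm_get_parameter_statement(ref: SsmRef, account_id: str) -> dict:
    """Least-privilege IAM statement for the role Torq assumes: GetParameter on
    exactly this parameter, rather than on every parameter in the account.
    SecureString parameters read with decryption additionally need kms:Decrypt
    on the key that encrypts them (not shown here)."""
    return {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": ref.arn(account_id)}


if __name__ == "__main__":
    # The page's own three examples; the account ID is a constructed placeholder.
    v = parse_vault("secret/test/webapp/api_key")
    print(f"Vault: read {v.api_path}, take key {v.key!r}")
    s = parse_ssm("us-east-1/A/A")
    print(f"SSM: {ssm_get_parameter_statement(s, '123456789012')}")
    print(f"Azure: secret name {parse_azure('my-secret').name!r}")
```

The validation functions reject references that would otherwise fail only at runtime inside the vendor integration (a Vault reference with no key, an SSM reference whose first segment is not a region, an Azure name with an underscore), which keeps misconfigured references from being saved against an integration in the first place.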