External secret management
  • 22 Jan 2024

Connect Torq to the key management service (secret store) used by your organization to use externally kept secrets when creating integrations with third-party vendors in Torq. By using an external key management service, you're making sure the sensitive information is fully managed by your company and not kept in Torq. You'll also be able to manage secret rotation and revocation independently from Torq according to your organization's policies.

The external secret stores supported at this stage are:

  • HashiCorp Vault
  • AWS SSM Parameter Store
  • Azure Key Vault
Note
Contact your support representative if your organization is using a different secret management service that you would like to integrate with Torq.

How to use

  1. Go to Integrations > Secret Management, select the card of the external secret store you would like to use, and click Add. You can also edit an existing integration by locating it in the integration instances list, clicking the three-dot menu, and selecting Edit.
  2. Enter a meaningful integration name and the additional information required to create the integration. Don't create the integration before you complete step 3.
  3. Select the Use this integration as a secret store for my account checkbox and click Add.
  4. Go back to the Integrations page and select the card of a third-party vendor you want to connect to with Torq. Click Add.
  5. Enter the information required to create the integration. Next to each field, you will have a dropdown with the secret stores available to you. Select whether you would like to provide the value from an external secret store or provide the information to be stored in the Torq local secret/parameter store.
    •  Sensitive information can either be sourced from an external secret store or manually entered and stored securely in the Torq local secret store.
    • Values for other fields can also be sourced from an external secret store or manually entered and stored in the Torq local parameter store.
  6. Provide the path to the secret value.
    Important
    How you find the path to the secret value differs from one secret management solution to another. The sections below describe each one.
  7. Click Add to create the third-party vendor integration.

Use a secret value stored in HashiCorp Vault

To use a secret value from HashiCorp Vault in Torq, you have to provide the complete path (engine path+secret path) and the secret key.

  • In HashiCorp Vault, go to Secrets to view the paths of the secret engines.
    For example, for the secret below, use secret/test/webapp/api_key to get the secret value in Torq.

  • Use the secret value in integration fields that require sensitive information.

Use a secret value stored in AWS SSM Parameter Store

To use a secret value from AWS SSM Parameter Store in Torq, provide the region and the parameter name in the format <region>/<parameter name>.

  • For example, for the parameter /A/A below, use us-east-1/A/A to get the secret value in Torq.

  • Use the secret value in integration fields that require sensitive information.

Use a secret value stored in Azure Key Vault

To use a secret value from Azure Key Vault in Torq, provide the name of the secret as listed in Azure Key Vault.

  • In Azure Key Vault, go to Secrets to view the names of the available secrets. For example, for the secret below, use my-secret to get the secret value in Torq.
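
The shell function below is an added example, not part of Torq or its documentation. It turns a reference written in any of the three formats above (HashiCorp Vault, AWS SSM Parameter Store, Azure Key Vault) into the read-only CLI lookup for that store, so a path can be checked before it is entered in an integration field. It assumes the Vault key is the last path segment and the SSM parameter name is fully qualified (leading "/"); the vault-name argument is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example, not Torq code: print the native, read-only CLI lookup for a
# reference written the way this page describes, so the path can be checked
# before it is pasted into an integration field.
# Assumptions: the Vault key is the last path segment; the SSM parameter name
# is fully qualified (leading "/"); the Azure vault name is a placeholder.
secret_ref_to_cmd() {
    store=$1 ref=$2 az_vault=${3:-VAULT_NAME_PLACEHOLDER}
    # Refuse empty references and ones with spaces or shell metacharacters.
    case $ref in
    '' | *[!A-Za-z0-9/_.-]*) echo "unsupported characters in reference" >&2; return 1 ;;
    esac
    case $store in
    vault)
        path=${ref%/*} key=${ref##*/}
        if [ "$path" = "$ref" ] || [ -z "$path" ] || [ -z "$key" ]; then
            echo "vault: expected <engine path>/<secret path>/<key>" >&2; return 1
        fi
        # Exit status shows whether the key exists; the value is discarded.
        printf 'vault kv get -field=%s %s >/dev/null\n' "$key" "$path" ;;
    ssm)
        # us-east-1/A/A means region us-east-1 and parameter /A/A.
        region=${ref%%/*} rest=${ref#*/}
        case $region in
        [a-z][a-z]-*-[0-9]) ;;
        *) echo "ssm: reference must start with a region" >&2; return 1 ;;
        esac
        if [ "$region" = "$ref" ] || [ -z "$rest" ]; then
            echo "ssm: expected <region>/<parameter name>" >&2; return 1
        fi
        # Query the name, not the value, so nothing sensitive is printed.
        printf 'aws ssm get-parameter --region %s --name /%s --with-decryption --query Parameter.Name --output text\n' "$region" "$rest" ;;
    azure)
        # Key Vault secret names allow only letters, digits and dashes.
        case $ref in
        *[!A-Za-z0-9-]*) echo "azure: invalid secret name" >&2; return 1 ;;
        esac
        printf 'az keyvault secret show --vault-name %s --name %s --query name -o tsv\n' "$az_vault" "$ref" ;;
    *) echo "unknown store: $store" >&2; return 1 ;;
    esac
}

# Constructed inputs taken from the examples on this page.
secret_ref_to_cmd vault secret/test/webapp/api_key
secret_ref_to_cmd ssm us-east-1/A/A
secret_ref_to_cmd azure my-secret
```

Run the printed command with the same identity the Torq secret store integration uses; a non-zero exit status means the path is wrong or that identity lacks read access.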
