# Secret Stores

{% hint style="info" %}
This page discusses the available options for secret stores in StrongDM and how to configure them. For information on managing secrets, rotating them, or entitling them to users, see the [StrongDM Vault](https://docs.strongdm.com/admin/secrets) page, and for information on configuring resources to point at a secret store for credentials, see the relevant [resource guide](https://docs.strongdm.com/admin/resources).
{% endhint %}

### What are Secret Stores?

When managing your resources in StrongDM, you can store credentials with StrongDM as you configure each resource. Alternatively, you can use secret stores: integrations that keep resource credentials in one centralized location instead of in each resource's configuration. Supported secret stores include StrongDM Vault (StrongDM's own secret store) and several third-party services. If your organization already manages and rotates credentials with a supported secret store provider, nothing about that workflow has to change.

### Why Secret Stores?

Secret store integrations let organizations keep credentials in a single managed location and automate their storage and rotation there, without maintaining separate copies in StrongDM.

Some organizations' security policies forbid the storage of credentials outside of a designated secret store provider, often as part of a zero trust initiative. You can take advantage of these secret store integrations to adhere to that requirement while using StrongDM.

If you store credentials for your resources in a third-party secret store, those credentials are never sent to or recorded on StrongDM's servers. Your gateway servers request them directly from the secret store when they need to authenticate to a resource.

### How do Secret Stores work?

To set up an integration with a third-party secret store:

1. Configure a secret store provider for use with StrongDM.
2. Give your relay servers the means to authenticate to the secret store (for example, provider credentials held on the relay, or a cloud identity such as an AWS IAM role).
3. Each time you set up a new resource, give StrongDM the path to the credential it needs in the store.

When a client connects to a resource, the relay authenticates to your secret store provider and fetches the credentials for that resource. Those credentials never leave your relay server and are never stored or recorded by StrongDM.

{% hint style="info" %}
Once you set up a resource with a specific secret store provider, you cannot assign a different one to that resource later. However, you can recreate the resource, or create an additional instance of the resource, as necessary.
{% endhint %}

#### Updating credentials

When you add, change, or rotate a credential in a third-party secret store, no change is needed in StrongDM: the relay fetches the current value at the configured path each time a client connects, so the next connection simply uses the new value. If you move or remove a credential, however, update its path wherever you used it in a resource's credential configuration in StrongDM; until you do, lookups at the old path fail and the resource becomes unavailable.

StrongDM's secret engines can also manage secrets that live in your secret stores. StrongDM provides a key-value secret engine for simple management of credentials within a secret store, and specialized secret engines that rotate the actual credentials on particular services and resources in tandem with the copies in the backing secret store. A secret store may hold many credentials, so several StrongDM secret engines may use the same store.

To learn more about secrets management through StrongDM (rather than a third-party service) see the [Secrets Management](https://github.com/strongdm/docs/blob/main/gitbook-content/admin/access/secrets-management.md) section.

#### Credential storage

Credentials for resources accessed through StrongDM can be stored in your secret store. Credentials that are used to access your secret stores provider are kept on the relays you host. No credentials, either for your secret store provider or for your individual resources, are ever transmitted to StrongDM.

![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-fc975b5e2bc9ecec2e3d4149ae2c238cf061be11%2Fsecretstores-aws.png?alt=media)

**Allowing credential storage in StrongDM**

You can use one or more third-party secret stores exclusively and globally disallow saving resource credentials directly with StrongDM (see Other Settings below).

Conversely, you can allow credentials to be stored directly with StrongDM in resource configurations and run a mixed system: some resources use third-party secret stores, while others keep their credentials in their resource configuration. You can even have two versions of the same resource with different credentials, stored in different places, with different access levels.

### Authentication with Secret Stores

Your relay needs to be able to authenticate to the secret store provider. If the secret store is down or unreachable, every resource that depends on it becomes unavailable as well. The diagnostics panel for each resource indicates whether its credentials could be loaded from the store and details any errors raised while fetching them.

{% hint style="info" %}
If a resource goes offline due to the inability of your gateway(s) to locate proper credentials for it, existing connections to that resource that have already been authenticated will persist.
{% endhint %}

StrongDM currently supports the following secret store services:

* [strongdm-vault](https://docs.strongdm.com/admin/access/secret-stores/strongdm-vault "mention")
* [aws-secrets-manager](https://docs.strongdm.com/admin/access/secret-stores/aws-secrets-manager "mention")
* [azure-key-vault](https://docs.strongdm.com/admin/access/secret-stores/azure-key-vault "mention")
* [cyberark-conjur](https://docs.strongdm.com/admin/access/secret-stores/cyberark-conjur "mention")
* [cyberark-pam](https://docs.strongdm.com/admin/access/secret-stores/cyberark-pam "mention")
* [delinea-secret-server](https://docs.strongdm.com/admin/access/secret-stores/delinea-secret-server "mention")
* [gcp-secret-manager](https://docs.strongdm.com/admin/access/secret-stores/gcp-secret-manager "mention")
* [hashicorp-vault](https://docs.strongdm.com/admin/access/secret-stores/hashicorp-vault "mention")

#### AWS Secrets Manager

AWS Secrets Manager is managed and hosted on AWS. StrongDM supports two authentication modes with AWS Secrets Manager: an AWS Access Key ID and Secret Access Key saved on the relay, or an AWS IAM role that authorizes the relay to access Secrets Manager.

If you use static keys, store them in the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables on the relay server. The key's IAM policy should grant only the read access StrongDM needs (`secretsmanager:GetSecretValue` on the relevant secrets). Where the relay runs on AWS, an IAM role attached to the instance avoids keeping a long-lived key on the relay at all.

* AWS Documentation: [Use IAM Policies for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html)
* AWS Tutorial: [Create and Retrieve a Secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html)
* AWS Article: [Authentication and Access Control for AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html)
* [Integrate AWS Secrets Manager with StrongDM](https://docs.strongdm.com/admin/access/secret-stores/aws-secrets-manager)

#### Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets such as API keys, passwords, certificates, and cryptographic keys.

* [Azure Key Vault Documentation](https://learn.microsoft.com/en-us/azure/key-vault/)
* [Integrate Azure Key Vault with StrongDM](https://docs.strongdm.com/admin/access/secret-stores/azure-key-vault)

#### CyberArk Conjur

{% hint style="info" %}
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).
{% endhint %}

CyberArk Conjur is a secrets store platform that provides role-based access control for secrets such as passwords and SSH keys.

* [CyberArk Conjur Quick Start](https://www.conjur.org/get-started/quick-start/oss-environment/)
* [Integrate CyberArk Conjur with StrongDM](https://docs.strongdm.com/admin/access/secret-stores/cyberark-conjur)

#### CyberArk PAM

{% hint style="info" %}
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).
{% endhint %}

CyberArk Privileged Access Manager (PAM) accounts facilitate access to privileged accounts on your resources and can store basic account properties as well as secret information such as passwords or keys.

* [CyberArk PAM Documentation](https://docs.cyberark.com/pam-self-hosted/latest/en/Content/Resources/_TopNav/cc_Home.htm)
* [Integrate CyberArk PAM with StrongDM](https://docs.strongdm.com/admin/access/secret-stores/cyberark-pam)

#### Delinea Secret Server

{% hint style="info" %}
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).
{% endhint %}

Delinea Secret Server is a service for securely storing and accessing secrets, such as API keys, passwords, certificates, and cryptographic keys.

* [Delinea Secret Server Documentation](https://docs.delinea.com/online-help/products/secret-server/current)
* [Integrate Delinea Secret Server with StrongDM](https://docs.strongdm.com/admin/access/secret-stores/delinea-secret-server)

#### GCP Secret Manager

GCP Secret Manager is a secret store provider administered from the Google Cloud console. It accepts plaintext or JSON secrets.

* Quickstart: [Create and Access Secrets Using Secret Manager](https://cloud.google.com/secret-manager/docs/quickstart)
* Tutorial: [Authenticating as a Service Account](https://cloud.google.com/docs/authentication/production)
* [Integrate GCP Secret Manager with StrongDM](https://docs.strongdm.com/admin/access/secret-stores/gcp-secret-manager)

#### HashiCorp Vault

HashiCorp Vault is a secret store that you host on your own infrastructure. StrongDM supports authenticating to HashiCorp Vault instances with either TLS certificate authentication or token authentication.

* Tutorial: [TLS Certificate Authentication](https://www.vaultproject.io/docs/auth/cert)
* Tutorial: [Token Authentication](https://www.vaultproject.io/docs/auth/token)
* [Integrate HashiCorp Vault with StrongDM](https://docs.strongdm.com/admin/access/secret-stores/hashicorp-vault)

### Putting it together

Without secret stores:

1. A user attempts to access a resource and their request is routed to a gateway.
2. The gateway queries StrongDM, verifying that the user's connection is authorized.
3. StrongDM sends back encrypted credentials to the gateway to authenticate with the resource.
4. The gateway reaches out to the resource and authenticates.
5. A secure tunnel is established from client to resource.

With secret stores, this process is similar, with a key difference. The gateway still reaches out to StrongDM for authorization, but is *not* given any credentials for the resource (StrongDM does not have them). Instead, the gateway then reaches out to the assigned secret store provider to collect the credentials.

### Secret Store Integration Configuration

#### Create a secret store

To integrate with a new secret store:

1. In the Admin UI, go to **Settings** > **Secrets Management** and to the **Secret Stores** tab.
2. Click the **add secret store** button.
3. On the **Add Secret Store** form:
   1. Enter a **Display Name**.
   2. Select the **Secret Store Type**.
   3. Fill in any remaining fields shown for your type. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-fc975b5e2bc9ecec2e3d4149ae2c238cf061be11%2Fsecretstores-aws.png?alt=media)

#### Connection Details

Credentials for authenticating to the secret store reside on your Gateway/Relay servers. To learn how to integrate a specific secret store provider with StrongDM, read that specific configuration guide.

Once you've configured gateway servers to authenticate to the secret store, you can check its health on the **Diagnostics** tab.

#### Other Settings

In **Settings** > **Security**, you can set **Allow credentials to be stored in StrongDM** to **No** in order to require that all new resources use secret store integrations instead. Note that disabling this option does not affect existing resources (which will continue to function as they always have), only the creation of new ones.

### Configure a Resource to Use a Secret Store

Once your secret store integration is configured and you have set up authentication on your relay servers, you need to create resources that read their credentials from the secret store.

1. In the Admin UI, [add a new resource](https://docs.strongdm.com/admin/resources), such as a Server or Datasource.
2. Fill in the fields as normal, but for the **Secret Store** field, choose your secret store.
3. Fill in the path to the username and password (or whatever credential the resource requires). Each path identifies the secret within your secret store, for example `/path/to/mycredentials/username` and `/path/to/mycredentials/password`. If you keep one secret with multiple key/value entries, the path instead selects a key within that secret, in the form `/path/to/mycredentials?key=username`. The exact format varies between secret store providers and is indicated in the placeholder text for each field. If the credentials are managed by a StrongDM Vault secret engine, the path also begins with the secret engine's path (shown in the secret engine's settings), for example `/secretenginepath/path/to/mycredentials?key=db_username`.

{% hint style="info" %}
The healthcheck for the new resource depends on the credentials being loaded from the secret store. If they are not, it will not go green.
{% endhint %}

4. You're done. The resource is ready to be used within StrongDM.
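The following is an added example, not StrongDM code, that models the path rules in step 3 above and the rotation behaviour described under Updating credentials. An in-memory dictionary stands in for a real provider; the `?key=` handling, the constructed sample values, and the `healthcheck` and `rotate_then_move` helpers are assumptions made for illustration, not StrongDM's implementation. It shows that rotating a value in the store changes what the next lookup returns without touching the configured path, while moving the secret makes the healthcheck fail until the path is updated.

```python
"""Added example: resolve StrongDM-style credential paths against a secret store.

Illustrative code, not StrongDM's relay. The dictionary store is a constructed
stand-in for a real provider; the path grammar follows this page's placeholders.
"""
import json
from copy import deepcopy
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


class SecretStoreError(Exception):
    """A lookup failure; the message is what a diagnostics panel would report."""


def parse_secret_path(path: str) -> Tuple[str, Optional[str]]:
    """Split a configured path into (secret path, optional key).

    "/path/to/mycredentials/username"     -> ("/path/to/mycredentials/username", None)
    "/path/to/mycredentials?key=username" -> ("/path/to/mycredentials", "username")
    """
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise ValueError(f"expected an absolute path within the store, got {path!r}")
    if not parts.query:
        return parts.path, None
    query = parse_qs(parts.query)
    if set(query) != {"key"} or len(query["key"]) != 1:
        raise ValueError(f"expected exactly one ?key=<name> in {path!r}")
    return parts.path, query["key"][0]


def resolve_secret(store: Dict[str, str], path: str) -> str:
    """Fetch one credential the way a relay would at connect time.

    A payload is either a plain value or a JSON object with several
    key/value entries, one of which is selected with ?key=<name>.
    """
    secret_path, key = parse_secret_path(path)
    if secret_path not in store:
        raise SecretStoreError(f"no secret at {secret_path!r} (moved or removed?)")
    payload = store[secret_path]
    if key is None:
        return payload
    try:
        fields = json.loads(payload)
    except json.JSONDecodeError:
        raise SecretStoreError(f"{secret_path!r} is not JSON, so ?key= cannot select a field") from None
    if not isinstance(fields, dict) or key not in fields:
        raise SecretStoreError(f"key {key!r} not present in secret {secret_path!r}")
    if not isinstance(fields[key], str):
        raise SecretStoreError(f"key {key!r} in {secret_path!r} is not a string")
    return fields[key]


def healthcheck(store: Dict[str, str], credential_paths: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Mimic the resource healthcheck: every configured field must resolve.

    Returns (ok, errors) with errors keyed by field name; one failing field
    keeps the resource unhealthy until the relay can read all of its credentials.
    """
    errors: Dict[str, str] = {}
    for field, path in credential_paths.items():
        try:
            resolve_secret(store, path)
        except (SecretStoreError, ValueError) as exc:
            errors[field] = str(exc)
    return not errors, errors


# Constructed sample store; the paths mirror the placeholders used on this page.
SAMPLE_STORE: Dict[str, str] = {
    "/path/to/mycredentials/username": "dbadmin",
    "/path/to/mycredentials/password": "s3cret-v1",
    # One secret holding several key/value entries, addressed with ?key=.
    "/secretenginepath/path/to/mycredentials": json.dumps(
        {"db_username": "dbadmin", "db_password": "s3cret-v1"}
    ),
}

# Two ways of configuring the same resource: one path per credential, or one
# secret with a key per credential (behind a hypothetical secret engine path).
SPLIT_CONFIG = {
    "username": "/path/to/mycredentials/username",
    "password": "/path/to/mycredentials/password",
}
ENGINE_CONFIG = {
    "username": "/secretenginepath/path/to/mycredentials?key=db_username",
    "password": "/secretenginepath/path/to/mycredentials?key=db_password",
}


def rotate_then_move(store: Dict[str, str]) -> Tuple[str, Tuple[bool, Dict[str, str]]]:
    """Rotate a password in the provider, then move the secret to a new path.

    Returns the value a relay reads after rotation (new value, no StrongDM change)
    and the healthcheck result after the move (fails until the path is updated).
    """
    store = deepcopy(store)
    store["/path/to/mycredentials/password"] = "s3cret-v2"  # rotated in the provider only
    rotated = resolve_secret(store, SPLIT_CONFIG["password"])  # next connect sees the new value
    store["/new/location/password"] = store.pop("/path/to/mycredentials/password")  # moved
    return rotated, healthcheck(store, SPLIT_CONFIG)


if __name__ == "__main__":
    print("split config:", healthcheck(SAMPLE_STORE, SPLIT_CONFIG))
    print("engine config:", healthcheck(SAMPLE_STORE, ENGINE_CONFIG))
    print("after rotate + move:", rotate_then_move(SAMPLE_STORE))
```

The `healthcheck` helper reports every failing field at once, which is the behaviour you want from a pre-flight check before creating the resource: a missing key in a JSON secret and a missing secret are distinguished in the error text, and either keeps the resource from going green.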

