Retrieve Secrets

This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

Your organization may entitle you to directly retrieve, validate, or rotate secrets such as passwords or keys from a secret store through the StrongDM Admin UI. This can be used for a variety of tasks, such as requesting and receiving temporary administrative access to applications that StrongDM does not manage, or to local admin accounts.

To view secrets that have been assigned to you, go to the Access > Secrets page in the StrongDM Admin UI. It lists all secrets that you are eligible to interact with directly. Secrets appear in this list only if your permission level in your StrongDM organization allows it, or if an administrator-created policy entitles you (grants you access) to particular secrets.

The Secrets page displays the list of secrets you are able to interact with, showing the Name, Type, Secret Engine, Tags, and an Actions menu for each.

Property | Description | Example
--- | --- | ---
Name | Name given to the secret when it was created | TestUserCredentials
Type | Type of secret; corresponds to the type of the secret engine used to manage the secret | Active Directory
Secret Engine | Name given to the secret engine when it was created | TestActiveDirectoryEngine
Tags | Tags given to the secret by administrators | exampletag
Actions | Actions available for you to perform on this secret; possible actions are Retrieve, Rotate, and/or Validate | N/A

Actions

Rotate

The Rotate action rotates the secret, changing its password to a newly generated one according to the secret engine configuration set by administrators. The process rotates the secret in the actual service or resource (such as Active Directory or a MySQL server) and also rotates the copy housed in the backing secret store. The secret store copy is the one that can be retrieved through StrongDM, and it is also the credential used to authenticate user traffic to resources through StrongDM. Messages in the bottom right corner of the UI indicate whether the rotation succeeded or failed.

Retrieve

When Retrieve is selected, a modal window shows the details of the secret. Sensitive fields are masked and can be either directly copied or revealed to view.

Validate

The Validate action uses the secret engine to compare the copy of the credential in the secret store with the copy on the service or resource. A message will indicate whether validation was successful (the values are the same) or not (the values are different). If the validation fails, rotating the secret may resolve the discrepancy.
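As an added illustration of the Rotate and Validate behaviour described above (example code, not StrongDM's own implementation), the following Python model uses a constructed Resource class as the target service and a plain dict as the backing secret store; the rotate, validate and demo_drift functions and the password policy are assumptions of the example.

```python
import hmac
import secrets
import string


class Resource:
    """Constructed stand-in for the real service (e.g. an AD or MySQL account)."""

    def __init__(self, password: str) -> None:
        self._password = password

    def set_password(self, new_password: str) -> None:
        self._password = new_password

    def check_password(self, candidate: str) -> bool:
        # Constant-time comparison so timing does not leak how much matched.
        return hmac.compare_digest(self._password, candidate)


# The backing secret store, modelled as name -> current value (constructed).
SecretStore = dict[str, str]


def generate_password(length: int = 24) -> str:
    """Stands in for the engine's administrator-configured generator."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate(store: SecretStore, name: str, resource: Resource) -> bool:
    """Validate: True if the store copy still matches the resource copy."""
    return resource.check_password(store[name])


def rotate(store: SecretStore, name: str, resource: Resource) -> None:
    """Rotate: set a fresh password on the resource, then update the store copy."""
    new_password = generate_password()
    resource.set_password(new_password)
    store[name] = new_password


def demo_drift() -> tuple[bool, bool]:
    """Out-of-band password change breaks validation; a rotation repairs it."""
    store: SecretStore = {"TestUserCredentials": "initial-pw"}
    resource = Resource("initial-pw")
    resource.set_password("changed-outside-strongdm")  # drift
    before = validate(store, "TestUserCredentials", resource)
    rotate(store, "TestUserCredentials", resource)
    return before, validate(store, "TestUserCredentials", resource)
```

demo_drift returns (False, True): validation fails while the two copies differ and succeeds again once rotate has written the same new value to both.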

Interact With Secrets Via the CLI

You can also use the StrongDM CLI to interact with secrets. An authenticated user or service account can use the following commands:

Command
Description

List your managed secrets

Show details of managed secret without sensitive data

Show details of managed secret with sensitive data

Rotate managed secret

Show whether a managed secret is currently valid

Further Reading

For administrator information on managing secrets, secret engines, or secret stores, see the following sections:

Secrets
Secrets Management
Secret Stores
