To support the increase in available APIs, Credentials can now be stored centrally and secretly (and encrypted) in the Oomnitza Vault (aka The Credentials Table) based on the vault implementation by Hashicorp. This makes setup of new Custom Connectors and API Workflows simple while preventing unnecessary secret sprawl, and allowing for authentication and execution of APIs that are owned by different groups within an organization.
Accessing the Credentials Table
The Credentials Table is available by navigating to the Setting page and selecting Credentials. Only users whose Role has has been granted read or write access this feature.
Adding a Credential to the Vault
To add a credential to the Vault, navigate to the credentials module and click "+" in the upper right. You'll be prompted to specify a Name and Owner for the integration. We recommend, as a best practice, specifying the system and level of access inn the credential's name, such as "Okta Read-Only API Key".
Next, select "Authorization," select the appropriate type of authorization, and fill out the appropriate details. Information on each supported method of authorization is available below.
The Vault currently supports the following types of authentications:
- Basic Auth - Basic Auth should be used for username and password based authentication.
- API Key - API Key should be used for token-based authentication where you're given a single credential (Sometimes an API Key, API Token, or Static Token).
- AWS Auth - AWS Auth is a special type of authentication that should be used for integrations with Amazon Web Services (AWS), including retrieving AWS Users, and AWS EC2 instances.
- oAuth 2.0 - The oAuth 2.0 authorization framework enables applications to obtain limited access to user accounts on an HTTP service, such as Google, Salesforce and Zoom.
Because the authorization flow for oAuth 2.0 varies between vendors, Oomnitza provides a set of preset systems that we've configured oAuth 2.0 authentication for. If case you have a system that requires oAuth 2.0 and is not available on the list, please reach out to firstname.lastname@example.org, and we will add it into our development pipeline.
Using Vault Credentials
Once the authentications are defined in the Vault, you can then reference them in various different places, including the API block and SaaS User Role block in workflow as well as the new Enhanced Asset Load and Enhanced User Load connectors.
For oAuth 2.0 based credentials, the expiration date is read-only and will be retrieved from the connected system. For all other authentications, the expiration date must be entered manually.
Current Limitations: We are still working on the Vault support within the SaaS Management Integrations and Slack workflow block. Also we do not yet support the Refresh flow for oAuth 2.0 tokens. Those features will get added soon.
Note: Due to security concerns, the Vault is not supported for locally installed connectors, only for the cloud installed connectors. For the locally installed connectors we recommend a local vault implementation as mentioned in the Connector installation documentation. Additionally the vault is not supported for the pre-existing basic connectors, like SCCM and JAMF. Over time we will migrate these Basic connectors to the new enhanced connector framework to then allow you to shift over and start using the Vault for these systems as well.
How the Credentials are Stored
The Oomnitza Vault is integrated as a separate service in each Oomnitza instance. The implementation is based on the Hashicorp Vault, which is the industry standard for encrypted secret storage. Secrets are stored in the database as encrypted strings that can only be accessed by the application server from within the same subnet.
More information on the Hashicorp Vault can be found here: https://www.vaultproject.io/