To support the increase in available APIs, credentials can now be stored centrally and secretly (and encrypted) in the Oomnitza vault based on the vault implementation by Hashicorp. This makes the setup of new custom integrations and API workflows easier while preventing unnecessary secret sprawl, and allowing for authentication and execution of APIs that are owned by different groups within an organization.
Accessing the credentials table
The credentials table can be accessed by going to Configuration>Security>Credentials. Only users whose role has has been granted read or write access can access this feature.
Adding a credential to the vault
To add a credential to the vault, in Credentials click + in the upper right. You'll be prompted to specify a Name and Owner for the integration. We recommend specifying the system and level of access in the credential's name, such as Okta Read-Only API Key.
Next, in the Authorization tab select the appropriate type of authorization, and fill out the appropriate details. Information on each supported method of authentication is available below.
The vault currently supports the following types of authentications:
- Basic Auth - Basic Auth should be used for username and password based authentication.
- API Key - API Key should be used for token-based authentication where you're given a single credential (sometimes an API Key, API Token, or Static Token).
- AWS Auth - AWS Auth is a special type of authentication that should be used for integrations with Amazon Web Services (AWS), including retrieving AWS Users, and AWS EC2 instances.
- OAuth 2.0 - The OAuth 2.0 authorization framework enables applications to obtain limited access to user accounts on a HTTP service, such as Google, Salesforce and Zoom.
Because the authorization flow for OAuth 2.0 varies between vendors, Oomnitza provides a set of preset systems that we've configured OAuth 2.0 authentication for. If you have a system that requires OAuth 2.0 and is not available on the list, please reach out to firstname.lastname@example.org, and we will add it to our development pipeline.
Using vault credentials
Once the authentications are defined in the vault, you can then reference them in various places, including the API block and SaaS User Role block in workflow as well as the new Extended Asset Load and Extended User Load integrations.
For OAuth 2.0 based credentials, the expiration date is read-only and will be retrieved from the connected system. For all other authentications, the expiration date must be entered manually.
Due to security concerns, the vault is not supported for locally installed connectors, only for the cloud installed connectors. For the locally installed connectors we recommend a local vault implementation as mentioned in the connector installation documentation. We have begun the process of migrating these local basic connectors to the new extended integration framework to allow you to shift over and start using the vault for these systems as well. For further information, refer to our list of Vendor integrations.
How the Credentials are Stored
The Oomnitza vault is integrated as a separate service in each Oomnitza instance. The implementation is based on the Hashicorp Vault, which is the industry standard for encrypted secret storage. Secrets are stored in the database as encrypted strings that can only be accessed by the application server from within the same subnet.
More information on the Hashicorp Vault can be found here: https://www.vaultproject.io/