Connecting to Vault Variables

NEW FOR VERSION 4.6 OF RULEX

A vault is a password manager, usually a cloud service, which allows you to securely store and access reserved information.

The information contained in a vault is mostly passwords and login credentials, but may also include certificates, API keys, or anything you need to restrict access to.

Single items of information are referred to as secrets.


Rulex vault support

Rulex allows you to reference reserved information stored externally in vaults, so that this sensitive data does not need to be saved in workflows, which increases workflow security.

Currently Rulex supports Azure Key Vault and Centrify.

If you need setup information, check out their online documentation.


Procedure - setting up vault connections in Rulex

Vault connections are created at working database level and can be used in all the workflows that use the same database.

  1. Click on the key icon in the toolbar to open the Vault preferences window.

  2. Click on the Vault options tab.

  3. Select the type of vault system you want to use in the left side bar.

  4. Enter the vault options, as explained in the table below.

  5. Click Test connection, to ensure the vault connection has been correctly configured.

  6. Click Save connection.

  7. Click Save.

Option

Description

Connection name

Enter a unique name for the connection in order to save it.

This name will then be displayed in the Vault connection drop-down list, where you can select the required connection from all those you have previously created.

NB: The connection name can contain only uppercase or lowercase letters and/or underscores ("_"). No other symbols or spaces can be used.

Vault URL

The URL of the specific environment you want to use.
The format for the URL must be: https://your-environment.vault.azure.net

Service principal ID

The subscription ID/client ID of the account that will be used to access the vault.

For security reasons, the account used to access the vault must not be a user account. The subscription ID is normally made up of alphanumeric characters, normally separated by a '-', for example:

test1234-0a1b-2cd3-abcdef567890

  • In Azure, this type of account is called a service principal, and is generated by Azure, along with its password.

  • In Centrify, this account is called the machine client, and is generated by Centrify, along with its password.

Service principal password

The client secret of the account which will be used to connect to the vault.

Tenant/App ID

The Directory ID/Tenant ID of your domain. This ID is normally made up of alphanumeric characters, normally separated by a '-', for example: test1234-0a1b-2cd3-abcdef567890

  • For Azure the domain is called a Tenant.

  • For Centrify the domain is called an App.

To modify existing connections, select them from the Vault connection drop-down list.
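The field rules in the table above can be checked before the values are typed into the Vault options tab. The following is an added example, not Rulex code: the function names are hypothetical, it covers Azure Key Vault connections only, it treats the "normally" ID format as required, and it assumes an ID containing "@" is a user account.

```python
import re
from urllib.parse import urlsplit

# Rules taken from the option table above (Azure Key Vault connections only).
# Digits in the connection name are rejected on a literal reading (assumption).
NAME_RE = re.compile(r"[A-Za-z_]+")                    # letters and "_" only
ID_RE = re.compile(r"[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*")  # alphanumeric groups joined by "-"
AZURE_SUFFIX = ".vault.azure.net"


def _vault_url_problem(vault_url):
    """Return why the URL deviates from https://<environment>.vault.azure.net, or None."""
    url = urlsplit(vault_url.strip())
    host = url.hostname or ""
    if url.scheme != "https":
        return "scheme must be https"
    if not host.endswith(AZURE_SUFFIX) or len(host) == len(AZURE_SUFFIX):
        return "host must be <environment>.vault.azure.net"
    if url.netloc.lower() != host or url.path not in ("", "/") or url.query or url.fragment:
        return "no port, credentials, path or query allowed"
    return None


def check_azure_connection(name, vault_url, principal_id, tenant_id):
    """Map each badly formed field to a reason; an empty dict means all fields pass."""
    problems = {}
    if not NAME_RE.fullmatch(name):
        problems["connection_name"] = "only letters and '_' are allowed"
    reason = _vault_url_problem(vault_url)
    if reason:
        problems["vault_url"] = reason
    if "@" in principal_id:
        # Assumption: an e-mail style ID is a user account, which the page forbids.
        problems["service_principal_id"] = "looks like a user account"
    elif not ID_RE.fullmatch(principal_id):
        problems["service_principal_id"] = "expected alphanumeric groups joined by '-'"
    if not ID_RE.fullmatch(tenant_id):
        problems["tenant_id"] = "expected alphanumeric groups joined by '-'"
    return problems


if __name__ == "__main__":
    # Constructed sample values; the ID reuses the placeholder shown in the table.
    sample_id = "test1234-0a1b-2cd3-abcdef567890"
    print(check_azure_connection("Prod_KV", "https://your-environment.vault.azure.net",
                                 sample_id, sample_id))
    print(check_azure_connection("prod kv", "http://your-environment.vault.azure.net",
                                 "alice@example.com", sample_id))
```

The service principal password is deliberately not an argument, so the check can be run or logged without handling the secret.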

 

Procedure - adding vault variables

The procedure is similar to adding process variables, but you provide information on the vault connection and secret instead of manually entering a variable value.

  1. Click on the key icon in the toolbar to open the Vault preferences window.

  2. Click on the Vault variables tab.

  3. Click on the plus icon. Select how many variables you want to create from the spin box.

  4. For each new variable:

    1. Enter a unique name, which will be used in Rulex to reference the vault variable.

    2. Select the name of the connection you previously set up to the vault that contains the required reserved item of information.

    3. Enter the exact name of the specific variable (secret) as it was saved in the vault.

  5. Click Save to save the vault variables.

Once set, vault variables have priority over runtime and process variables.

Consequently, when a workflow is executed, variable values will be taken from:

  1. the corresponding vault variable, if present.

  2. the corresponding runtime variable, if present.

  3. the corresponding process variable, if present.

© 2024 Rulex, Inc. All rights reserved.