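# Work with an external vault system

This document explains how you can store secrets (such as passwords, API keys,
or certificates) in an external vault—such as CyberArk—and securely pull them
into the Google Security Operations platform for use in various configurations.

**Note:** The Google Security Operations platform only supports CyberArk PAM.

You can reference vault credentials in the following locations:

- Integrations
- Connectors
- Jobs

The following deployment types are supported:

- Cloud vault instance
- On-premises vault instance (using remote agent)

Use cases
---------

- Enterprise organizations can pull credentials from their central vault to
  reduce the risk of unauthorized use of passwords.
- Managed Security Service Providers (MSSPs) can pull client credentials
  directly from the client's vault, without exposing passwords to their staff.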

### Download and configure the vault integration

To install and configure the vault integration, follow these steps:

1. Go to the **Marketplace** (or **Content Hub** for Google SecOps customers) and install the CyberArk PAM integration.
2. Configure the integration using one of these methods:
   - During installation (for the default environment).
   - Go to **Response > Integrations Setup** and select the appropriate environment.
3. If you're using an on-premises vault with a remote agent, all third-party
   integrations (whether cloud-based or on-premises) must be configured under
   the same remote agent so it can access the vault.
4. Once saved, the vault credentials become available to other integrations.

### Use vault secrets in configurations

Use the following syntax to securely reference secrets stored in the external vault:

- **Syntax**: `[EnvironmentName:::VaultIntegrationName:::VaultIntegrationInstanceName:::PasswordID]`
- **EnvironmentName**: Name of the environment where the integration is configured (see **Settings > Integrations**).
- **VaultIntegrationName**: Name of the vault integration downloaded from the Marketplace.
- **VaultIntegrationInstanceName**: Name of the integration instance (the configured vault within the environment).
- **PasswordID**: The password identifier from your vault directory.

  Example:

  ```
  [Default Environment:::CyberArkPAM:::CyberArkPAM_1:::33_3]
  ```

### Configure an integration with a vault password

The following example shows how to configure the email integration with a CyberArk password:

1. Go to **Response > Integrations Setup**; the **Integrations** screen appears.
2. Select the target environment where you want to configure the integration.
3. Click **Add**, then choose the **Email** integration.
4. Fill in the integration parameters. For **Password**, use the vault syntax:

   ```
   [DefaultEnvironment:::CyberArkPAM:::CyberArkPAM_1:::33_3]
   ```

   **Note:** Because the **Password** field masks password input, we recommend creating and verifying the vault syntax in a plaintext field before copying it into the **Password** field.
5. Select the **Remote Agent Run Remotely** checkbox, as CyberArk PAM is an on-premises vault.
6. Click **Save**. At runtime, the platform retrieves the password from the external vault.

#### Considerations

- **For on-premises vaults**: Make sure both the vault and integration run remotely under the same agent.
- **For cloud vaults with on-prem integrations**: Make sure the remote agent has access to the cloud vault.

### Configure a connector with a vault password

To configure a connector with a vault password, follow these steps:

1. Go to **Settings > Ingestion > Connectors**.
2. Click **Add** to create a new connector. For this example, choose the **Generic IMAP Email** connector.
3. Enter the appropriate parameters.
4. In the **Password** field, add the following:

   ```
   [Default Environment:::CyberArkPAM:::CyberArkPAM_1:::33_3]
   ```

### Configure a job with a vault password

To configure a job with a vault password, follow these steps:

1. Go to **Response > Jobs Scheduler**.
2. Click **Add** and choose an integration (for example, **Google SecOps Sync Job**).
3. In the **API Root** field, enter the vault syntax.

### Create a custom integration to use vault credentials

Use **Actions**, **Connectors**, or **Jobs**
to pull vault credentials from the external vault by configuring the relevant
integration parameter with the external vault syntax.

Use the following snippet in your code (**Param A** should contain the vault
pattern):

```
integration_param = siemplify.extract_configuration_param(provider_name=INTEGRATION_NAME, param_name="Param A")
```

**Connectors** can pull credentials from the external vault by
configuring the relevant connector parameters with the external vault
syntax.

Use the following snippet in your code (**Param B** should contain the vault
pattern):

```
connector_param = siemplify.extract_connector_param("Param B", default_value=None, input_type=str)
```

**Jobs** can pull credentials from the external vault by configuring
the relevant job parameter with the external vault syntax.

Use the following snippet in your code (**Param C** should contain the vault
pattern):

```
# print_value=True asks the SDK to log the parameter value; prefer print_value=False when it resolves to a secret.
job_param = siemplify.extract_job_param(param_name="Param C", print_value=True)
```

If you've configured the vault as an integration in **Shared
instances**, you can pull the credentials from the integration
configuration instead of the job configuration. Use the following snippet
(**Param A** should contain the vault pattern):

```
integration_param = siemplify.extract_configuration_param(provider_name=INTEGRATION_NAME, param_name="Param A")
```

Additional information
----------------------

- Only commercial vault integrations from the Google SecOps Marketplace are supported.
- Updating the vault configuration automatically applies new credentials across actions, jobs, and connectors.
- There's a server validation for the vault placeholder. You can save a vault placeholder only if the referenced vault exists and you're authorized to access it.
- Vault access using an agent is supported only in version 1.4.1.52 or later.

Known limitations
-----------------

When you create custom vault integrations with the vault credential feature, you
must match the dependency versions exactly to the following table:

Last updated 2025-08-29 UTC.
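
The placeholder syntax from "Use vault secrets in configurations" can be checked for shape before a value is pasted into a masked **Password** field. The following Python lint is an added example, not code from Google SecOps or its SDK: `parse_vault_ref`, `lint_params`, the secret-name heuristic and the sample parameters are hypothetical, and its whitespace rules are an assumption that may be stricter than the server-side validation.

```python
import re
from typing import NamedTuple, Optional

# Page syntax: [EnvironmentName:::VaultIntegrationName:::VaultIntegrationInstanceName:::PasswordID]
LOOKS_LIKE_REF = re.compile(r"^\s*\[.*:::.*\]\s*$", re.DOTALL)
# Assumption: parameter names that usually hold secrets (hypothetical heuristic).
SECRET_NAME = re.compile(r"pass(word)?|secret|token|api.?key", re.IGNORECASE)

class VaultRef(NamedTuple):
    environment: str
    integration: str
    instance: str
    password_id: str

def parse_vault_ref(value: str) -> Optional[VaultRef]:
    """Parsed reference, None for an ordinary value, ValueError if malformed."""
    if not LOOKS_LIKE_REF.match(value):
        return None
    # Assumption: stricter about whitespace than the platform itself may be.
    if value != value.strip() or "\n" in value or "\r" in value:
        raise ValueError("line break or surrounding whitespace in placeholder")
    fields = value[1:-1].split(":::")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    if any(not f or f != f.strip() for f in fields):
        raise ValueError("empty or space-padded field")
    return VaultRef(*fields)

def lint_params(params: dict) -> dict:
    """Classify each value: vault, plain, literal-secret, or malformed: <why>."""
    report = {}
    for name, value in params.items():
        try:
            ref = parse_vault_ref(value)
        except ValueError as exc:
            report[name] = f"malformed: {exc}"
            continue
        kind = "literal-secret" if SECRET_NAME.search(name) else "plain"
        report[name] = "vault" if ref else kind
    return report

# Constructed sample parameters (illustrative values, not from a real tenant).
SAMPLE = {
    "Password": "[Default Environment:::CyberArkPAM:::CyberArkPAM_1:::33_3]",
    "API Root": "[Default\nEnvironment:::CyberArkPAM:::CyberArkPAM_1:::33_3]",
    "IMAP Password": "not-a-vault-reference",
    "API Key": "[Default Environment:::CyberArkPAM:::33_3]",
    "Server Address": "imap.example.com",
}
print(lint_params(SAMPLE))
```

A `literal-secret` verdict marks a secret-named parameter that holds a plain value instead of a vault reference, which is the case the vault integration is meant to eliminate.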