Work with an external vault system

You can store your secrets (passwords, API keys, certificates) in an external vault (such as CyberArk) and then pull them into the Google SecOps platform.

The external vault can be configured to pull credentials in the following places: Integrations, Connectors and Jobs.

Two deployments support the external vault:

  • Cloud vault instance

  • On-premises vault instance (using remote agent)

Use cases

  • An Enterprise organization wants to pull their credentials from the organizational vault to prevent unauthorized use of passwords.

  • MSSPs want to pull their customer's credentials from the customer's vault so that the MSSP won't be exposed to the passwords.

Download and configure the vault integration

To download and configure the vault integration, follow these steps:

  1. Go to the Marketplace and install the relevant vault integration. This example uses CyberArk PAM integration.
  2. Either configure the integration through the Marketplace just for the Default Environment; alternatively, from the left navigation, go to Response > Integrations Setup and configure it there for whichever environment you need.
  3. When working with an on-premises vault over a remote agent, all the third-party integrations (on-premises or cloud) need to be configured under the same remote agent (to make sure the agent has access to the on-premises vault).
    When working with cloud vault and on-premises integrations over agent, the agents need to have access to the cloud vault.

  4. Once you've saved the vault credentials, you can use them within other integrations.

Add vault secrets

Use this formula wherever you need vault secrets:

  • Secrets formula:
    [EnvironmentName:::VaultIntegrationName:::VaultIntegrationInstanceName:::PasswordID]
  • EnvironmentName: the environment on which you configured the vault integration; you can find it in Settings > Integrations.
  • VaultIntegrationName: the name of the vault integration that you downloaded from the Marketplace.
  • VaultIntegrationInstanceName: the name of the vault instance (the name of the integration instance on the environment), which you can also find in Settings > Integrations.
  • PasswordID: the identifier of the secret, copied from the vault directory itself. For example:
    [Default Environment:::CyberArkPAM:::CyberArkPAM_1:::33_3]
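As an added example (not code from the Google SecOps documentation or SDK), the following Python parser checks that a value follows the four-field placeholder syntax above and then checks it against a constructed list of configured vault instances, in the spirit of the server-side placeholder validation the platform performs. The environment and instance names, and the rejection messages, are assumptions for illustration.

```python
import re
from typing import Dict, NamedTuple, Optional, Set, Tuple

# Placeholder syntax from this page: four ':::'-separated fields inside square brackets.
# Fields may contain spaces (e.g. "Default Environment") but not colons or brackets.
_PLACEHOLDER_RE = re.compile(
    r"^\[(?P<env>[^:\[\]]+):::(?P<integration>[^:\[\]]+):::"
    r"(?P<instance>[^:\[\]]+):::(?P<password_id>[^:\[\]]+)\]$"
)


class VaultRef(NamedTuple):
    environment: str
    integration: str
    instance: str
    password_id: str


def parse_vault_placeholder(value: str) -> Optional[VaultRef]:
    """Return the four placeholder fields, or None if the value is not a placeholder
    (e.g. a plain password typed directly into the field)."""
    m = _PLACEHOLDER_RE.match(value.strip())
    if not m:
        return None
    return VaultRef(m["env"], m["integration"], m["instance"], m["password_id"])


# Constructed sample of configured vault instances: environment -> {(integration, instance)}.
CONFIGURED_INSTANCES: Dict[str, Set[Tuple[str, str]]] = {
    "Default Environment": {("CyberArkPAM", "CyberArkPAM_1")},
}


def validate_vault_placeholder(
    value: str,
    configured: Dict[str, Set[Tuple[str, str]]] = CONFIGURED_INSTANCES,
    allowed_envs: Optional[Set[str]] = None,
) -> str:
    """Emulate the server-side check: syntax, an existing vault instance, and permission on
    the instance's environment. Returns 'ok' or a short reason; never echoes a secret, so the
    result is safe to log."""
    ref = parse_vault_placeholder(value)
    if ref is None:
        return "not a vault placeholder"
    if allowed_envs is not None and ref.environment not in allowed_envs:
        return f"no permission for environment {ref.environment!r}"
    if (ref.integration, ref.instance) not in configured.get(ref.environment, set()):
        return f"no vault instance {ref.integration}/{ref.instance} in {ref.environment!r}"
    return "ok"
```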

Configure an Integration with a Vault password

This example uses the Email integration that has been installed from the Marketplace.

  1. From the left navigation, go to Response > Integrations Setup; the Integrations screen appears.
  2. Choose the required environment that you want to configure the integration on.
  3. On the right of the screen, click Add and select the Email integration from the drop-down list.
  4. Configure the parameters according to your needs. In the password section, add the following:
    [Default Environment:::CyberArkPAM:::CyberArkPAM_1:::33_3]
  5. Make sure to select the Remote Agent Run Remotely checkbox, as CyberArk PAM is an on-premises vault.
  6. Click Save. During run time the platform takes the corresponding password from the external vault.

    Note:
    • If you're working with an on-premises vault and on-premises integration OR on-premises vault and cloud integration, make sure both of them are configured as "run remote" using the same agent.

    • If you're working with a cloud vault and on-premises integration, make sure that the remote agent has access to the cloud vault.

Configure a Connector with a vault password

To configure a connector with a vault password, follow these steps:

  1. Go to Settings > Ingestion > Connectors.
  2. Click Add and create a new Connector. For this example, choose the Generic IMAP Email Connector.
  3. Configure the Connector with the relevant parameters. In the password field, add:
    [Default Environment:::CyberArkPAM:::CyberArkPAM_1:::33_3]

Configure a Job with a vault password

To configure a Job with a vault password, follow these steps:

  1. From the left navigation, go to Response > Jobs Scheduler.
  2. Click Add and create a new Job with the relevant integration. This example uses the Google SecOps Sync Job.
  3. Configure the job as usual. In the API Root field, use the vault parameters.

Create a custom integration to work with an external vault

Actions can pull credentials from an external vault when the relevant integration parameter is configured with the external vault syntax.

Use the following snippet in your code (Param A should contain the vault pattern):

integration_param = siemplify.extract_configuration_param(provider_name=INTEGRATION_NAME, param_name="Param A")

Connectors can pull credentials from an external vault when the relevant connector parameter is configured with the external vault syntax.

Use the following snippet in your code (Param B should contain the vault pattern):

connector_param = siemplify.extract_connector_param("Param B", default_value=None, input_type=str)

Jobs can pull credentials from an external vault when the relevant job parameter is configured with the external vault syntax.

Use the following snippet in your code (Param C should contain the vault pattern):

job_param = siemplify.extract_job_param(param_name="Param C", print_value=True)

If you've configured the vault as an integration under Shared instances, you can pull the credentials from the integration configuration instead of the job configuration. Use the following snippet (Param A should contain the vault pattern):

integration_param = siemplify.extract_configuration_param(provider_name=INTEGRATION_NAME, param_name="Param A")

Additional information

  • The external vault can work only with a commercial vault integration downloaded from the Google SecOps marketplace.
  • If you update the vault settings (vault instance configuration), the actions, jobs, and connectors will be updated as well with the new credentials automatically.
  • There's a server validation for the vault placeholder. You can use the placeholder and save it only if there's an existing vault instance, and you have permissions to the vault instance environment.
  • External vault over a remote agent is supported only in agent versions later than 1.4.1.52.

Known limitations

If you create custom vault integrations with the vault credential feature, you must match the dependency versions exactly to the following table:

Dependency            Version (Python 2.7 / Python 3.7)
requests              2.25.1
urllib3               1.26.2
six                   1.15.0
requests_toolbelt     0.10.1
pyOpenSSL             19.1.0
pycparser             2.20
idna                  2.10
cryptography          3.3.1
chardet               4.0.0
cffi                  1.14.4
certifi               2020.12.5
importlib-metadata    2.1.3 (Python 2.7), 4.12.0 (Python 3.7)