Configure the Secrets Vault

Table of Contents

Delete Obsolete Cloud Identity Agent Certificates

Configure the Secrets Vault

Learn how to configure the password vault in the Cloud Identity Engine.

Where Can I Use This?	What Do I Need?
NGFW Prisma Access	The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. Click here for more information.

Early in computing history, sensitive information (such as passwords and cryptographic keys) was usually stored in easily accessible locations, such as plaintext files or in the code itself. In addition, passwords were often reused in multiple locations and shared with colleagues using unencrypted methods. These behaviors could expose organizations to significant security risks by leaving sensitive data vulnerable to theft and misuse. When cyberattacks such as data breaches and hacking became more advanced and frequent, organizations needed to provide better security measures to protect their data.

One method of protecting this critical information is by using secrets vaults. A secrets vault:

Provides a centralized and secure storage method for sensitive information that can integrate with security and engineering processes.
Encrypts data for security.
Uses granular access to control who can view or change the information.
Logs activity for auditing purposes.

Using secrets vaults helps organizations reduce their attack surface, ensure compliance with regulations, and manage sensitive information more easily.

Configure user roles for the vault.

A superuser has full privileges for the secrets vault, including initialization, adding secrets and collections, and vault deletion.
1. Configure roles for users as needed.
  Vault Administrator—Grants all secrets vault access privileges to the user, including initialization, adding secrets and collections, and vault deletion.
  Vault View Only Administrator—Grants view-only secrets vault privileges to the user, enabling them to view all secrets vault data.
  
  Vault roles are add-on roles to the existing Common Services roles. You must configure them in combination with current roles. A standalone vault role can’t log in to the Cloud Identity Engine.
2. As you add new users, configure roles as necessary.
Log in to the Cloud Identity Engine.
If you have not already done so, configure users and groups using the following methods:
Select Secrets Vault.
If this is the first time using the secrets vault, complete the initial configuration.
1. Click Activate the Secrets Vault.
2. Click Create Secret.
Configure a secret.
1. Enter the Secret Name.
2. Enter the URLs that require this secret.
  
  Enter the URLs in standard RFC 3986 URI format (for example, https://www.example.com). You can configure up to 100 URLs for a single secret.
3. Enter the Username.
4. Enter the Password.
  Click the View Password (
  
  ) button to toggle visibility for the password.
5. Select the Collections if you have configured them.
  If you have not configured any collections, you can do so in the next step.
6. (Optional) Enter a Note.
  You can enter up to 1,000 characters for the note.
7. Grant Access to specific users or groups by specifying a user and access level.
  View and Use—Users can view and use the secret.
  Full Access—Users can add, edit, or delete the secret.
  Use Only—Users can use the secret.
  If there are no options available, refer to step 3.
8. Click Save.
(Optional) Configure a collection.
A collection lets you share secrets with specific users and groups.
1. Select the Collections tab.
2. If you have not created a collection before, click Create Collection. Otherwise, click Add Collection.
3. Enter the Collection Name.
4. Select the Secrets you want to include in the collection.
  You can configure up to 500 secrets for a collection.
5. (Optional) Enter a Note with additional information.
6. Grant Access by specifying users or groups and selecting the access type.
7. Click Save.
Associate a secret with a collection.
1. Select the secret.
2. Click Edit.
3. Select the Collections you want to associate with the secret.
4. Click Save.
Find more information about secrets and collections.
- Select a secret and click the Details tab to see associated collections, users and groups that can access the secret, and what type of access they have.
- Click the Look up for a user tab to enter a search query for a specific user who has access to the selected secret.
- Click the Collections tab and select a collection to view Details for the collection, including the number and names of associated secrets and when the secrets were added.
- View People with access to this collection by entering a search query and selecting a user.
Manage the secrets vault.
- Search the secrets vault by entering the search query. You can use filters to search by secret name, URL, or username. You can also specify which collections to search or search by creator name.
- Edit a secret by clicking the Edit (
  
  ) button. You can also select the secret then click Edit.
- Delete a secret by clicking the Delete (
  
  ) button and confirming the deletion.
- Change the password for a secret by selecting the secret, clicking Edit, and then, clicking Change Password. Enter the new password and click Save.
- Delete the secrets vault by clicking the Options button, selecting Delete Vault, and confirming the deletion.
  
  This action deletes the entire vault, including secrets and collections. To ensure continuation of services, verify that you have configured an alternate authentication method for any secrets vault users before completing this action.
Manage the collections.
- Search the collections by entering the search query. You can use filters to search by collection name or search by creator name.
- Edit a collection by clicking the Edit (
  
  ) button. You can also select the collection then click Edit.
- Delete a collection by clicking the Delete (
  
  ) button and confirming the deletion.