»Configuring the Vault Credential Resolver

»MID server properties

The following properties are supported by the Vault Credential Resolver:

»Configuring discovery credentials

To consume Vault credentials from your MID server, you will need to:

  • Create a secret in Vault
  • Configure the resolver to use that secret

»Creating a secret in Vault

The credential resolver supports reading credentials from the following secret engines:

When creating K/V secrets, you must use the following keys for each component so that it is correctly mapped to ServiceNow's credential fields:

Key           Description                              Supported aliases
username      The username                             access_key
password      The password                             secret_key, current_password
private_key   The private SSH key                      (none)
passphrase    The passphrase for the private SSH key   (none)

Most ServiceNow credential types will expect at least a username and either a password or a private key. To help surface errors early, the credential resolver validates that a username and password are present for:

  • aws
  • basic
  • jdbc
  • jms
  • ssh_password
  • vmware
  • windows

It also expects the following types to specify at least a username and a private key:

  • api_key
  • cfg_chef_credentials
  • infoblox
  • sn_cfg_ansible
  • sn_disco_certmgmt_certificate_ca
  • ssh_private_key

»Configuring the resolver to use a secret

In the ServiceNow UI:

  • Navigate to "Discovery - Credentials" -> New
    • Select a type from the list
    • Tick "External credential store"
    • Fill in a meaningful name
    • Set "Credential ID" to the path in Vault where your secret is located. This is the Vault API path, which is not always the same as the path you would use with the CLI: for a KV v2 secret engine mounted at "secret" with a secret stored under "ssh", the Credential ID is secret/data/ssh. Check the API docs for your secret engine if you are unsure of the path to use
    • Optional: click "Test credential", then select a MID server and a target to confirm that the credential can be retrieved from Vault and used against that target
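The key table and per-type requirements above describe what the resolver checks when it reads a secret, and the "Credential ID" step describes the path it reads from. The Python below is an added example, not code from the resolver project or from this page: it re-implements the documented alias mapping and the username/password versus username/private_key validation so a secret can be checked before a credential record is pointed at it, unwraps the KV v1 and KV v2 API response shapes (KV v2 nests the user data under data.data, which is a Vault API detail), and builds the Credential ID for a K/V secret. The function names, the sample API response and every value in it are constructed for the example.

```python
"""Pre-flight check for a Vault secret intended for the ServiceNow Vault
Credential Resolver. Added example; assumptions are marked in comments."""

# Alias -> canonical key, from the documented key table.
ALIASES = {
    "access_key": "username",
    "secret_key": "password",
    "current_password": "password",
}
CANONICAL = ("username", "password", "private_key", "passphrase")

# Credential types that must carry a username and a password.
NEEDS_PASSWORD = {"aws", "basic", "jdbc", "jms", "ssh_password", "vmware", "windows"}
# Credential types that must carry a username and a private key.
NEEDS_PRIVATE_KEY = {
    "api_key", "cfg_chef_credentials", "infoblox", "sn_cfg_ansible",
    "sn_disco_certmgmt_certificate_ca", "ssh_private_key",
}


def credential_id(mount: str, name: str, kv_version: int = 2) -> str:
    """Build the 'Credential ID' value (the Vault API path) for a K/V secret.
    KV v2 reads go through <mount>/data/<name>; KV v1 reads are <mount>/<name>."""
    mount, name = mount.strip("/"), name.strip("/")
    return f"{mount}/data/{name}" if kv_version == 2 else f"{mount}/{name}"


def unwrap_kv(response: dict) -> dict:
    """Return the key/value map from a Vault HTTP API read response.
    A KV v2 response carries data.data plus data.metadata; KV v1 puts the
    user keys directly under data."""
    data = response.get("data", {})
    if isinstance(data.get("data"), dict) and isinstance(data.get("metadata"), dict):
        return data["data"]
    return data


def normalize(secret: dict) -> dict:
    """Map aliases onto ServiceNow's credential fields, keeping only known keys.
    A canonical key already present wins over an alias for the same field."""
    out = {k: secret[k] for k in CANONICAL if k in secret}
    for alias, canonical in ALIASES.items():
        if alias in secret and canonical not in out:
            out[canonical] = secret[alias]
    return out


def validate(cred_type: str, secret: dict) -> list:
    """Return the problems the resolver would surface for cred_type.
    An empty list means the secret satisfies the documented requirements."""
    fields = normalize(secret)
    problems = []
    if not fields.get("username"):
        problems.append("missing username")
    if cred_type in NEEDS_PASSWORD and not fields.get("password"):
        problems.append("missing password (or alias secret_key/current_password)")
    if cred_type in NEEDS_PRIVATE_KEY and not fields.get("private_key"):
        problems.append("missing private_key")
    # Not in the documented checks, but a passphrase is meaningless on its own.
    if fields.get("passphrase") and not fields.get("private_key"):
        problems.append("passphrase given without private_key")
    return problems


# Constructed sample: the shape of GET /v1/secret/data/ssh for a KV v2 mount
# named "secret". The key material below is a placeholder, not a real key.
SAMPLE_KV2_RESPONSE = {
    "data": {
        "data": {
            "username": "svc-discovery",
            "private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n"
                           "-----END OPENSSH PRIVATE KEY-----\n",
            "passphrase": "constructed-passphrase",
        },
        "metadata": {"version": 1},
    }
}


def check_sample() -> list:
    """Validate the constructed KV v2 secret as an ssh_private_key credential."""
    return validate("ssh_private_key", unwrap_kv(SAMPLE_KV2_RESPONSE))


if __name__ == "__main__":
    print("Credential ID:", credential_id("secret", "ssh"))
    print("Problems:", check_sample() or "none")
    print("aws with aliases:", validate("aws", {"access_key": "AKIA-EXAMPLE", "secret_key": "x"}) or "none")
    print("windows missing password:", validate("windows", {"username": "svc"}))
```

The aws case shows why the aliases exist: an AWS secret engine style pair of access_key and secret_key is accepted as username and password without renaming. Run validate() against the unwrapped output of a real "vault read -format=json" call to check a secret before creating the credential record.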