Skip to main content
This page covers how to configure Secrets Management for a resource role — in the Web App or via the CLI — plus the reference syntax for each supported provider: HashiCorp Vault, AWS Secrets Manager, and Env JSON.
For an introduction to what Secrets Management does, see the Secrets Management overview.
Provider credentials are read by the agent. The provider’s environment variables (for example VAULT_ADDR / VAULT_TOKEN, or AWS region and credentials) must be exposed on the machine running the agent — not on the gateway.

Configure in the Web App

When you create or edit a resource role (Setup your Resource roles), pick a Role connection method:
  • Manual Input — enter credentials directly (host, user, password, port, and other connection details).
  • Secrets Manager — fetch credentials from a secrets provider automatically.
  • AWS IAM Role — assume an IAM role to authenticate to AWS resources. This is a separate method — see RDS IAM Authentication for that flow.
Choosing Secrets Manager reveals a Secrets manager provider dropdown:
  • HashiCorp Vault — KV version 1
  • HashiCorp Vault — KV version 2
  • AWS Secrets Manager
The Web App automates the reference prefix based on the selected provider — you don’t have to type _aws: / _vaultkv1: / _vaultkv2: by hand. Each field (Host, User, Pass, Port, DB, SSL Mode) also has its own source selector, so you can mix sources within a single role — for example, pull the password from Vault while entering the host manually.
The Web App is a convenience layer over the same backend integration documented below — the prefixes it generates are exactly the per-provider syntax in the following sections. Env JSON is available only via the CLI, not in the Web App.

AWS Secrets Manager Provider

This provider allows for the expansion of environment variables from an AWS key-value secret or a literal one.

Credentials Configuration

It requires an instance profile in the agent with the permissions below: Required IAM Roles
  • secretsmanager:GetSecretValue
  • secretsmanager:GetResourcePolicy
  • secretsmanager:DescribeSecret
  • secretsmanager:ListSecretVersionIds
Make sure to export the AWS_REGION environment variable in the machine running the agent.

Syntax

  • _aws:SECRET-NAME:SECRET-KEY
A secret configured as:
Can be exposed to an environment variable in a resource role as:
  • _aws:pgprod:PG_HOST
  • _aws:pgprod:PG_PORT
Example:
  • MYSECRET=_aws:prod-secret-name:MYSECRET
The environment key value will be replaced when the user opens a session with the agent.

Testing

Create a bash resource role.
Then, execute the env command to dump the environment variables of a session.

HashiCorp Vault Provider

This provider expands environment variables from an Vault Key Value Secrets Engine. It supports versions 1 and 2.

Configuration

It requires the environment variables exported in the machine running the agent. The implementation follows the specification of the Vault Cli and it’s limited to the configuration below:
Example of how to define expose the env VAULT_CACERT

App Role Authentication

The approle auth method allows machines or apps to authenticate with Vault-defined roles. This auth method is oriented to automated workflows (machines and services), and is less useful for human operators. The agent will perform a request to POST /auth/approle/login and obtain a valid token to access secrets in Vault Key Value store. Make sure to configure the environment variables when deploying the agent:
It’s important to use batch tokens when using the App Role method. Refer to Vault App Role documentation for more information.

Testing

1

Install Vault

This step requires a Vault installation, for the sake of this documentation we recommend using a Vault development server. Check the getting started with dev server
You can use the option -dev-listen-address="0.0.0.0:8200" to expose the Vault Server to your host network.
2

Configure Secrets

  • The command below will enable and configure a secret in a KV version 1
A resource role could be mapped using the following syntax:
  • _vaultkv1:SECRETNAME:SECRET-KEY
Set this as the resource role’s field value. In the Web App, selecting HashiCorp Vault — KV version 1 as the provider applies the _vaultkv1: prefix automatically (see Configure in the Web App).
3

Testing

Go to the Webapp and run a query in this Resource Role.

Env Json Provider

This provider allows the exposure of environment variables from an agent by exposing a JSON environment variable. It is useful for maintaining compatibility with older runops agents.

Syntax

  • _envjson:MYJSON_ENV:ENVKEY
So an environment variable configured in an agent:
  • ENV_CONFIG='{"PG_HOST": "127.0.0.1", "PG_DB": "testdb"}'
Can be exposed to an environment variable in a resource role as:
  • _envjson:ENVCONFIG:PG_HOST

Testing

Create a bash resource role.
Then, execute the env command to dump the environment variables of a session.