Key vault secrets

To use confidential data with Tosca, you can integrate a key vault provider. This lets you to fetch passwords or sensitive information from a key vault and use them in your tests. When you do so, Tosca uses the fetched value only for a short period of time, without storing it.

It offers the following advantages:

  • Improved secret management, as you don't need to update sensitive information in Tosca anymore.

  • Improved security, as Tosca only stores the path to the secret key.

  • Improved data protection, as sensitive information is excluded from logs or test results.

To see a list of supported key vaults, see chapter "System requirements".

Limitations

The following limitations apply when using a key vault with Tosca:

  • You can't add, update, or manipulate any secrets in your key vault with Tosca.

  • You can only fetch secrets with ActionMode Input or ActionMode Insert and DataType Secret.

  • You can't combine secrets with other any other text in your TestSteps.

  • You can't fetch secrets in a special execution task. We recommended fetching secrets with scanned modules only.

Fetch secrets

To fetch secrets from a key vault, you must first prepare your system under test:

  • Set up the key vault on the machine where you run your tests.

  • Stay signed in to your key vault at all times during test runs.

  • For AWS Key Management Service and Azure Key Vault, keep the CLI open at all times while running your test.

After preparing the SUT, use the dynamic expression {SECRET} and the syntax for your specific key vault provider:

Enter the {SECRET[aws][<Region>][<SecretName>]} syntax to fetch secrets.

  • Optionally, replace the parameter <Region> with the name of the AWS region if you don't want to use your default region.

  • Replace the parameter <SecretName> with the AWS Secret name.

For example, {SECRET[aws][us-west-2][Username]}.

Enter the {SECRET[cyberark][<SecretPath>][<FieldName>][<CyberArkAppId>]} syntax to fetch secrets.

  • Replace the parameter <SecretPath> with the path to the secret in your CyberArk Credential Provider.

  • Replace the parameter <FieldName> with the name of the field that contains the secret.

  • Replace the parameter <CyberArkID> with the CyberArk application ID.

For example, {SECRET[cyberark][My-safe/sso-account][username][TRICENTIS_APPID]}.

Enter the {SECRET[hashicorp][<SecretPath>][<FieldName]} syntax to fetch secrets.

  • The parameter hashicorp is optional. For backwards compatibility, Tosca uses HashiCorp if you don't specify a key vault provider. No need to update existing TestSteps that use HashiCorp Vault.

  • Replace the parameter <SecretPath> with the path to the secret inside in your HashiCorp Vault.

  • Replace the parameter <FieldName> with the name of the field that contains the secret.

For example, {SECRET[kv/database/production/pw][Password]}.

Enter the {SECRET[azure][<KeyVaultURI>][<SecretName>]} syntax to fetch secrets:

  • Replace the parameter <KeyVaultURI> with the Vault URI of your Azure Key Vault.

  • Replace the parameter <SecretName> with name of the secret in your Azure Key Vault.

  • For example, {SECRET[azure][https://examplecorp.vault.azure.net/][Password]}.

In this example, your key vault is HashiCorp Vault. You fetch the field DBPassword, which is located at kv/database/production/pw. To fetch this secret, you use the following syntax:

{SECRET[hashicorp][kv/database/production/pw][DBPassword]}

Steer MFA/SSO

You can steer MFA/SSO by generating one-time passwords (OTP) with Tosca. To do so, store the code to generate OTPs in your key vault.

Tosca only supports time-based OTPs. You can't steer MFA that relies on push notifications.

To generate a one-time password, use the dynamic expression {OTP} and the syntax for your key vault vendor.

In this example, you perform the following actions:

  • The TestStep Values E-Mail Address and Password fetch the secrets username and password. In this example, you store the username in CyberArk at My-safe/sso-account and the password in HashiCorp at kv/credentials.

  • You steer the TestStep Value Enter your MFA Code: with {OTP[cyberark][My-Safe/sso-account][password][TRICENTIS_APPID]}. This syntax expression tells Tosca to generate and insert a one-time password. Here, you have the MFA code in your CyberArk Credential Provider under My-Safe/sso-account.

  • You complete the authentication by clicking the Log in button.

Steering MFA by generating one-time passwords

Additional configurations

Specify a different timeout value

By default, Tosca waits 20 seconds for the key vault response before a request fails. If the default value is too short, you can specify a longer timeout value.

To do so, create a test configuration parameter (TCP) named KeyVaultCommandTimeout and specify the new timeout value in milliseconds.

Specify a different path to the key vault executable

In some cases, Tosca can't find the path to your local key vault. If this happens, you need to manually specify the path.

To do so, create a TCP named KeyVaultPath and specify the path to the key vault executable:

  • For Hashicorp, enter the full path to the executable file. Be sure to include the file name in the path.

  • For CyberArk, enter the directory path to the folder that contains NetStandardPasswordSDK.dll.