Key vault secrets

Cloud agents don't support key vault secrets.

To use confidential data with Tosca Cloud, you can integrate a key vault provider. This lets you to fetch passwords or sensitive information from a key vault and use them in your tests. When you do so, Tosca Cloud uses the fetched value only for a short period of time, without storing it.

It offers the following advantages:

  • Improved secret management, as you don't need to update sensitive information in Tosca Cloud anymore.

  • Improved security, as Tosca Cloud only stores the path to the secret key.

  • Improved data protection, as sensitive information is excluded from logs or test results.

To see a list of supported key vaults, see chapter "System requirements".

Limitations

The following limitations apply when using a key vault with Tosca Cloud:

  • You can't add, update, or manipulate any secrets in your key vault with Tosca Cloud.

  • You can only fetch secrets with action mode Input or action mode Insert and data type Secret.

  • You can't combine secrets with other any other text in your test steps.

  • You can't fetch secrets in a special execution task. We recommended fetching secrets with scanned modules only.

Fetch secrets

To fetch secrets from a key vault, you must first prepare your system under test:

  • Set up the key vault on the machine where you run your tests.

  • Stay signed in to your key vault at all times during test runs.

  • For AWS Key Management Service and Azure Key Vault, keep the CLI open at all times while running your test.

After preparing the SUT, use the dynamic expression {SECRET} and the syntax for your specific key vault provider:

Enter the {SECRET[aws][<Region>][<SecretName>]} syntax to fetch secrets.

  • Optionally, replace the parameter <Region> with the name of the AWS region if you don't want to use your default region.

  • Replace the parameter <SecretName> with the AWS Secret name.

For example, {SECRET[aws][us-west-2][Username]}.

Enter the {SECRET[cyberark][<SecretPath>][<FieldName>][<CyberArkAppId>]} syntax to fetch secrets.

  • Replace the parameter <SecretPath> with the path to the secret in your CyberArk Credential Provider.

  • Replace the parameter <FieldName> with the name of the field that contains the secret.

  • Replace the parameter <CyberArkID> with the CyberArk application ID.

For example, {SECRET[cyberark][My-safe/sso-account][username][TRICENTIS_APPID]}.

Enter the {SECRET[hashicorp][<SecretPath>][<FieldName.]} syntax to fetch secrets.

  • The parameter hashicorp is optional. For backwards compatibility, Tosca Cloud uses HashiCorp if you don't specify a key vault provider. No need to update existing TestSteps that use HashiCorp Vault.

  • Replace the parameter <SecretPath> with the path to the secret inside in your HashiCorp Vault.

  • Replace the parameter <FieldName> with the name of the field that contains the secret.

For example, {SECRET[kv/database/production/pw][Password]}.

Enter the {SECRET[azure][<KeyVaultURI>][<SecretName>]} syntax to fetch secrets:

  • Replace the parameter <KeyVaultURI> with the Vault URI of your Azure Key Vault.

  • Replace the parameter <SecretName> with name of the secret in your Azure Key Vault.

  • For example, {SECRET[azure][https://examplecorp.vault.azure.net/][Password]}.

In this example, your key vault is HashiCorp Vault. You fetch the field DBPassword, which is located at kv/database/production/pw. To fetch this secret, you use the following syntax:

{SECRET[hashicorp][kv/database/production/pw][DBPassword]}

Steer MFA/SSO

You can steer MFA/SSO by generating one-time passwords (OTP) with Tosca Cloud. To do so, store the code to generate OTPs in your key vault.

Tosca Cloud only supports time-based OTPs. You can't steer MFA that relies on push notifications.

To generate a one-time password, use the dynamic expression {OTP} and the syntax for your key vault vendor.

Additional configurations

Specify a different timeout value

By default, Tosca Cloud waits 20 seconds for the key vault response before a request fails. If the default value is too short, you can specify a longer timeout value.

To do so, create a test configuration parameter (TCP) named KeyVaultCommandTimeout and specify the new timeout value in milliseconds.

Specify a different path to the key vault executable

In some cases, Tosca Cloud can't find the path to your local key vault. If this happens, you need to manually specify the path.

To do so, create a TCP named KeyVaultPath and specify the path to the key vault executable:

  • For Hashicorp, enter the path to the vault.exe file or its containing directory.

  • For CyberArk, enter the path to the folder that contains NetStandardPasswordSDK.dll or its containing directory.

Additionally, you can specify the path by using the PATH environment variable.