HashiCorp Vault is a credential store that handles the security and compliance layer by storing credentials. Standardization and consistency are the key benefits that customers get from using vault in general and together with ServiceNow ITOM Applications.
The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier from the instance, and then uses a “Credential Resolver” to resolve the identifier from the repository into a usable credential.
Vault can now integrate with ServiceNow for credential management with the Vault Credential Resolver integration now available in the ServiceNow App Store OOTB, more details are below –
https://www.hashicorp.com/blog/hashicorp-vault-integrates-with-servicenow-for-credential-management
There is an amazing video available on youtube which explains the integration step by step and might just answer any query you may have at this moment -
Video - Product Demo of vault working with ServiceNow
Prerequisites
- ServiceNow version Quebec+ (untested on previous versions)
- MID server version Quebec+ (untested on previous versions)
- Discovery and external credential plugins activated on ServiceNow
- Working Vault deployment accessible from the MID server
HashiCorp team to follow these steps to configure the vault -
- Select your desired auth method from Agent's supported auth methods and set it up in Vault
For example, to set up AppRole auth and a role called role1 with the demo policy attached:
vault auth enable approle
vault write auth/approle/role/role1 bind_secret_id=true token_policies=demo
To get the files required for the example Agent config below, you can then run:
echo -n $(vault read -format json auth/approle/role/role1/role-id | jq -r '.data.role_id') > /path/to/roleID
echo -n $(vault write -format json -f auth/approle/role/role1/secret-id | jq -r '.data.secret_id') > /path/to/secretID
- Create an agent.hcl config file. Your exact configuration may vary, but you must set use_auto_auth_token = true, and the listener, vault, and auto_auth blocks are also required to set up a working Agent, e.g.:
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = false
tls_cert_file = "/path/to/cert.pem"
tls_key_file = "/path/to/key.pem"
}
cache {
use_auto_auth_token = true
}
vault {
address = "http://vault.example.com:8200"
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/path/to/roleID"
secret_id_file_path = "/path/to/secretID"
remove_secret_id_file_after_reading = false
}
}
}
- Install Vault Agent as a service running vault agent -config=/path/to/agent.hcl
Documentation for Windows service installation here
ServiceNow to configure the following –
- Install the application from the SN store
- Uploading JAR file to MID server
- Download the latest version of the Vault Credential Resolver JAR file from releases.hashicorp.com
- In ServiceNow, navigate to "MID server - JAR files" -> New
- Manage Attachments -> upload Vault Credential Resolver JAR
- Fill in name, version, etc as desired
- Click Submit
- Navigate to "MID server - Properties" -> New
- Set Name: external_credentials.vault.address, Value: Address of Vault Agent listener from previous step, e.g. http://127.0.0.1:8200
- Optional: Set the property mid.external_credentials.vault.ca to the trusted CA in PEM format if using TLS between the MID Server and Vault Agent with a self-signed certificate.
Vault Agent Auto-Auth Methods
To setup credentials in HashiCorp which can be referred by ServiceNow, the HashiCorp team needs to follow these steps based on the credential type -
https://www.vaultproject.io/docs/agent/autoauth
Architecture
If the article has helped you, please bookmark it or mark the answer as helpful. Also please share your feedback in the comments.
Thank you
Harneet
