Steps to configure an external credential vault in RPA Hub

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 7 minutes
  • Use this list of steps to guide you through all the tasks of configuring an external credential vault in RPA Hub.

    Complete all the tasks for a step before moving on to the next step.

    Do the steps in the order that they’re presented.

    Table 1. Steps to configure an external credential vault in RPA Hub
    Task Reference
    1. Create a subflow to integrate your external credential vault. For more information, see Create a subflow in Workflow Studio. For reference, see the sample Demo CyberArk Subflow in your ServiceNow instance.
    1.A. Verify that the subflow that you’re creating to integrate with the external credential vault has an input of type JSON.

    This input takes the value from the Subflow Input field of the Robot Credential, Application Credential, or Time-based One-time Password (TOTP) Authenticator.

    For example, robot credentials, application credentials, or TOTP authenticators that use the Demo CyberArk external credential vault must align with the following JSON format:

    {
    "appID" : "",
    "query" : ""
    }
    Populate values for appID and query.
    1.B. You can use the REST Step in the subflow to connect with the external credential vault. You can also use other integration steps such as SOAP. For more information, see Workflow Studio steps.
    1.C. Verify that the output of your subflow aligns with the following JSON schema.
    {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "type": "object",
        "properties": {
            "result": {
                "type": "object",
                "properties": {
                    "status": {
                        "type": "string",
                        "enum": ["success", "failure"]
                    },
                    "data": {
                        "type": "object",
                        "properties": {
                            "username": {
                                "type": "string"
                            },
                            "sensitiveValue": {
                                "type": "string"
                            },
                            "additionalData": {
                                "type": "object"
                            }
                        },
                        "required": ["sensitiveValue"]
                    },
                    "error": {
                        "type": "object",
                        "properties": {
                            "errorType": {
                                "type": "string"
                            },
                            "errorMessage": {
                                "type": "string"
                            },
                            "additionalErrorData": {
                                "type": "object"
                            }
                        },
                        "required": ["errorMessage"]
                    }
                },
                "required": ["status"]
            }
        },
        "required": ["result"]
    }
    This schema is used by the Robotic Process Automation (RPA) GraphQL APIs to validate the subflow output. If the output isn’t aligned with this schema, an error is encountered.

    Error Message: The JSON received from the subflow deviates from the expected JSON schema. Rectify the JSON structure by aligning it with the specified schema in the documentation.

    1.D. You can align with the expected JSON schema (mentioned in 1.C) by defining a JSON output with the name 'result' for the subflow. For success status, this result output must be assigned a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and sensitiveValue keys are required.
    {
      "status": "success", //Mandatory
      "data": {
        "username": "",
        "sensitiveValue": "", //Mandatory
        "additionalData": {}
      }
    }

    For failure status, this result output must be assigned a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and errorMessage keys are required.

    {
      "status": "failure", //Mandatory
      "error": {
        "errorType": "",
        "errorMessage": "", //Mandatory
        "additionalErrorData": {}
      }
    }
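
A pre-check for the subflow output described in 1.C and 1.D, written as an added example (not ServiceNow code). It assumes the full output is an object with a `result` key, applies the per-status requirements from 1.D on top of the schema, and masks `sensitiveValue` before anything is logged; the function names and the sample value are constructed for illustration.

```javascript
// Added example: checks a subflow 'result' output against the rules in 1.C and 1.D.
// Function names and sample values are constructed for illustration.
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Type rules taken from the schema in 1.C: key -> expected type.
const DATA_KEYS = { username: 'string', sensitiveValue: 'string', additionalData: 'object' };
const ERROR_KEYS = { errorType: 'string', errorMessage: 'string', additionalErrorData: 'object' };

function checkSection(section, name, rules, requiredKey, errors) {
  if (!isObj(section)) { errors.push(`${name} must be an object`); return; }
  if (!(requiredKey in section)) errors.push(`${name}.${requiredKey} is required`);
  for (const [key, type] of Object.entries(rules)) {
    if (!(key in section)) continue;
    const ok = type === 'object' ? isObj(section[key]) : typeof section[key] === type;
    if (!ok) errors.push(`${name}.${key} must be of type ${type}`);
  }
}

// Returns a list of problems; an empty list means the output is acceptable.
function validateSubflowOutput(output) {
  const errors = [];
  if (!isObj(output) || !isObj(output.result)) return ['result must be an object'];
  const { status, data, error } = output.result;
  if (status !== 'success' && status !== 'failure') {
    errors.push('result.status must be "success" or "failure"');
  }
  // 1.C validates data/error only when present; 1.D expects them per status.
  if (data !== undefined || status === 'success') {
    checkSection(data, 'result.data', DATA_KEYS, 'sensitiveValue', errors);
  }
  if (error !== undefined || status === 'failure') {
    checkSection(error, 'result.error', ERROR_KEYS, 'errorMessage', errors);
  }
  return errors;
}

// Copy of the output that is safe to write to a log: the secret is masked.
function redactForLog(output) {
  const copy = JSON.parse(JSON.stringify(output));
  if (isObj(copy.result) && isObj(copy.result.data) && 'sensitiveValue' in copy.result.data) {
    copy.result.data.sensitiveValue = '***';
  }
  return copy;
}

// Constructed sample: a success output that omits the mandatory sensitiveValue.
const sample = { result: { status: 'success', data: { username: 'svc_bot' } } };
console.log(validateSubflowOutput(sample));
```
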
    2. Create an external credential vault record. For more information, see Create an external credential vault record in RPA Hub. For reference, see the sample Demo CyberArk external credential vault in your ServiceNow instance.
    3. Establish a connection with an external credential vault by using the ServiceNow Connections and Credentials. For more information about creating an active connection, see Create an HTTP(s) connection.

    While configuring the connection record, verify that it aligns with your organizational security requirements.

    For reference, see the sample Demo CyberArk Subflow that uses RPA CyberArk connection and credential alias.

    Create a connection record in this connection and credential alias to establish a connection with your CyberArk external vault.

    4. To use the external credential vault record that you created in step 2, navigate to the robot credential, application credential, or TOTP authenticator and select the External Credential check box.

    Also, select a record in the External Credential Vault field and populate the Subflow Input field with a valid JSON object. The JSON must contain the necessary information for retrieving credentials from the external credential vault.

    For more information about configuring these fields, see Create a robot credential in RPA Hub, Create an application credential in RPA Hub, and Create a TOTP authenticator in RPA Hub.