Steps to configure an external credential vault in RPA Hub

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Steps to configure an external credential vault in RPA Hub

    This guide provides a structured approach to configure an external credential vault in ServiceNow's RPA Hub, enabling secure integration and credential management via an external vault like CyberArk. Following these steps ensures proper setup, alignment with required JSON schemas, and secure connection establishment to leverage external credential storage.

    Show full answer Show less

    Step 1: Create a Subflow for External Vault Integration

    • Create a subflow in Workflow Studio designed to interact with your external credential vault, using the sample Demo CyberArk Subflow as a reference.
    • The subflow must accept input in JSON format, typically containing appID and query keys, to receive parameters from robot credentials, application credentials, or TOTP authenticators.
    • Use REST or alternative integration steps (such as SOAP) within the subflow to communicate with the external vault.
    • Ensure the subflow output strictly complies with the specified JSON schema, which includes a result object detailing status ("success" or "failure"), credential data (including mandatory sensitiveValue), or error information. Non-compliance will cause validation errors.
    • Define the subflow output JSON structure explicitly with either a success or failure response format to align with RPA GraphQL API requirements.

    Step 2: Create an External Credential Vault Record

    Create a record in RPA Hub representing your external credential vault. Use the Demo CyberArk vault as a template to properly configure this record.

    Step 3: Establish a Secure Connection

    • Configure a connection record within ServiceNow’s Connections and Credentials module to link the RPA Hub with your external vault.
    • Ensure this connection complies with your organizational security standards.
    • Reference the Demo CyberArk Subflow which uses a specific connection and credential alias for CyberArk integration.

    Step 4: Configure Credentials to Use the External Vault

    • In robot credential, application credential, or TOTP authenticator records, enable the External Credential checkbox.
    • Select the external credential vault record created in Step 2.
    • Populate the Subflow Input field with a valid JSON object that contains necessary parameters to retrieve credentials from the external vault.
    • Refer to respective guides on creating robot credentials, application credentials, and TOTP authenticators within RPA Hub for detailed configuration instructions.

    Key Outcomes

    • Secure and standardized integration of external credential vaults with RPA Hub, allowing robots and applications to retrieve sensitive credentials without hardcoding them.
    • Validation of subflow input and output ensures reliable communication and error handling between RPA Hub and the credential vault.
    • Maintains organizational security compliance by leveraging ServiceNow’s connection management and credential aliasing.

    Use this list of steps to guide you through all the tasks of configuring an external credential vault in RPA Hub.

    Complete all the tasks for a step before moving on to the next step.

    Do the steps in the order that they’re presented.

    Table 1. Steps to configure an external credential vault in RPA Hub
    Task Reference
    1. Create a subflow to integrate your external credential vault. For more information, see Create a subflow in Workflow Studio. For reference, see the sample Demo CyberArk Subflow in your ServiceNow instance.
    1.A. Verify that the subflow that you’re creating to integrate with the External Credential Vault, must have an input type as JSON.

    This input takes the value from the Subflow Input field of the Robot Credential, Application Credential, or Time-based One-time Password (TOTP) Authenticator.

    For example, the robot credential or application credential or TOTP authenticators that are using the Demo CyberArk external credential vault, must align with the following JSON format:

    { 
"appID" : "",
"query" : ""
}
    Populate values for appID and query.
    1.B. You can use the REST Step in the subflow to connect with the external credential vault. You can also use other integration steps such as SOAP. For more information, see Workflow Studio steps.
    1.C. Verify that the output of your subflow must be aligned with the following JSON schema.
    {
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "properties": {
        "result": {
            "type": "object",
            "properties": {
                "status": {
                    "type": "string",
                    "enum": ["success", "failure"]
                },
                "data": {
                    "type": "object",
                    "properties": {
                        "username": {
                            "type": "string"
                        },
                        "sensitiveValue": {
                            "type": "string"
                        },
                        "additionalData": {
                            "type": "object"
                        }
                    },
                    "required": ["sensitiveValue"]
                },
                "error": {
                    "type": "object",
                    "properties": {
                        "errorType": {
                            "type": "string"
                        },
                        "errorMessage": {
                            "type": "string"
                        },
                        "additionalErrorData": {
                            "type": "object"
                        }
                    },
                    "required": ["errorMessage"]
                }
            },
            "required": ["status"]
        }
    },
    "required": ["result"]
};
    		 This schema is used by the Robotic Process Automation (RPA) GraphQL APIs to validate the subflow output. If the output isn’t aligned with this schema, an error is encountered.

    Error Message: The JSON received from the subflow deviates from the expected JSON schema. Rectify the JSON structure by aligning it with the specified schema in the documentation.
    1.D. You can align with the expected JSON schema (mentioned in 1.C) by defining a JSON output with the name 'result' for the Subflow. For success status, this result output must be assigned with a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and sensitiveValue keys are required.
    {
  "status": "success", //Mandatory
  "data": {
    "username": "",
    "sensitiveValue": "" //Mandatory
    "additionalData": {}
  }
}

    For failure status, this result output must be assigned with a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and errorMessage keys are required.

    {
  "status": "failure", //Mandatory
  "error": {
    "errorType": "",
    "errorMessage": "", //Mandatory
     "additionalErrorData": {}
  }
}
    2. Create an external credential vault record. For more information, see Create an external credential vault record in RPA Hub. For reference, see the sample Demo CyberArk external credential vault in your ServiceNow instance.
    3. Establish a connection with an external credential vault by using the ServiceNow Connections and Credentials. For more information about creating an active connection, see Create an HTTP(s) connection.

    While configuring the connection record, verify to align with your organizational security requirements.

    		 For reference, see the sample Demo CyberArk Subflow that uses RPA CyberArk connection and credential alias.

    Create a connection record in this connection and credential alias to establish connection with your CyberArk external vault.
    4. To use the external credential vault record, that you created in step 2, navigate to either robot credential, application credential, or TOTP authenticator and select the External Credential check box.

    Also, select a record in the External Credential Vault field and populate the Subflow Input field with a valid JSON object. The JSON must contain the necessary information for retrieving credentials from the external credential vault.

    		 For more information about configuring these fields, see Create a robot credential in RPA Hub, Create an application credential in RPA Hub, and Create a TOTP authenticator in RPA Hub.