Secret stores
You can store user credentials in HashiCorp Vault and integrate it with IBM DevOps Deploy (Deploy) so that Deploy retrieves the values from the Vault.
In Deploy, you store passwords, such as database credentials, as secured properties. These passwords are stored in the Deploy database. Instead of storing the passwords in the database, you can store them in HashiCorp Vault. HashiCorp Vault is a third-party tool that stores and controls access to passwords and other secrets critical in modern computing.
The Deploy secret store enables you to retrieve user credentials during deployment without having stored the passwords in the database. Authentication to Vault uses one of the following mechanisms:
- App Roles - A role-based authentication mechanism in which each role has a defined set of access. AppRole uses a RoleID and a SecretID as the master authentication mechanism, which allows Deploy to get the passwords that the AppRole can access. For information about the Vault AppRole, refer to the Vault AppRole auth documentation.
- LDAP Users - An LDAP-based authentication mechanism to call LDAP users from the Vault secret store. For information about the Vault LDAP, refer to the Vault LDAP auth documentation.
- Certificates - An SSL/TLS client certificate-based authentication mechanism to call certificates from the Vault secret store. For information about the Vault TLS certificate, refer to the Vault TLS certificate auth documentation.
The Deploy secret store is different from the Vault secret store. Deploy can have multiple secret stores, and each secret store in Deploy can connect to a different Vault server.
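The AppRole exchange described in the list above, sketched as an added example against the Vault HTTP API; it is not part of this documentation and not Deploy's own code. The mount names `approle` and `secret` (a KV version 2 engine), the secret path `deploy/db`, the field name `password`, and the `ROLE_ID`/`SECRET_ID` environment variable names are assumptions.

```python
import json
import urllib.request


def _call(url, token=None, body=None, timeout=10):
    """Send one JSON request to Vault and return the decoded JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    if data:
        req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    # urlopen verifies TLS certificates for https:// and raises HTTPError on 4xx/5xx.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def approle_login(addr, role_id, secret_id, mount="approle"):
    """Exchange RoleID + SecretID for a client token and its lifetime in seconds."""
    reply = _call(f"{addr}/v1/auth/{mount}/login",
                  body={"role_id": role_id, "secret_id": secret_id})
    auth = reply["auth"]
    return auth["client_token"], auth.get("lease_duration", 0)


def read_kv2(addr, token, path, mount="secret"):
    """Read one KV version 2 secret; the key/value pairs sit under data.data."""
    reply = _call(f"{addr}/v1/{mount}/data/{path}", token=token)
    return reply["data"]["data"]


def fetch_password(addr, role_id, secret_id, path, field="password"):
    """Full flow: AppRole login, read the secret, return a single field."""
    token, _ttl = approle_login(addr, role_id, secret_id)
    secret = read_kv2(addr, token, path)
    if field not in secret:
        raise KeyError(f"field {field!r} not present at {path}")
    return secret[field]


if __name__ == "__main__":
    import os
    # Hypothetical path; the value is fetched at run time and never printed.
    pw = fetch_password(os.environ["VAULT_ADDR"], os.environ["ROLE_ID"],
                        os.environ["SECRET_ID"], "deploy/db")
    print("retrieved a password of", len(pw), "characters")
```

The token is only as powerful as the policies attached to the AppRole, so a role scoped to the paths one deployment needs limits what a leaked SecretID can read.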