MicroStrategy ONE
Create, Edit, and Delete Vault Connections
MicroStrategy ONE (December 2024) adds support for HashiCorp and Amazon Web Services (AWS) vault connection types.
MicroStrategy ONE (September 2024) introduces the ability to create, edit, and delete vault connections. It facilitates the creation of database logins based on vault secrets retrieved from CyberArk Central Credential Provider.
Use vault connections to allow the MicroStrategy Intelligence Server to retrieve data from your externally stored credentials. Vault connections let you store credentials inside your corporate systems rather than in MicroStrategy, to maintain the confidentiality, integrity, and availability of sensitive information.
Prerequisites
To manage vault-based database logins, you need the Create and edit vault connections privilege.
Create a CyberArk Vault Connection
- Open the Workstation window.
- In the Navigation pane, click Data Sources.
- Click Vault Connections to view all vault connections.
- Click Add New Vault Connection.
- Enter values in the following fields:
  - Name: Type a name for your connection.
  - Type: Choose CyberArk.
  - URL: Enter your CyberArk environment URL.
  - Safe Name: Type the name of the CyberArk safe you want to connect to.
  - Authentication Mode: Choose Mutual TLS.
  - Client Certificate: Click Select a File, select your certificate file, and click Open.
  - Client Key: Click Select a File, select your certificate file, and click Open.
- Click Save.
CyberArk Central Credential Provider may utilize caching for improved performance. See CyberArk’s official documentation for more details. If caching is enabled, run the following command to refresh the cache after adding or updating database credentials in CyberArk.
AppPrvMgr.exe RefreshCache
Create a HashiCorp Vault Connection
MicroStrategy supports reading Key-Value (KV) secret engines (version 1 and 2) and database secret engines with static roles from HashiCorp Vault Community Edition, HashiCorp Cloud Platform Vault Dedicated, or HashiCorp Vault Enterprise. For HashiCorp vault connection considerations, see HashiCorp Vault Connection Considerations.
- Open the Workstation window.
- In the Navigation pane, click Data Sources.
- Click Vault Connections to view all vault connections.
- Click Add New Vault Connection.
- Enter values in the following fields:
  - Name: Type a name for your connection.
  - Type: Choose HashiCorp Vault Community Edition, HashiCorp Cloud Platform Vault Dedicated, or HashiCorp Vault Enterprise.
  - URL: Enter your HashiCorp environment URL.
  - Namespace: Type your HashiCorp namespace. This option is only available for HashiCorp Cloud Platform Vault Dedicated and HashiCorp Vault Enterprise.
    For more information on HashiCorp namespaces, see HCP Vault Dedicated Namespace Considerations.
  - Secret Path: Enter the path where your HashiCorp secrets are stored.
  - Authentication Mode: Choose Mutual TLS.
  - Client Certificate: Click Select a File, select your certificate file, and click Open.
  - Client Key: Click Select a File, select your certificate file, and click Open.
  - CA Certificate: Click Select a File, select your certificate file, and click Open.
    For more information on creating certificates, see Central Credential Provider Web Service Configuration.
- Click Save.
HashiCorp Vault Connection Considerations
- TLS certificate authentication is disabled out-of-the-box by HashiCorp for HashiCorp Cloud Platform Vault Dedicated environments. Therefore, ensure you submit a support request and follow TLS Certificate Authentication to enable TLS authentication.
- When using Key-Value (KV) secret engines, ensure the database credential is saved in the username and password keys. See the following example for the sampleKVSecretEngine secret path and sampleSecret secret name where the username and password are saved in the engine keys.
- Ensure that the secret name is non-nested for all HashiCorp versions. For example, you can use secretName but not secretName/subpath.
Create an Amazon Web Services (AWS) Secrets Manager Vault Connection
MicroStrategy uses Access Key authentication mode, which is based on Identity Access Management (IAM), to get secrets from AWS. For AWS Secrets Manager vault connection considerations, see AWS Secret Manager Vault Connection Considerations.
- Open the Workstation window.
- In the Navigation pane, click Data Sources.
- Click Vault Connections to view all vault connections.
- Click Add New Vault Connection.
- Enter values in the following fields:
  - Name: Type a name for your connection.
  - Type: Choose AWS Secrets Manager.
  - Authentication Mode: Choose Access Key.
  - Region: Choose the vault AWS region.
  - Access Key ID: Enter your AWS access key ID.
  - Secret Access Key: Enter your AWS secret access key.
    For more information on AWS access keys, see Manage access keys for IAM users. For more information on granting permission for AWS Secrets Manager, see Authentication and Access Control for AWS Secrets Manager.
- Click Save.
AWS Secret Manager Vault Connection Considerations
Database and other secret types are supported for AWS Secrets Manager. For other secret types, use username and password key/value pairs to store your database credentials.
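The key layout required by the HashiCorp and AWS considerations above can be checked before a database login is pointed at a secret. The following Python sketch is an added example, not MicroStrategy code: the function names, the kind labels, and the sample responses are constructed for illustration, and it assumes the raw JSON shapes returned by a Vault KV v1/v2 read and by AWS GetSecretValue.

```python
import json

REQUIRED_KEYS = ("username", "password")  # key names the considerations require


def extract_fields(kind, response):
    """Return the key/value dict of a secret from a raw read response."""
    if kind == "hashicorp-kv1":
        # KV v1 read: fields sit directly under "data".
        return response.get("data") or {}
    if kind == "hashicorp-kv2":
        # KV v2 read: fields are nested one level deeper, beside "metadata".
        return (response.get("data") or {}).get("data") or {}
    if kind == "aws-other":
        # AWS GetSecretValue: "SecretString" is itself a JSON document.
        try:
            fields = json.loads(response.get("SecretString") or "")
        except (json.JSONDecodeError, TypeError):
            return {}
        return fields if isinstance(fields, dict) else {}
    raise ValueError(f"unknown secret kind: {kind}")


def check_secret(kind, secret_name, response):
    """List how a secret departs from the layout described above (names only, no values)."""
    problems = []
    # The non-nested rule is stated for HashiCorp secret names only.
    if kind.startswith("hashicorp") and "/" in secret_name.strip("/"):
        problems.append(f"secret name '{secret_name}' is nested")
    fields = extract_fields(kind, response)
    for key in REQUIRED_KEYS:
        value = fields.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"key '{key}' is missing or empty")
    return problems


# Constructed sample responses (not real credentials).
KV2_OK = {"data": {"data": {"username": "svc_bi", "password": "example-only"},
                   "metadata": {"version": 3}}}
KV1_WRONG_KEYS = {"data": {"user": "svc_bi", "pass": "example-only"}}
AWS_OK = {"Name": "sampleSecret",
          "SecretString": json.dumps({"username": "svc_bi", "password": "example-only"})}

if __name__ == "__main__":
    for kind, name, resp in [("hashicorp-kv2", "sampleSecret", KV2_OK),
                             ("hashicorp-kv1", "secretName/subpath", KV1_WRONG_KEYS),
                             ("aws-other", "sampleSecret", AWS_OK)]:
        print(kind, name, check_secret(kind, name, resp) or "ok")
```

Reading a KV v2 response with the KV v1 layout reports both keys as missing, which is a quick way to spot an engine-version mismatch.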
Modify an Existing Vault Connection
- To edit or delete a vault connection object, right-click it in the grid and choose Edit or Delete.
- To view general properties, the change journal, or security access for modifying ACLs, right-click a vault connection object and choose Properties.
- Click OK.
Related Topic
Create, Edit, and Delete Standalone Database Connections and Database Logins