Strategy ONE

Create, Edit, and Delete Vault Connections

Strategy One (March 2025) adds support for Azure Key Vault, Google Secret Manager, and HashiCorp Cloud Platform Vault Secrets (Non-Dedicated).

MicroStrategy ONE (December 2024) adds support for HashiCorp and Amazon Web Services (AWS) vault connection types.

MicroStrategy ONE (September 2024) introduces the ability to create, edit, and delete vault connections. It facilitates the creation of database logins based on vault secrets retrieved from CyberArk Central Credential Provider.

Use vault connections to allow the Strategy Intelligence Server to retrieve data using credentials that are stored externally. Vault connections let you keep credentials inside your corporate secret-management systems rather than in Strategy, which helps maintain the confidentiality, integrity, and availability of sensitive information.

See the following supported vault connections:

Prerequisites

To manage vault-based database logins, you need the Create and edit vault connections privilege.

Create an Amazon Web Services (AWS) Secrets Manager Vault Connection

Strategy uses Access Key authentication mode, which is based on AWS Identity and Access Management (IAM), to get secrets from AWS. For AWS Secrets Manager vault connection considerations, see AWS Secret Manager Vault Connection Considerations.

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click Vault Connections to view all vault connections.

  4. Click Add New Vault Connection.

  5. Enter values in the following fields:

    • Name: Type a name for your connection.

    • Type: Choose AWS Secrets Manager.

    • Authentication Mode: Choose Access Key.

    • Region: Choose the vault AWS region.

    • Access Key ID: Enter your AWS access key ID.

    • Secret Access Key: Enter your AWS secret access key.

      For more information on AWS access keys, see Manage access keys for IAM users. For more information on granting permission for AWS Secrets Manager, see Authentication and Access Control for AWS Secrets Manager.

  6. Click Save.

AWS Secret Manager Vault Connection Considerations

Both the Database secret type and other secret types are supported for AWS Secrets Manager. For secret types other than Database, store your database credentials as username and password key/value pairs.

Create an Azure Vault Connection

Prerequisites

Strategy requires a Service Principal with certificate-based authentication for each Azure key vault connection.

To create the service principal:

  1. Create the service principal using certificate-based authentication. For more information, see Register a Microsoft Entra App and Create a Service Principal.

  2. Use Azure's role-based access control to assign the Key Vault Reader role to the service principal you just created. For more information, see Provide Access to Key Vault Keys, Certificates, and Secrets with Azure Role-based Access Control.

Create an Azure Vault Connection

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click Vault Connections to view all vault connections.

  4. Click Add New Vault Connection.

  5. Enter values in the following fields:

    • Name: Type a name for your connection.

    • Type: Choose Azure Key Vault.

    • URL: Enter your Azure environment URL.

    • Authentication Mode: Choose Service Principal with Certificate.

    • Tenant ID: Enter your Azure Directory (tenant) ID.

    • Client ID: Enter your Azure Application (client) ID.

      For more information on Azure tenant and client IDs, see Register an App in Your External Tenant.

    • Client Certificate: Click Select a File, select your certificate file, and click Open.

      Click Remove or Replace to delete or upload a new file.

    • Client Key: Click Select a File, select your certificate file, and click Open.

      Click Remove or Replace to delete or upload a new JSON file.

      For more information on Azure keys, see Azure Keys Documentation.

  6. Click Save.

Azure Key Vault Considerations

  • The secret that includes the username and password for your database must use the following format: {"username": "my-username", "password": "my-password"}.

  • Up to 250 Azure Key Vault secrets per service principal are supported. If you have more than 250 secrets, create an additional service principal with certificate-based authentication. For example, service-principal-app-a can be created for the first 250 secrets and service-principal-app-b can be created for an additional 250 secrets.

Create a CyberArk Vault Connection

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click Vault Connections to view all vault connections.

  4. Click Add New Vault Connection.

  5. Enter values in the following fields:

    • Name: Type a name for your connection.

    • Type: Choose CyberArk.

    • URL: Enter your CyberArk environment URL.

    • Safe Name: Type the name of the CyberArk safe you want to connect to.

    • Authentication Mode: Choose Mutual TLS.

    • Client Certificate: Click Select a File, select your certificate file, and click Open.

    • Client Key: Click Select a File, select your certificate file, and click Open.

  6. Click Save.

    CyberArk Central Credential Provider may utilize caching for improved performance. See CyberArk’s official documentation for more details. If caching is enabled, run the following command to refresh the cache after adding or updating database credentials in CyberArk.

    AppPrvMgr.exe RefreshCache

Create a Google Secret Manager Vault Connection

Prerequisites

Strategy requires a Service Account with Secret Keys for each Google Secret Manager connection.

To create a service account with secret keys for each Google Secret Manager connection:

  1. Create a new service account. For more information, see Create Service Accounts.

  2. Assign the account with a secret key. For more information, see Create and Delete Service Account Keys.

    Save the Secret Key JSON. You will need it to create your vault connection.

  3. Grant the service account a secret manager secret accessor role for the corresponding secrets. For more information, see Grant Access.

Create a Google Secret Manager Vault Connection

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click Vault Connections to view all vault connections.

  4. Click Add New Vault Connection.

  5. Enter values in the following fields:

    • Name: Type a name for your connection.

    • Type: Choose Google Secret Manager.

    • Authentication Mode: Choose Service Account Key.

    • Service Account Key: Click Select a File, select your service account credential file, and click Open.

      After you upload the file, click View JSON File to preview the file. Click Remove or Replace to delete or upload a new JSON file.

  6. Click Save.

Google Secret Manager Considerations

The secret that includes the username and password for your database must use the following JSON format: {"username": "my-username", "password": "my-password"}.

Create a HashiCorp Vault Connection

Strategy supports reading Key-Value (KV) secret engines (version 1 and 2) and database secret engines with static roles from HashiCorp Vault Community Edition, HashiCorp Cloud Platform Vault Dedicated, or HashiCorp Vault Enterprise. For HashiCorp vault connection considerations, see HashiCorp Vault Connection Considerations.

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click Vault Connections to view all vault connections.

  4. Click Add New Vault Connection.

  5. Enter values in the following fields:

    • Name: Type a name for your connection.

    • Type: Choose HashiCorp Vault Community Edition, HashiCorp Cloud Platform Vault Dedicated, or HashiCorp Vault Enterprise.

    • URL: Enter your HashiCorp environment URL.

    • Namespace: Type your HashiCorp namespace. This option is only available for HashiCorp Cloud Platform Vault Dedicated and HashiCorp Vault Enterprise.

      For more information on HashiCorp namespaces, see HCP Vault Dedicated Namespace Considerations.

    • Secret Path: Enter the path where your HashiCorp secrets are stored.

    • Authentication Mode: Choose Mutual TLS.

    • Client Certificate: Click Select a File, select your certificate file, and click Open.

    • Client Key: Click Select a File, select your certificate file, and click Open.

    • CA Certificate: Click Select a File, select your certificate file, and click Open.

      For more information on creating certificates, see Central Credential Provider Web Service Configuration.

  6. Click Save.

Create a HashiCorp Cloud Platform Vault Secrets Non-Dedicated Vault Connection

Before you create a HashiCorp Cloud Platform (HCP) Vault Secrets Connection, you must create a service principal key pair and assign it the Vault Secrets App Secret Reader role. For more information, see Retrieve HCP Organization and Project ID.

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click Vault Connections to view all vault connections.

  4. Click Add New Vault Connection.

  5. Enter values in the following fields:

    • Name: Type a name for your connection.

    • Type: Choose HashiCorp Cloud Platform Vault Secrets (Non-Dedicated).

    • Organization ID: Enter your HashiCorp organization ID.

    • Project ID: Enter your HashiCorp project ID.

    • Application Name: Type your HashiCorp application name.

    • Authentication Mode: Choose Access Key.

    • Client ID: Enter your HashiCorp client ID.

    • Client Secret: Type your HashiCorp client secret.

  6. Click Save.

HashiCorp Vault Connection Considerations

  • Strategy only supports static secrets. The secret that includes the username and password must use the following JSON format: {"username": "my-username", "password": "my-password"}.

  • The HCP Vault Secrets connection may fail with an error message. This failure occurs when the operating system's trust store does not contain the Certificate Authority (CA) certificate that is needed to connect to the HCP server.

    To fix the issue:

    1. Download the CA certificate into an hcp-cacert.pem file using the following command:

      echo quit | openssl s_client -connect api.cloud.hashicorp.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hcp-cacert.pem

    2. Add the certificate to your operating system's trust store.

      If you are using Windows, see Import the Certificate into the Local Computer Store for more information.

      If you are using Linux, see How to Configure Your CA Trust List in Linux for more information.

  • TLS certificate authentication is disabled out-of-the-box by HashiCorp for HashiCorp Cloud Platform Vault Dedicated environments. Therefore, ensure you submit a support request and follow TLS Certificate Authentication to enable TLS authentication.

  • When using Key-Value (KV) secret engines, ensure the database credential is saved in the username and password keys. See the following example for the sampleKVSecretEngine secret path and sampleSecret secret name, where the username and password are saved in the engine keys.

  • Ensure that the secret name is non-nested for all HashiCorp versions. For example, you can use secretName but not secretName/subpath.
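As an added pre-flight check that is not part of this documentation, the following Python script validates a secret name against the non-nested rule and a retrieved secret payload against the {"username": ..., "password": ...} JSON format required by the Azure, Google, and HashiCorp considerations above. The KV v1/v2 response unwrapping is an assumption about HashiCorp's KV read API, not something this page states; the sample values are constructed.

```python
import json

REQUIRED_KEYS = ("username", "password")


def validate_secret_name(name):
    """Problems with a secret name (empty list means acceptable). Enforces the
    non-nested rule: 'secretName' is fine, 'secretName/subpath' is not."""
    if not name or not name.strip():
        return ["secret name is empty"]
    if "/" in name:
        return [f"secret name {name!r} is nested; a flat name is required"]
    return []


def unwrap_kv_read(response, kv_version):
    """Pull the key/value map out of a HashiCorp KV read response. Assumption (not
    from the page): v1 returns {"data": {...}}, v2 returns {"data": {"data": {...}}}."""
    body = response.get("data", {})
    if kv_version == 2:
        body = body.get("data", {})
    return body


def validate_credential_payload(payload):
    """Check that a secret is the flat object {"username": "...", "password": "..."}.
    Accepts a JSON string or a parsed dict; returns a list of problems."""
    if isinstance(payload, str):
        try:
            data = json.loads(payload)
        except ValueError as exc:
            return [f"payload is not valid JSON: {exc}"]
    else:
        data = payload
    if not isinstance(data, dict):
        return [f"payload must be a JSON object, got {type(data).__name__}"]
    problems = []
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append(f"missing required key {key!r}")
        elif not isinstance(data[key], str) or not data[key]:
            problems.append(f"key {key!r} must be a non-empty string")
    # The documented key names are lowercase; flag other casing so the mismatch is visible.
    for key in data:
        if key.lower() in REQUIRED_KEYS and key not in REQUIRED_KEYS:
            problems.append(f"key {key!r} uses unexpected casing; expected {key.lower()!r}")
    return problems


# Constructed sample values (not real credentials) for a local pre-flight check.
SAMPLE_OK = '{"username": "my-username", "password": "my-password"}'
SAMPLE_KV2 = {"data": {"data": {"username": "app", "password": "pw"}, "metadata": {"version": 3}}}
```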

Modify an Existing Vault Connection

  1. To edit or delete a vault connection object, right-click it in the grid and choose Edit or Delete.

  2. To view general properties, the change journal, or security access for modifying ACLs, right-click a vault connection object and choose Properties.

  3. Click OK.

Related Topic

Create, Edit, and Delete Standalone Database Connections and Database Logins