Delinea Secret Server


Maverics Orchestrator can retrieve secrets from Delinea Secret Server using its REST API. All secrets must be located in a single folder, and that folder must be specified in the connection URL.

To load secrets from a Delinea server, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env.

Use the following pattern:

MAVERICS_SECRET_PROVIDER="delinea://<DELINEA_HOST>?username=yourUser&password=yourPassword&folder=\\some\\folder"

Example with a DELINEA_HOST of yourAccount.secretservercloud.com:

MAVERICS_SECRET_PROVIDER="delinea://yourAccount.secretservercloud.com?username=yourUser&password=yourPassword&folder=\\maverics"

Passwords or folder names that contain special characters must be URI (percent) encoded. For example, for a user whose password is '()Pass1234&^%" the connection string would look like:

MAVERICS_SECRET_PROVIDER="delinea://yourAccount.secretservercloud.com?username=yourUser&password=%27%28%29Pass1234%26%5E%25%22&folder=\\maverics"
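The following added example (not part of the Strata documentation or the Maverics code) builds the connection string with Python's standard percent-encoding and then shows why the encoding matters: the parser below splits the string the way any standard URL/query-string parser would, which is an assumption about how such a value is read, not a description of the Orchestrator's own parser. The folder value is passed through unchanged, matching the page's examples, where the backslashes are not encoded.

```python
from urllib.parse import parse_qs, quote, urlsplit


def build_delinea_provider(host: str, username: str, password: str, folder: str) -> str:
    """Return a MAVERICS_SECRET_PROVIDER value for a Delinea Secret Server.

    Credentials are percent-encoded with safe='' so that '&', '%', '=', quotes
    and similar characters cannot be mistaken for query-string syntax.
    The folder is left as-is, as in the documented examples (folder=\\maverics).
    """
    return (
        f"delinea://{host}"
        f"?username={quote(username, safe='')}"
        f"&password={quote(password, safe='')}"
        f"&folder={folder}"
    )


def parse_delinea_provider(value: str) -> dict:
    """Split a delinea:// value into its parts using a standard URL parser.

    Assumption: this mirrors generic URL/query parsing, not Maverics' own code.
    A query parameter that was not encoded and contains '&' is truncated at the
    first '&', which is exactly the failure the encoding rule prevents.
    """
    parts = urlsplit(value)
    if parts.scheme != "delinea":
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    query = parse_qs(parts.query)
    # parse_qs returns lists; each parameter is expected exactly once here.
    return {
        "host": parts.netloc,
        "username": query.get("username", [""])[0],
        "password": query.get("password", [""])[0],
        "folder": query.get("folder", [""])[0],
    }


if __name__ == "__main__":
    # Constructed inputs taken from the page's own example.
    raw_password = "'()Pass1234&^%\""
    encoded = build_delinea_provider(
        "yourAccount.secretservercloud.com", "yourUser", raw_password, "\\\\maverics"
    )
    print(encoded)
    print(parse_delinea_provider(encoded)["password"] == raw_password)  # True

    # The same credentials pasted in unencoded: the password is cut at '&'.
    naive = (
        "delinea://yourAccount.secretservercloud.com"
        f"?username=yourUser&password={raw_password}&folder=\\\\maverics"
    )
    print(parse_delinea_provider(naive)["password"])  # '()Pass1234
```

Write the returned value into /etc/maverics/maverics.env as shown above; since the file then holds a Delinea credential in clear text, restrict it to the account that runs the Orchestrator.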

In maverics.yaml, reference a secret field with a placeholder of the form <secretName.slug>, where secretName is the name of the secret in Delinea and slug is the field's slug. Check the secret's template to find each field's slug. See an example configuration below:

connectors:
   - name: azure
     type: azure
     oidcWellKnownURL: <secretName.wellKnown>
     oauthClientID: <secretName.client-id>
     oauthClientSecret: <secretName.client-secret>
     # ...

Delinea setup for Secret Provider user

The Delinea user account that Maverics authenticates with needs the following permissions:

  • Access to the folder where the secrets are stored

  • View Secret permission

  • Administer Secret Templates permission

To set up the Maverics Secrets Provider user with only the access it needs, consider the following steps:

  • Create maverics-api-users group

  • Edit the folder permissions to allow access from the maverics-api-users group

  • Create a maverics-secret-provider role with the following permissions:

    • View Secret

    • Administer Secret Templates

  • Assign the maverics-secret-provider role to the maverics-api-users group

  • Create a maverics-secrets-user user and assign them to the maverics-api-users group

Secrets File

Strata strongly recommends using a vault as your secrets provider, even just for evaluation or test instances. The file-based options are provided for convenience only.

To load secrets from a file, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env, using the following pattern:

MAVERICS_SECRET_PROVIDER=secretfile:////etc/maverics/secrets.yaml

On Windows, the environment variable would use the following pattern:

MAVERICS_SECRET_PROVIDER=C:\Program Files\Strata Identity\Maverics\secrets.yaml

To load secrets from a file using the CLI flag, use the following pattern:

maverics -secretProvider secretfile:////etc/maverics/secrets.yaml

The file can hold any number of secrets under the secrets key:

secrets:
  oktaAPIToken: aReallyGoodToken
  oktaOAuthClientID: aReallyUniqueID
  oktaOAuthClientSecret: aReallyGoodSecret
  samlSigningCert: |+ # Multi-line values require |+.
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  saml-signing-key: |+
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
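Because a secrets file holds credentials in clear text, the two things worth checking before pointing MAVERICS_SECRET_PROVIDER at it are that the file is readable only by the account running the Orchestrator and that every placeholder in maverics.yaml has a matching entry. The pre-flight check below is an added example, not part of the Strata documentation or the Maverics code. It assumes that file-backed secrets are referenced in maverics.yaml as <secretName> (the bare key, in the same angle-bracket style the Delinea section uses), and it reads the secrets file with a deliberately small line scanner rather than a full YAML parser, which is enough for the two-space-indented layout shown above.

```python
import os
import re
import stat
import tempfile

# Keys are the two-space-indented entries under "secrets:"; the lines of a
# multi-line value (|+ block) are indented further and are skipped.
SECRET_KEY_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):")
# Assumed placeholder syntax in maverics.yaml for file-backed secrets: <name>
PLACEHOLDER_RE = re.compile(r"<([A-Za-z0-9_.-]+)>")


def secret_names(secrets_yaml_text: str) -> set:
    """Return the secret names defined under the top-level `secrets:` key."""
    names, in_secrets = set(), False
    for line in secrets_yaml_text.splitlines():
        if line.rstrip() == "secrets:":
            in_secrets = True
            continue
        if in_secrets and line.strip() and not line.startswith(" "):
            in_secrets = False  # another top-level key: left the mapping
        if in_secrets:
            m = SECRET_KEY_RE.match(line)
            if m:
                names.add(m.group(1))
    return names


def permission_problems(path: str) -> list:
    """Flag a secrets file that is not private to the current user (POSIX)."""
    problems = []
    st = os.stat(path)
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not the running user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"{path}: mode {stat.filemode(st.st_mode)} grants group/other access; expected 0600"
        )
    return problems


def check_secrets_file(secrets_path: str, config_path: str) -> list:
    """Return a list of problems; an empty list means the pre-flight check passed."""
    problems = permission_problems(secrets_path)
    with open(secrets_path, encoding="utf-8") as f:
        defined = secret_names(f.read())
    with open(config_path, encoding="utf-8") as f:
        referenced = set(PLACEHOLDER_RE.findall(f.read()))
    for name in sorted(referenced - defined):
        problems.append(f"{config_path}: placeholder <{name}> has no entry in {secrets_path}")
    return problems


# Constructed sample files mirroring the page's example layout.
SAMPLE_SECRETS = """secrets:
  oktaAPIToken: aReallyGoodToken
  oktaOAuthClientID: aReallyUniqueID
  oktaOAuthClientSecret: aReallyGoodSecret
  samlSigningCert: |+
    -----BEGIN CERTIFICATE-----
    MIIB...constructed placeholder...
    -----END CERTIFICATE-----
"""
SAMPLE_CONFIG_OK = "connectors:\n  - name: okta\n    apiToken: <oktaAPIToken>\n    oauthClientSecret: <oktaOAuthClientSecret>\n"
SAMPLE_CONFIG_MISSING = SAMPLE_CONFIG_OK + "    extra: <notInFile>\n"


def demo() -> dict:
    """Run the check against a private file, a world-readable file, and a dangling reference."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secrets = os.path.join(d, "secrets.yaml")
        cfg_ok = os.path.join(d, "maverics.yaml")
        cfg_missing = os.path.join(d, "maverics-missing.yaml")
        for path, text in ((secrets, SAMPLE_SECRETS), (cfg_ok, SAMPLE_CONFIG_OK), (cfg_missing, SAMPLE_CONFIG_MISSING)):
            with open(path, "w", encoding="utf-8") as f:
                f.write(text)
        os.chmod(secrets, 0o600)
        results["ok"] = check_secrets_file(secrets, cfg_ok)
        results["missing_ref"] = check_secrets_file(secrets, cfg_missing)
        os.chmod(secrets, 0o644)
        results["loose_mode"] = check_secrets_file(secrets, cfg_ok)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "OK")
```

Run it as the same account that runs the Orchestrator, since the ownership check compares against the current effective uid.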