Maverics Orchestrator can retrieve secrets from the Delinea Secret Server using its REST API. All the secrets must be co-located in a single folder, which must be specified in the connection URL.
To load secrets from a Delinea server, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env.
Use the following pattern:
MAVERICS_SECRET_PROVIDER="delinea://<DELINEA_HOST>?username=yourUser&password=yourPassword&folder=\\some\\folder"
Example with a DELINEA_HOST of yourAccount.secretservercloud.com:
MAVERICS_SECRET_PROVIDER="delinea://yourAccount.secretservercloud.com?username=yourUser&password=yourPassword&folder=\\maverics"
Passwords or folders containing special characters must be URI-encoded. For example, for a user with the password '()Pass1234&^%" the connection string would look like:
MAVERICS_SECRET_PROVIDER="delinea://yourAccount.secretservercloud.com?username=yourUser&password=%27%28%29Pass1234%26%5E%25%22&folder=\\maverics"
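The following is an added example, not code from Strata or from the Delinea documentation. It builds the delinea:// value with the username and password percent-encoded (using Python's standard urllib), then parses the string back to confirm that the encoded password round-trips, so a password containing & or % cannot be misread as a second query parameter. The host, user and folder are the page's placeholders; the folder is passed through exactly as the page writes it.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Added example (not Strata's code): assemble and check the delinea://
# connection string for MAVERICS_SECRET_PROVIDER. Parameter names
# (username, password, folder) are the ones shown on the page.

def build_delinea_provider(host: str, username: str, password: str, folder: str) -> str:
    """Return the delinea:// connection string with credentials percent-encoded.

    safe="" makes quote() encode every reserved character, including "&", "%"
    and "/", so the password cannot be split into a second parameter.
    The folder is passed through unchanged, matching the page's examples.
    """
    return (
        f"delinea://{host}?username={quote(username, safe='')}"
        f"&password={quote(password, safe='')}&folder={folder}"
    )

def parse_delinea_provider(value: str) -> dict:
    """Split a delinea:// string into host and decoded query parameters."""
    parts = urlsplit(value)
    if parts.scheme != "delinea":
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    # strict_parsing=True rejects malformed pairs instead of silently dropping them
    params = parse_qs(parts.query, strict_parsing=True)
    return {
        "host": parts.netloc,
        "username": params["username"][0],
        "password": params["password"][0],
        "folder": params["folder"][0],
    }

if __name__ == "__main__":
    # The password and folder from the page's example; host and user are placeholders.
    value = build_delinea_provider(
        "yourAccount.secretservercloud.com", "yourUser", "'()Pass1234&^%\"", r"\\maverics"
    )
    print(value)
    print(parse_delinea_provider(value))
```

Running the block prints the same encoded string the page shows and the decoded fields, which is a quick way to check a hand-edited maverics.env value before restarting the orchestrator.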
In maverics.yaml, use the Delinea secret's name together with the slug of the field, in the form <secretName.slug>, as the placeholder for each field you wish to populate from the secret server.
Check the secret's template to find the value of the field's slug. See an example configuration below:
connectors:
  - name: azure
    type: azure
    oidcWellKnownURL: <secretName.wellKnown>
    oauthClientID: <secretName.client-id>
    oauthClientSecret: <secretName.client-secret>
    # ...
Delinea setup for Secret Provider user
The user used to get the secrets needs to have the following permissions:
- Access to the folder where the secrets are stored
- View Secret permission
- Administer Secret Templates permission
For correct setup of the Maverics Secrets Provider user, consider doing the following:
1. Create a maverics-api-users group.
2. Edit the folder permissions to allow access from the maverics-api-users group.
3. Create a maverics-secret-provider role with the following permissions: View Secret, Administer Secret Templates.
4. Assign the maverics-secret-provider role to the maverics-api-users group.
5. Create a maverics-secrets-user user and assign them to the maverics-api-users group.
Secrets File
Strata strongly recommends using a vault as your secrets provider, even just for evaluation or test instances. The file-based options are provided for convenience only.
To load secrets from a file, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env, using the following pattern:
MAVERICS_SECRET_PROVIDER=secretfile:////etc/maverics/secrets.yaml
On Windows, the environment variable would use the following pattern:
MAVERICS_SECRET_PROVIDER=C:\Program Files\Strata Identity\Maverics\secrets.yaml
To load secrets from a file using the CLI flag, use the following pattern:
maverics -secretProvider secretfile:////etc/maverics/secrets.yaml
The file contents can be filled with any number of secrets:
secrets:
  oktaAPIToken: aReallyGoodToken
  oktaOAuthClientID: aReallyUniqueID
  oktaOAuthClientSecret: aReallyGoodSecret
  samlSigningCert: |+ # Multi-line values require |+.
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  saml-signing-key: |+
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
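The following is an added example and not Strata's code or tooling. It writes a secrets.yaml in the layout shown above, emitting multi-line PEM values as |+ block scalars (so the trailing newline that PEM parsers expect is kept) and creating the file with mode 0600 before any secret is written to it. The token and certificate values are constructed placeholders; the secrets: top-level key and the |+ requirement are taken from the page, while the double-quoting of single-line values is this example's own choice.

```python
import json
import os
import tempfile

# Added example (not Strata's code): render and write a secrets.yaml file.
# SAMPLE_SECRETS holds constructed placeholder values, not real credentials.
SAMPLE_SECRETS = {
    "oktaAPIToken": "aReallyGoodToken",
    "samlSigningCert": (
        "-----BEGIN CERTIFICATE-----\n"
        "MIIB...constructed-placeholder...\n"
        "-----END CERTIFICATE-----\n"
    ),
}

def render_secrets_yaml(secrets: dict) -> str:
    """Render {name: value} as a 'secrets:' document.

    Single-line values are emitted double-quoted (json.dumps output is valid
    YAML), so a token containing ':' or '#' cannot alter the structure.
    Multi-line values use '|+' so the final newline of the PEM block survives;
    no blank line is emitted after the block, because '|+' would keep it too.
    """
    lines = ["secrets:"]
    for name, value in secrets.items():
        if "\n" in value:
            lines.append(f"  {name}: |+")
            for pem_line in value.rstrip("\n").split("\n"):
                lines.append(f"    {pem_line}")
        else:
            lines.append(f"  {name}: {json.dumps(value)}")
    return "\n".join(lines) + "\n"

def write_secrets_file(path: str, secrets: dict) -> int:
    """Create the file owner-read/write only, write it, and return its mode bits."""
    # Mode on os.open applies only when the file is created (and after umask),
    # so chmod afterwards enforces 0600 even for a pre-existing, wider file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_secrets_yaml(secrets))
    os.chmod(path, 0o600)
    return os.stat(path).st_mode & 0o777

def write_and_read_back(secrets: dict) -> tuple:
    """Write into a temporary directory and return (mode_bits, file_contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secrets.yaml")
        mode = write_secrets_file(path, secrets)
        with open(path) as fh:
            return mode, fh.read()

if __name__ == "__main__":
    mode, contents = write_and_read_back(SAMPLE_SECRETS)
    print(f"mode={mode:o}")
    print(contents)
```

For a real deployment, point write_secrets_file at the path you configured in MAVERICS_SECRET_PROVIDER and run it as the account the orchestrator runs under, so the 0600 file is readable by that account alone.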