The Delinea Secret Server secret provider connects the Orchestrator to Delinea Secret Server, a privileged access management (PAM) solution. Delinea Secret Server provides enterprise-grade credential vaulting, privileged session management, and audit-ready compliance reporting for sensitive access.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the Delinea Secret Server provider, the Orchestrator authenticates to your Delinea Secret Server instance and retrieves privileged credentials as needed. The provider supports the Delinea Secret Server REST API for retrieving secrets. Credentials are fetched at startup and cached for the duration of the Orchestrator process.

Use Cases

  • Existing Delinea deployments — retrieve Orchestrator secrets from an existing Delinea Secret Server without duplicating credentials into another system
  • Organizational compliance — satisfy security policies that require all credentials to be sourced from the PAM platform
  • Centralized credential rotation — rotate secrets in Delinea and pick up new values on Orchestrator restart or config reload

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.

Configuration via Environment Variable

export MAVERICS_SECRET_PROVIDER="delinea://server.example.com?username=svc-maverics&password=<password>&folder=Maverics"

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "delinea://server.example.com?username=svc-maverics&password=<password>&folder=Maverics"

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The reference uses the format secretName.fieldSlug, where secretName is the name of the secret in Delinea and fieldSlug is the template field slug:

connectors:
  - name: my-idp
    oauthClientSecret: <my-secret.password>

At startup, the provider authenticates to Delinea and pre-populates all secrets from the specified folder.

Configuration Reference

URL Structure

delinea://{server-address}?username={username}&password={password}&folder={folder}

URL Parameters

| Parameter | Required | Description |
|---|---|---|
| Server address | Yes | Hostname of the Delinea Secret Server instance (e.g., server.example.com) |
| username | Yes | Delinea Secret Server username for authentication |
| password | Yes | Delinea Secret Server password for authentication |
| folder | Yes | Folder path in Delinea Secret Server containing the secrets to retrieve |

Authentication

The provider authenticates to Delinea Secret Server using the OAuth 2.0 password grant with the provided username and password.

Troubleshooting

“Unauthorized” or authentication errors

Verify that the Delinea credentials configured on the host are valid and have permission to access the required secrets. Check the Delinea Secret Server audit log for denied requests.

“Connection refused” when starting the Orchestrator

Confirm the Delinea Secret Server address is correct and that the Orchestrator host has network access to the Delinea REST API endpoint.

Secrets not resolving in YAML configuration

Ensure the angle bracket syntax matches the secret names in Delinea Secret Server. The namespace and key in <namespace.key> must correspond to the secret path and field stored in Delinea.
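A pre-flight check for the provider URL structure and the <secretName.fieldSlug> references described above, as an added example that is not part of the Maverics documentation or product code. It uses Python's standard query-string parsing, which may differ from how the Orchestrator parses the URL; the function names, the sample values and the inventory map are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQUIRED = ("username", "password", "folder")  # per the URL Parameters table
# <secretName.fieldSlug>, split at the last dot (assumption: slugs contain no dot)
REF = re.compile(r"<([^<>\n]+)\.([^<>\n.]+)>")

# Constructed sample inputs, modelled on the page's own examples.
SAMPLE_URL = ("delinea://server.example.com?username=svc-maverics"
              "&password=constructed-placeholder&folder=Maverics")
SAMPLE_YAML = "connectors:\n  - name: my-idp\n    oauthClientSecret: <my-secret.password>\n"

def check_provider_url(url):
    """Return (problems, redacted_url) for a delinea:// provider URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    if parts.scheme != "delinea":
        problems.append(f"scheme is {parts.scheme!r}, expected 'delinea'")
    if not parts.hostname:
        problems.append("missing server address")
    for name in REQUIRED:
        if not params.get(name, [""])[0]:
            problems.append(f"missing required parameter: {name}")
    # With standard query parsing, an unescaped '&' in a value appears as an extra name.
    for name in sorted(set(params) - set(REQUIRED)):
        problems.append(f"parameter not in the documented list: {name}")
    # Mask the password (up to the next documented parameter) so the URL can be logged.
    redacted = re.sub(r"(?<=[?&]password=).*?(?=&(?:username|folder)=|$)", "***", url)
    return problems, redacted

def find_secret_refs(yaml_text):
    """Return the (secretName, fieldSlug) pairs referenced in the YAML text."""
    return REF.findall(yaml_text)

def unresolved_refs(yaml_text, inventory):
    """References whose secret name or field slug is absent from `inventory`,
    a hand-maintained {secretName: {fieldSlug, ...}} map of the Delinea folder."""
    return [(n, s) for n, s in find_secret_refs(yaml_text)
            if s not in inventory.get(n, ())]

if __name__ == "__main__":
    problems, redacted = check_provider_url(SAMPLE_URL)
    print(redacted, problems or "OK")
    print(unresolved_refs(SAMPLE_YAML, {"my-secret": {"username"}}))
```

Run it against the value you intend to place in MAVERICS_SECRET_PROVIDER before starting the Orchestrator, and log only the redacted form.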