> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Delinea Secret Server

The Delinea Secret Server secret provider connects the Orchestrator to [Delinea Secret Server](https://delinea.com/products/secret-server), a privileged access management (PAM) solution. Delinea Secret Server provides enterprise-grade credential vaulting, privileged session management, and audit-ready compliance reporting for sensitive access.

<Note>
  **Console terminology:** In the Maverics Console, Orchestrator instances and
  configuration delivery are managed through **Deployments**. When working directly
  with YAML, configuration is managed as files delivered via the `-config` flag or
  `MAVERICS_CONFIG` environment variable.
</Note>

## Overview

When configured with the Delinea Secret Server provider, the Orchestrator authenticates to your Delinea Secret Server instance and retrieves privileged credentials as needed. The provider supports the Delinea Secret Server REST API for retrieving secrets. Credentials are fetched at startup and cached for the duration of the Orchestrator process.

## Use Cases

* **Existing Delinea deployments** -- retrieve Orchestrator secrets from an existing Delinea Secret Server without duplicating credentials into another system
* **Organizational compliance** -- satisfy security policies that require all credentials to be sourced from the PAM platform
* **Centralized credential rotation** -- rotate secrets in Delinea and pick up new values on Orchestrator restart or config reload

## Configuration

Secret providers are not configured in YAML. They are set via the `MAVERICS_SECRET_PROVIDER` environment variable or the `-secretProvider` CLI flag.

### Configuration via Environment Variable

```bash theme={null}
export MAVERICS_SECRET_PROVIDER="delinea://server.example.com?username=svc-maverics&password=<password>&folder=Maverics"
```

### Configuration via CLI Flag

```bash theme={null}
maverics -config maverics.yaml -secretProvider "delinea://server.example.com?username=svc-maverics&password=<password>&folder=Maverics"
```

### Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The reference uses the format `secretName.fieldSlug`, where `secretName` is the name of the secret in Delinea and `fieldSlug` is the template field slug:

```yaml theme={null}
connectors:
  - name: my-idp
    oauthClientSecret: <my-secret.password>
```

At startup, the provider authenticates to Delinea and pre-populates all secrets from the specified folder.

## Configuration Reference

### URL Structure

```
delinea://{server-address}?username={username}&password={password}&folder={folder}
```

### URL Parameters

| Parameter      | Required | Description                                                                 |
| -------------- | -------- | --------------------------------------------------------------------------- |
| Server address | Yes      | Hostname of the Delinea Secret Server instance (e.g., `server.example.com`) |
| `username`     | Yes      | Delinea Secret Server username for authentication                           |
| `password`     | Yes      | Delinea Secret Server password for authentication                           |
| `folder`       | Yes      | Folder path in Delinea Secret Server containing the secrets to retrieve     |

### Authentication

The provider authenticates to Delinea Secret Server using the OAuth 2.0 password grant with the provided `username` and `password`.

## Troubleshooting

**"Unauthorized" or authentication errors**
Verify that the Delinea credentials configured on the host are valid and have permission to access the required secrets. Check the Delinea Secret Server audit log for denied requests.

**"Connection refused" when starting the Orchestrator**
Confirm the Delinea Secret Server address is correct and that the Orchestrator host has network access to the Delinea REST API endpoint.

**Secrets not resolving in YAML configuration**
Ensure the angle bracket syntax matches the secret names in Delinea Secret Server. The namespace and key in `<namespace.key>` must correspond to the secret path and field stored in Delinea.

## Related Pages

<CardGroup cols={2}>
  <Card title="Secret Providers" icon="vault" href="/reference/orchestrator/configuration/secret-providers">
    Overview of all secret providers
  </Card>

  <Card title="HashiCorp Vault" icon="vault" href="/reference/orchestrator/configuration/secret-providers/hashicorp-vault">
    External vault for secrets management
  </Card>
</CardGroup>
