UiPath and HashiCorp Vault

Hello,

I wanted to know if an integration between UiPath and HashiCorp Vault is in your backlog?

Thanks,

I’m interested in knowing that as well?!

Any update about this? My company is really interested in that too!

We are deploying the same integration - is there any update on the progress of integration with HashiCorp Vault?

Sorry to tag you @loginerror, but perhaps you can help answer the question? I know this was a while ago, but it would help keep the thread updated for new visitors.

Hi @sonnymeyer

This is something our team is considering for future releases. Feel free to contact our technical support, as there might be a way to implement it:

But just to be clear - is your question about on-premise or cloud Orchestrator?

We’re considering building this as a custom activity. I’d love to get some feedback from people using Vault today and how they’re using it currently. Email me at mark@formulatedautomation.com.

I’ll update this thread if we release an activity.

We ended up using the Vault HTTP API for most of this versus jumping into writing a custom activity. You can see a demo of it here - StupidRobotTricks/README.md at main · FormulatedAutomation/StupidRobotTricks · GitHub

Happy for any feedback on this solution.

Regards,
Mark

Hi @MarkFormulated

If you feel like it, feel free to create a new topic in our #news:faq category with enough context on the method (it is fine linking to the GitHub page, but some extra context within the topic itself would be nice so that our users know what to expect when they click the link).

That category has a higher search priority precisely for nice tutorials like the one here.

I have been working on a Hashicorp Vault credential store plugin that you can find in this PR: Hashicorp Vault Plugin by cosminvlad · Pull Request #9 · UiPath/Orchestrator-CredentialStorePlugins · GitHub
Maybe you want to give that a spin and give me some feedback.

Hi George,

Thanks for the work you’ve done on this plugin! I have been trying to get your plugin to work in the context of my organization and do have some feedback:

I was hoping this plugin would work more similarly to how the CyberArk plugin works. I.e. that Orchestrator’s access to the Hashicorp Vault would be read-only, and that an “External Name” field (rather than the Orchestrator asset name) would be what connected the credential in Orchestrator to the credential in Hashicorp.

Having the credential linked by Orchestrator-asset-name to Hashicorp-credential-key is problematic, particularly when I am trying to deal with credentials that have user-/bot-specific values rather than a single Global Value. (See screenshot below for what I am talking about in Orchestrator.) I tested the functionality with these user-specific credentials, and it appears that adding user-specific credentials on the Orchestrator end simply rewrites/overwrites the value of a single credential on the Hashicorp end. If this were read-only and we could link by “External Name” here, we should be able to link a single Orchestrator asset to multiple user-specific credentials in Hashicorp.

I did notice that there is a HashicorpVaultReadOnlySecureStore.cs file in your Git repo for this plugin. Is it possible that the functionality I’ve described above is already available if I adjust certain settings and/or build the project differently in Visual Studio? I am not particularly familiar with Visual Studio or the mechanics behind building/compiling projects. Let me know if there’s something I can do to alter the plugin’s behavior to make it (A) read-only and (B) utilize an “External Name” link rather than simply asset name.

Regards,

Riley

I just created a release: Release SecureStore.HashicorpVault 1.0.0 · UiPath/Orchestrator-CredentialStorePlugins · GitHub
This release, when installed, should give you two credential stores in the dropdown: “Hashicorp Vault” (read-write, like Azure Key Vault) and “Hashicorp Vault - Read Only” (read-only, like CyberArk).

@CosminV , thanks so much for your help with this plugin. I’m happy to report that the most-recent version of the plugin (v1.0.2: Release SecureStore.HashicorpVault 1.0.2 · UiPath/Orchestrator-CredentialStorePlugins · GitHub) gives us the read-only functionality we were anticipating/hoping for. (This read-only functionality also resolves the “bot-specific credentials” issue I mentioned in my earlier post.)

Really appreciate your follow-up and help with this!

Per all of the testing my organization has done so far, the version of the plugin I mention above appears to be working well.

Is this something that might be added to Automation Cloud? My organization is interested in using HashiCorp, but we’re on Automation Cloud. Ideally having it show up as a credential store, just like Azure Keyvault and CyberArk.

It is not planned at this time. CC @Ovidiu_Constantin

Hello everyone,
I hope you’re doing fine.

We have been using the Vault plugin made by CosminV. Everything was fine at the testing stage.

Lately, we have faced a small problem when we deployed the plugin in the production environment.
When the trigger starts the job, it fails directly with the following error: “The user name or password is incorrect. (Exception from HRESULT: 0x8007052E)”.

When checking on the Vault server side, there wasn’t any trace of the request call by UiPath for the faulted triggers. We were able to see only the request calls of the working triggers.

The funny thing is that for the same robot, a secondary trigger works just fine… It seems that UiPath doesn’t like to call Vault for the first time in the morning.

I’ll post my questions here hoping that we can solve this issue:
1- Has any of you faced the same issue?
2- It is almost impossible to solve this issue without checking what it does in the background. So can you please tell us how to add event logs to the Vault plugin?

Two tickets have been created for this issue (01125212 and 01151312).
Best Regards,
Hicham

Could be an issue with an expired token that is not properly refreshed after it expires.

Are the tickets opened with UiPath support? They will probably not be able to help, as the plugin is not supported by UiPath. Could you open an issue here instead? Issues · UiPath/Orchestrator-CredentialStorePlugins · GitHub

Also please include as much detail as possible in the issue, including:

  • what configuration you are using for the credential store (authentication method, whether you use namespaces, etc.)
  • how the auth is configured in Vault
  • the Vault logs (anonymized is fine)
  • any relevant exceptions from the Orchestrator server’s event viewer, from around the time the robot fails to get credentials

Please keep in mind that your issue will be public, so take the time to anonymize any data you find sensitive (tokens, URLs, etc.).

Hello Everyone,
We found out that my previously explained issue has nothing to do with the plugin itself. Here are the details:

When we updated our 18.4.4 environment to version 20.10.10, I created all our 300 users (with unattended robots activated) on UiPath Orchestrator using the UiPath OData API (user endpoint - POST).

I was able to create all 300 users in less than 10 minutes. But I discovered lately that UiPath makes 4 calls when a human creates a user manually:
1- UserNotificationSubscription Creation
2- User Creation
3- Robot Creation (if unattended/attended robot activated)
4- Robot Session Creation (if unattended/attended robot activated)

Doing the API thing created only the user and robot parts for the 300 users (but it did not create the session and UserNotification parts).

I resolved the issue by manually recreating all 300 users. Now everything works fine.

Please also note that we faced another issue with asset credentials (only assets with robot values). Here are the details, to avoid wasting time on the issue if you face it:

Sometimes we create assets before creating their external keys on HashiCorp. When doing that, there is no way the asset get call will work, even if you create the external key afterwards.
We discovered that UiPath makes validation calls (3 calls for each external key) to HashiCorp right after clicking on the Create/Update button. This validation is not shown to the user, even if it fails.

When creating the external keys on HashiCorp Vault, it is mandatory to update the asset. Just click the asset update button to make sure everything works fine. A good practice is to create the external key first and then the asset.

So in conclusion:
→ Make sure that the HashiCorp store is configured and works fine before creating anything related to that store on Orchestrator.
→ Use UiPath API endpoints with caution.
→ Make sure that asset credential keys are created on HashiCorp Vault before creating them in Orchestrator.

Best Regards,
Hicham
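
The ordering advice in the conclusion above, together with the expired-token guess earlier in the thread, can be checked before any asset is created. The following is an added example, not code from the plugin or from any poster: it asks the Vault HTTP API whether the token is still valid and whether each external key exists, without reading out secret values. It assumes a KV v2 engine mounted at `secret` and external names used directly as secret paths; `preflight`, `vault_get`, `fake_get`, `FAKE_VAULT`, the address and the token are hypothetical.

```python
import json
import urllib.error
import urllib.request

def vault_get(addr, token, path, opener=urllib.request.urlopen):
    """GET {addr}/v1/{path}; return (HTTP status, parsed JSON or None)."""
    req = urllib.request.Request(f"{addr}/v1/{path}",
                                 headers={"X-Vault-Token": token})
    try:
        with opener(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None   # Vault answers 404 for a missing secret

def preflight(addr, token, mount, external_names, min_ttl=3600, get=vault_get):
    """Return a list of problems; empty means the assets can be created."""
    status, body = get(addr, token, "auth/token/lookup-self")
    if status != 200:
        return [f"token rejected by Vault (HTTP {status})"]
    problems = []
    ttl = body["data"]["ttl"]   # seconds left; 0 means no expiry
    if 0 < ttl < min_ttl:
        problems.append(f"token expires in {ttl}s")
    for name in external_names:
        # Assumption: KV v2 layout, so reads go through <mount>/data/<path>.
        status, _ = get(addr, token, f"{mount}/data/{name}")
        if status == 404:
            problems.append(f"missing secret: {name}")
        elif status != 200:
            problems.append(f"cannot read {name} (HTTP {status})")
    return problems   # secret values are never returned or printed

# Constructed stand-in for a Vault server so the example runs offline.
FAKE_VAULT = {
    "auth/token/lookup-self": (200, {"data": {"ttl": 900}}),
    "secret/data/robots/bot01": (200, {"data": {"data": {}}}),
}

def fake_get(addr, token, path):
    return FAKE_VAULT.get(path, (404, None))

if __name__ == "__main__":
    for problem in preflight("https://vault.example", "placeholder-token",
                             "secret", ["robots/bot01", "robots/bot02"],
                             get=fake_get):
        print("PROBLEM:", problem)
```

Dropping the `get=fake_get` argument sends the same requests to a real Vault address with a real token.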