Vault Credentials Overview
Key Vault Credentials enables rConfig V8 to retrieve device authentication credentials dynamically from enterprise secret management platforms during connection and configuration operations. Instead of storing credentials directly in its own database, rConfig retrieves each device's secrets on demand from centralized vault systems, enhancing security and simplifying credential rotation.
This integration allows organizations to maintain a single source of truth for network device credentials, enforce centralized access policies, and ensure audit compliance through their existing secret management infrastructure.
Supported Key Vault Providers
rConfig V8 has been tested and verified with the following Key Vault providers:
Provider | rConfig V8 Support | Documentation |
---|---|---|
HashiCorp Vault | ✓ Verified | HashiCorp Vault Setup |
Delinea Secret Server (Thycotic) | ⏳ Pending | Testing awaiting vendor trial access |
CyberArk | ⏳ Pending | Testing awaiting vendor trial access |
How Key Vault Integration Works
When a device is configured to use Key Vault credentials, the authentication flow operates as follows:
- Connection initiated: rConfig prepares to connect to a network device for configuration retrieval or snippet execution
- Credential lookup: rConfig queries the configured Key Vault using the device’s vault credential mapping
- Secret retrieval: Key Vault authenticates rConfig’s request and returns the device credentials
- Device authentication: rConfig uses the retrieved credentials to authenticate to the network device
- Operation execution: Configuration download or snippet execution proceeds with vault-sourced credentials
- Credential disposal: Retrieved credentials are discarded after the operation completes (not cached in rConfig)
This just-in-time credential retrieval ensures that rConfig never stores long-term device passwords while maintaining seamless automated operations.
Key Benefits
Centralized credential management: Maintain all network device credentials in a single enterprise vault system rather than distributed across multiple management platforms.
Enhanced security posture: Credentials are never stored at rest in rConfig, reducing exposure risk and simplifying security audits.
Simplified credential rotation: Update credentials in the vault system without requiring changes in rConfig device configurations.
Audit and compliance: Leverage vault system audit logs to track when and how credentials are accessed for network device operations.
Separation of duties: Security teams maintain control over credential storage and access policies while network teams manage device configurations.
Multi-tenancy support: Different device groups can retrieve credentials from different vault paths or namespaces based on organizational structure.
Credential Types in rConfig V8
rConfig V8 supports three credential storage methods that can be mixed and matched across your device inventory:
Local Credentials
Credentials stored directly in rConfig’s database, encrypted at rest. Best for:
- Small deployments
- Test/lab environments
- Devices with unique, non-sensitive credentials
Device Credentials
Centralized credentials stored in rConfig’s database and reused across multiple devices. Best for:
- Shared credential sets across device groups
- Simplified credential management without external vault systems
- Medium-sized deployments
Key Vault Credentials
Credentials dynamically retrieved from enterprise vault systems. Best for:
- Enterprise deployments with existing secret management infrastructure
- High-security requirements with zero-trust principles
- Organizations with strict compliance and audit requirements
- Environments with frequent credential rotation policies
You can use different credential types for different devices based on security requirements, operational needs, and organizational policies.
Prerequisites
Before implementing Key Vault integration, ensure you have:
- Administrator access to rConfig V8
- Administrator access to your Key Vault system
- Understanding of your organization’s credential storage and access policies
- Key Vault system configured with appropriate authentication methods
- Network connectivity between rConfig server and Key Vault API endpoints
- Appropriate secrets stored in the vault system with correct paths and structures
Getting Started
Select your Key Vault provider from the table above and follow the detailed implementation guide for step-by-step configuration instructions. Each guide provides:
- Vault-specific authentication configuration
- Secret path and structure requirements
- rConfig connection profile setup
- Device credential mapping procedures
- Troubleshooting guidance
Currently, only HashiCorp Vault integration is available. Additional providers will be added as testing is completed.
Credential Retrieval Process
When configuring a device to use Key Vault credentials:
- Configure vault connection: Set up the Key Vault connection profile in rConfig with authentication details
- Map device to vault path: Associate each device with the specific vault path containing its credentials
- Define credential attributes: Specify which vault keys correspond to username, password, and enable password
- Test retrieval: Verify rConfig can successfully retrieve and use credentials from the vault
- Deploy to production: Apply vault credential configuration to device groups or individual devices
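A check for the "Define credential attributes" and "Test retrieval" steps, written for HashiCorp Vault's KV version 2 response shape. This is an added example, not rConfig's own code; the vault key names (user, pass, enable), the mapping layout and the sample responses are constructed assumptions.

```python
# Constructed KV v2 read responses. KV v2 nests the secret under data.data,
# and a soft-deleted version comes back with data.data set to null.
SAMPLE_OK = {"data": {
    "data": {"user": "netops", "pass": "example-pw", "enable": "example-en"},
    "metadata": {"version": 3, "deletion_time": "", "destroyed": False}}}
SAMPLE_DELETED = {"data": {
    "data": None,
    "metadata": {"version": 4, "deletion_time": "2024-01-01T00:00:00Z",
                 "destroyed": False}}}

# Hypothetical mapping of credential attribute -> key inside the vault secret.
MAPPING = {"username": "user", "password": "pass", "enable_password": "enable"}
REQUIRED = ("username", "password")  # enable password is treated as optional


class VaultSecretError(Exception):
    """The secret exists but cannot satisfy the device mapping."""


def extract_credentials(response, mapping):
    body = response.get("data") or {}
    secret = body.get("data")
    meta = body.get("metadata") or {}
    if secret is None:
        raise VaultSecretError(
            f"version {meta.get('version')} has no data (deleted or destroyed)")
    creds = {}
    for attr, key in mapping.items():
        value = secret.get(key)
        if isinstance(value, str) and value:
            creds[attr] = value
        elif attr in REQUIRED:
            raise VaultSecretError(
                f"vault key '{key}' for {attr} is missing or empty")
    return creds


def check_mapping(response, mapping):
    """Report which attributes resolved, never the secret values themselves."""
    try:
        creds = extract_credentials(response, mapping)
    except VaultSecretError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "resolved": sorted(creds)}
```

Because check_mapping returns only attribute names and error text, its output can be written to logs or a ticket without exposing the retrieved credentials.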
Security Considerations
Authentication methods: Use the most secure authentication method supported by your vault system (AppRole, Token, Certificate-based).
Network security: Ensure communications between rConfig and the vault system use TLS encryption and occur over trusted networks.
Access policies: Configure vault access policies following the principle of least privilege—grant rConfig only the permissions necessary to read device credentials.
Credential caching: rConfig does not cache vault-retrieved credentials. Each device operation retrieves fresh credentials from the vault.
Audit logging: Enable comprehensive audit logging in both rConfig and your vault system to track credential access patterns.
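One way to check the least-privilege point under "Access policies" above is to lint the HashiCorp Vault policy attached to rConfig's identity before it is deployed. This is an added example, not part of rConfig or Vault; the "secret" mount, the "network/" subtree and both sample policies are constructed assumptions, as is the premise that read on the data path is all rConfig needs.

```python
import re

# Constructed sample policies in Vault's HCL policy syntax.
BROAD_POLICY = '''
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''
SCOPED_POLICY = '''
path "secret/data/network/*" {
  capabilities = ["read"]
}
'''

# Handles plain path stanzas only; it is not a full HCL parser.
STANZA = re.compile(
    r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)
ALLOWED = {"read", "deny"}                 # assumed needs of a read-only consumer
EXPECTED_PREFIX = "secret/data/network/"   # assumed device-credential subtree


def audit_policy(hcl):
    """Return findings for stanzas that exceed read-only access to the subtree."""
    findings = []
    for path, caps_raw in STANZA.findall(hcl):
        caps = set(re.findall(r'"(\w+)"', caps_raw))
        extra = sorted(caps - ALLOWED)
        if extra:
            findings.append(
                f"{path}: capabilities beyond read: {', '.join(extra)}")
        # A pure deny stanza may cover any path; grants must stay in the subtree.
        if caps != {"deny"} and not path.startswith(EXPECTED_PREFIX):
            findings.append(f"{path}: grants access outside {EXPECTED_PREFIX}")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```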
Related Documentation
- HashiCorp Vault Setup - Configure HashiCorp Vault integration
- Device Credentials - Understanding credential management in rConfig
- Connection Profiles - Configuring device connection settings
- Security Best Practices - Securing your rConfig deployment