Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Vault Password Storage Scheme provides a mechanism for authenticating users whose passwords are stored in a HashiCorp Vault instance.
This password storage scheme only supports authenticating users and does not allow password changes. Password changes must be made in the Vault instance.
When updating a user account to use this password storage scheme, the password must be provided in pre-encoded form (which will likely require using the password update behavior request control with the allowPreEncodedPassword element set to true). The encoded password should consist of the prefix "{HASHICORP-VAULT}" followed by a JSON object with the following fields:
{HASHICORP-VAULT}{"path":"/v1/secret/secret-name"}
The Vault Password Storage Scheme component inherits from the Password Storage Scheme
The following components have a direct aggregation relation from Vault Password Storage Schemes:
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
description | None |
enabled | |
vault-external-server | |
default-field |
Description | A description for this Password Storage Scheme |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether the Password Storage Scheme is enabled for use. |
Default Value | None |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | An external server definition with information needed to connect and authenticate to the Vault instance containing the passphrase. |
Default Value | None |
Allowed Values | The DN of any Vault External Server. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | The default name of the field in JSON objects contained in the AWS Secrets Manager service that contains the password for the target user. The name of the default JSON field in secret objects whose value will be used as the user's password. This will be used if the encoded password does not contain a field named "field". |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Password Storage Schemes:
dsconfig list-password-storage-schemes [--property {propertyName}] ...
To view the configuration for an existing Password Storage Scheme:
dsconfig get-password-storage-scheme-prop --scheme-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Password Storage Scheme:
dsconfig set-password-storage-scheme-prop --scheme-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Vault Password Storage Scheme:
dsconfig create-password-storage-scheme --scheme-name {name} --type vault --set enabled:{propertyValue} --set vault-external-server:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Password Storage Scheme:
dsconfig delete-password-storage-scheme --scheme-name {name}