Securing your secrets with CyberArk: From DevOps tools to SaaS apps and more

Table of Contents

What are secrets?

Simply put, a secret is any piece of sensitive information that can be used as a credential to a software application. This includes passwords, API keys, certificates, and many other forms of credentials we use to access our business critical software applications.

The secret sprawl problem

With the proliferation of SaaS apps, DevOps tools, and databases, the number one thing keeping security engineers awake at night is worrying about how their secrets are managed. Where are their secrets stored? Who has access to them? How are they being used? And are they keeping up with their key rotation compliance guidelines to keep their secrets secure?

For an integration and automation platform like Workato, keeping your secrets secure is just as important as keeping your mission-critical recipes running.

Today, we’re thrilled to announce not one, not two, but three new integrations for our external secrets manager feature; Conjur Enterprise, Conjur Cloud, and Conjur OSS (Open Source Suite) from CyberArk’s Secret Management product suite. This marks the beginning of our partnership with CyberArk as a trusted integration partner. 

Integration with Workato 

How it works 

When you create connections in Workato, be it for a SaaS application or connecting to a database, you must enter in your credentials like a username, password,  and/or API key, directly in the Workato UI. Workato stores the connections, encrypted by a unique, connection-specific key. 

With CyberArk Conjur, instead of hardcoding your sensitive credentials on our platform, you create a host on Conjur that allows Workato to retrieve these secret values. When you create the connection in Workato, instead of supplying the credentials themselves, you supply a reference to the credentials stored in the HashiCorp Vault secrets engine.

This means that Workato can connect to your apps and databases without actually storing your credentials at all.

Connection parameters

When first connecting to your Conjur server, we’ll need your Conjur Server URL, Organization Account Name, Login ID, as well as the Host API Key that was generated by Conjur during Host creation, and that’s it!

And yes, you can create the Conjur connection on your on-prem group if you require a fully self-hosted setup!

Check out our docs for the full guide!

Secret rotation configuration with the clear_cache API

Making use of Conjur’s credential rotation functionality? Set up an additional API call when you’re defining your rotation function to ensure that we retrieve the latest secrets stored across all of your connections. 

Our clear_cache API is designed to clear any stale secrets across your projects and workspace if you’ve configured secrets manager for individual projects. Learn more about configuring secret rotation on Conjur here.

Why we love CyberArk Conjur 

CyberArk’s suite of secret management tools have a wide range of features that cater to your organization’s security needs whether you’re just getting started or looking for a fully self-hosted high availability cluster across different data centers. With that said, here are 3 standout features that we absolutely love about CyberArk Conjur.

1 – Easily assign permissions with policies as code 

On CyberArk, assigning permissions to secrets (variables) for your hosts is as easy as writing in yaml. Human-readability and simplicity goes a long way when you’re managing multiple layers, groups, and hosts with varying levels of access permissions. Here’s an example of how we’ve defined permissions for a host that we’ve created on Conjur for integrating with Workato:

- &variables
  - !variable
    id: sql-password-prod
    kind: password
  - !variable
    id: sql-host-prod
    kind: password
  - !variable
    id: sql-database-prod
    kind: password
  - !variable
    id: airtable-accesstoken-prod
    kind: accesstoken
  - !variable
    id: jwt-token-prod
    kind: password
- !permit
  role: !group /workato-app/workato-secret-users-prod  # layer declared earlier
  privileges: [read, execute]
  resources: *variables

2 – Stay in the loop with a built in audit trail

With Conjur Enterprise and Conjur Cloud, secrets that are accessed by humans / machines are logged. This includes; who retrieved a secret, when it happened, as well as policy changes which is especially important for debugging any permissions changes. 

3 – Avoid outages with high availability and disaster recovery 

When you’ve developed a PoC on Conjur OSS, upgrading to Conjur Enterprise enables you to configure multiple Conjur clusters across different sites that are always in sync to ensure disaster recovery in the event of an outage. Learn more here.


Which tool is right for me?

CyberArk offers a comprehensive set of secret management tools with diverse features designed to meet the security requirements of your organization. Rather than provide a one size fits all recommendation, please reach out to your Workato representative for a tailored assessment of your security needs and requirements. 

What secret managers can I use with Workato?

The Workato external secrets manager currently supports Amazon Web Services Secrets Manager (AWS Secrets Manager), HashiCorp Vault, Azure Key Vault, and now, CyberArk Conjur Cloud, Conjur Enterprise and Conjur Open Source. 

Can I use secrets in Workato via the secrets manager?

Yes absolutely! Workato’s external secrets manager support can retrieve the secret’s value as long as Workato has permission to access it and you’re using the right format. It can be actual secrets like username, password, API tokens. It can also be any other sensitive data that is required to successfully establish a connection to your application.

What happens when the administrator revokes permissions granted on my Conjur host?

Once you remove Workato’s permission to access the secrets, the connection will no longer be valid after the cached secret expires. Jobs may fail as no valid connection exists to execute the step in the recipe.

What happens if I update the credentials in the secrets manager 

Once you update the secrets in the secrets manager, for each connection that uses the secrets, you must disconnect and reconnect to refresh the connection with the new credentials. 

How can I automatically sync changes to credentials in the secrets manager with Workato 

Use the clear_cache API to programmatically clear the secrets cache on Workato for any stale secrets.

Secret values are encrypted before being stored “in-memory” for a period of 60 (sixty) minutes. Plain text values are NEVER stored.

Who can use CyberArk Conjur?  

All customers who are on the Enterprise plan or have the legacy Advanced Security & Compliance add-on.

Was this post useful?

Get the best of Workato straight to your inbox.

Table of Contents