Secret vaults

Secret vaults let monitors fetch their credentials — passwords, API keys, TOTP seeds — from an external secret manager at runtime, so no secret is ever stored in a monitor definition.

Instead of typing a password into a monitor, you reference a secret held in your organisation’s vault. At execution time the probe resolves the reference against the vault and injects the value only for the duration of the run. Rotating the secret in the vault takes effect immediately, with nothing to change on the Mugnsoft side.

Supported vault providers

Provider Description
HashiCorp Vault KV secrets engine over the Vault HTTP API
Azure Key Vault Secrets retrieved via an Azure AD application (tenant/client credentials)
CyberArk Conjur Secrets retrieved via a Conjur host login and API key

Only one provider is active at a time. Vault settings are global: you configure them once on the Webserver, and they are pushed to every enabled probe.

Configure a vault

Vault settings live in the Webserver Settings page (ADMIN only). Pick the provider in the Vault section and fill in the fields for that provider.

| Field | Description | |-------|-------------| | Vault URL | Base URL of the Vault server | | Vault token | Access token used to read secrets | | Secret path | Path of the KV secret to read |
| Field | Description | |-------|-------------| | Key Vault URL | Base URL of the Azure Key Vault | | Tenant ID | Azure AD tenant | | Client ID | Application (client) ID | | Client secret | Application client secret | | Secret name | Name of the secret to read |
| Field | Description | |-------|-------------| | Conjur URL | Base URL of the Conjur server | | Account | Conjur account | | Login | Host / user login | | API key | API key for the login | | Secret | Variable identifier of the secret to read |

Test before you save

Use the test button in the Vault section to validate the settings. Mugnsoft runs the test against every enabled probe and reports success or failure per probe, so you can confirm that each probe can reach the vault before any monitor depends on it.

Reference a secret from a monitor

Once a vault is configured, a monitor field can point at a vault secret instead of holding a literal value. At runtime the probe resolves the reference and injects the secret.

For EUM (browser) scenarios, the resolved values are exposed to the Selenium script as environment variables, keyed by the URL title:

  • VAULT_USERNAME_<urlTitle>
  • VAULT_PASSWORD_<urlTitle>
  • TOTP_SECRET_<urlTitle> (for TOTP / two-factor seeds)

See the EUM Monitor page for how to consume these in a scenario.

Troubleshooting

Symptom Cause Fix
Test reports Failure on a probe Probe cannot reach the vault URL, or credentials are wrong Confirm network path probe → vault and re-check the provider fields
Monitor runs with an empty credential The referenced secret name/path does not resolve Verify the secret exists at the configured path and the token/login can read it
Rotated secret not picked up The vault reference points at the wrong version/path References resolve live on each run — confirm the path, not a cached value

See also

Translations