Secret vaults
Secret vaults let monitors fetch their credentials — passwords, API keys, TOTP seeds — from an external secret manager at runtime, so no secret is ever stored in a monitor definition.
Instead of typing a password into a monitor, you reference a secret held in your organisation’s vault. At execution time the probe resolves the reference against the vault and injects the value only for the duration of the run. Rotating the secret in the vault takes effect immediately, with nothing to change on the Mugnsoft side.
Supported vault providers
| Provider | Description |
|---|---|
| HashiCorp Vault | KV secrets engine over the Vault HTTP API |
| Azure Key Vault | Secrets retrieved via an Azure AD application (tenant/client credentials) |
| CyberArk Conjur | Secrets retrieved via a Conjur host login and API key |
Only one provider is active at a time. Vault settings are global: you configure them once on the Webserver, and they are pushed to every enabled probe.
Configure a vault
Vault settings live in the Webserver Settings page (ADMIN only). Pick the provider in the Vault section and fill in the fields for that provider.
Test before you save
Reference a secret from a monitor
Once a vault is configured, a monitor field can point at a vault secret instead of holding a literal value. At runtime the probe resolves the reference and injects the secret.
For EUM (browser) scenarios, the resolved values are exposed to the Selenium script as environment variables, keyed by the URL title:
VAULT_USERNAME_<urlTitle>VAULT_PASSWORD_<urlTitle>TOTP_SECRET_<urlTitle>(for TOTP / two-factor seeds)
See the EUM Monitor page for how to consume these in a scenario.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| Test reports Failure on a probe | Probe cannot reach the vault URL, or credentials are wrong | Confirm network path probe → vault and re-check the provider fields |
| Monitor runs with an empty credential | The referenced secret name/path does not resolve | Verify the secret exists at the configured path and the token/login can read it |
| Rotated secret not picked up | The vault reference points at the wrong version/path | References resolve live on each run — confirm the path, not a cached value |
See also
- Webserver settings — where vault settings are configured
- Monitor configuration — the underlying vault fields
- EUM Monitor — how vault values reach browser scenarios at runtime
- Credential configurations — reusable SNMP/WMI credential bundles
- Security model — how secrets are protected in transit and at rest