Secret Management

Managing secrets for Salem actions

Salem leverages an Azure Key Vault resource to store and access user-provided secrets. This article describes how to configure the Key Vault resource, add secrets, and reference these secrets in a Salem action definition.

Setting up Key Vault

If you've never added a secret to Salem, you must first ensure your key vault resource is properly configured.

Salem comes preconfigured with a Key Vault resource intended for this purpose. However, you must set up access control to 1) allow Salem resources to read secrets from the Key Vault and 2) enable yourself or those you delegate to add new secrets to the Key Vault.

1) Find your Salem Key Vault in the Azure Portal

The Salem Key Vault can be identified in two ways: 1) the Key Vault resource is located in the same managed resource group as other Salem resources, or 2) you can search for the Key Vault by name (every Salem Key Vault's name begins with "salemvault").

2) Assign IAM roles for the Salem Key Vault

You'll need to make two role assignments in the Key Vault: 1) for the SalemAPI managed identity, and 2) for your user or users you delegate who will add or update secrets in the Vault.

| Account (SPN) | IAM Role |
| --- | --- |
| SalemAPI Managed Identity (APIappId) | Key Vault Secrets User |
| Your User or Group | Key Vault Secrets Officer |

Salem Managed Identity Key Vault role

Add or Update Secrets

Use the Azure Portal to navigate to your Salem Key Vault resource to add or update secrets that will be referenced in Salem action definitions. The Secret name is arbitrary, but remember what you name the secret so you can

Add secrets to the Salem Key Vault

Reference Secrets in Action Definitions

Salem Action Definitions have a Credentials configuration that references a secret in Key Vault. The secret_name parameter should match the name you gave the secret in Key Vault.

"credentials": {
    "secret_name": "SecretName"
}

OPTIONAL - you can add a "vault_url" parameter with the URL of the Key Vault you want Salem to reference, which can be any Key Vault you want to designate, not just the one created with Salem.
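
One way to lint action definitions before they are deployed, as an added example (not Salem's own code): it checks that secret_name is a legal Key Vault secret name and, because vault_url can point at any Key Vault, that the URL is a bare https address whose host is on an allowlist you control. The function name, the allowlist and the sample vault host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Azure Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
SECRET_NAME_RE = re.compile(r"[0-9A-Za-z-]{1,127}")

# Constructed allowlist (assumption): vault hosts your action definitions may reference.
APPROVED_VAULT_HOSTS = {"salemvault-example.vault.azure.net"}


def check_credentials(action, approved_hosts=APPROVED_VAULT_HOSTS):
    """Return a list of problems found in an action definition's credentials block."""
    creds = action.get("credentials")
    if not isinstance(creds, dict):
        return ["missing or malformed 'credentials' object"]

    problems = []
    name = creds.get("secret_name")
    if not isinstance(name, str) or not SECRET_NAME_RE.fullmatch(name):
        problems.append("secret_name is not a valid Key Vault secret name")

    # vault_url is optional on the page; only validate it when it is present.
    if "vault_url" in creds:
        url = creds["vault_url"]
        parts = urlsplit(url if isinstance(url, str) else "")
        host = parts.hostname or ""
        if parts.scheme != "https":
            problems.append("vault_url must use https")
        if (parts.username or parts.password or parts.query
                or parts.fragment or parts.path not in ("", "/")):
            problems.append("vault_url must be a bare vault address")
        if host not in approved_hosts:
            problems.append(f"vault_url host {host!r} is not an approved vault")
    return problems


if __name__ == "__main__":
    # Constructed sample action definitions (only the credentials block matters here).
    samples = [
        {"credentials": {"secret_name": "SecretName"}},
        {"credentials": {"secret_name": "SecretName",
                         "vault_url": "https://salemvault-example.vault.azure.net/"}},
        {"credentials": {"secret_name": "bad_name",
                         "vault_url": "http://other-vault.vault.azure.net"}},
    ]
    for sample in samples:
        print(sample["credentials"], "->", check_credentials(sample) or "ok")
```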
