12. Secret Management System

Users and admins upload machine and cloud credentials to Tower so that it can access machines and external services on their behalf. By default, sensitive credential values (such as SSH passwords, SSH private keys, API tokens for cloud services) in Tower are stored in the database after being encrypted. With external credentials backed by credential plugins, you can map credential fields (like a password or an SSH Private key) to values stored in a secret management system instead of providing them to Tower directly. Ansible Tower provides a secret management system that include integrations for:

  • CyberArk Application Identity Manager (AIM)

  • CyberArk Conjur

  • HashiCorp Vault Key-Value Store (KV)

  • HashiCorp Vault SSH Secrets Engine

  • Microsoft Azure Key Management System (KMS)

These external secret values will be fetched prior to running a playbook that needs them. For more information on specifying these credentials in the Tower User Interface, see Credentials.