Skip to main content
All CollectionsBuild AutomationsIntegrations
Integrate External Secret Stores with Torq for Enhanced Security
Integrate External Secret Stores with Torq for Enhanced Security

Integrate Torq with your key management service to manage secrets for third-party vendor integrations securely and independently.

Updated over 3 months ago

Torq's integration with external key management services, or secret stores, enables your organization to utilize secrets (like API keys and passwords) in third-party vendor integrations without storing this sensitive information within Torq itself. This approach ensures that your company retains full management over secret data, supporting best practices like secret rotation and revocation in line with your security policies.

Supported External Secret Stores

Currently, Torq supports integration with the following secret management services:

  • HashiCorp Vault

  • AWS SSM Parameter Store

  • Azure Key Vault

If your organization utilizes a different secret management service, please contact your support representative to explore potential integration options.

Setting Up External Secret Store Integration

  1. Access Secret Management: Navigate to Integrations > Secret Management in Torq. Select the secret store you wish to integrate with and click Add. Existing integrations can be edited via the integration instances list by clicking the three-dot menu and selecting Edit.

secret management services

2. Integration Setup:

  1. Assign a meaningful name to the integration and fill out the required fields. Ensure you've completed the next step before finalizing the integration setup.

  2. Mark Use this integration as a secret store for my account checkbox and click Add.

For AWS integrations, ensure the AWS role has GetParameter permission.

use integration as secret store checkbox

Connect Third-Party Vendor Integrations with a Secret Store:

  1. Return to the Integrations page and pick a third-party vendor to connect via Torq.

  2. Fill in the necessary integration information. Use the dropdown next to each field to choose if the value should come from an external secret store or be stored in Torq's local secret/parameter store.

  3. Get secrets from the external secret management solution or from the Torq secret store

  4. Provide the path to each secret value and Click Add to create the third-party vendor integration.

For each supported secret store, the method to provide the path to the secret value differs slightly:

  • HashiCorp Vault: Provide the complete path (engine path + secret path) and the secret key.

  • AWS SSM Parameter Store: Specify the region and the parameter name in the format <region>/<parameter name>.

  • Azure Key Vault: Provide the name of the secret as listed in Azure Key Vault.

Use a Secret Value Stored in HashiCorp Vault

To use a secret value from HashiCorp Vault in Torq, you must provide the complete path (engine path+secret path) and the secret key.

  • In HashiCorp Vault, go to Secrets to view the paths of the secret engines.

    HashiCorp Vault secret engine paths


    For example, for the secret below, use secret/test/webapp/api_key to get the secret value in Torq.

    Secret path and key HashiCorp Vault
  • Use the secret value in integration fields that require sensitive information.

    Use a secret value stored in HC vault

Use a Secret Value Stored in AWS SSM Parameter Store

To use a secret value from AWS SSM Parameter Store in Torq, provide the region and the parameter name: /

  • For example, for the parameter /A/A below, use us-east-1/A/A to get the secret value in Torq.

get the AWS SSM region

Use the secret value in integration fields that require sensitive information.

Use a secret value stored in AWS SSM

Use a Secret Value Stored in Azure Key Vault

To use a secret value from Azure Key Vault in Torq, provide the secret's name as listed in Azure Key Vault.

  • In Azure Key Vault, go to Secrets to view the names of the available secrets. For example, for the secret below, use my-secret to get the secret value in Torq.

Go to Secrets in Azure Key Vault to get the name of the secret
Did this answer your question?