Torq's integration with external key management services, or secret stores, enables your organization to utilize secrets (like API keys and passwords) in third-party vendor integrations without storing this sensitive information within Torq itself. This approach ensures that your company retains full management over secret data, supporting best practices like secret rotation and revocation in line with your security policies.
Supported External Secret Stores
Currently, Torq supports integration with the following secret management services:
HashiCorp Vault
AWS SSM Parameter Store
Azure Key Vault
If your organization utilizes a different secret management service, please contact your support representative to explore potential integration options.
Setting Up External Secret Store Integration
Access Secret Management: Navigate to Integrations > Secret Management in Torq. Select the secret store you wish to integrate with and click Add. Existing integrations can be edited via the integration instances list by clicking the three-dot menu and selecting Edit.
2. Integration Setup:
Assign a meaningful name to the integration and fill out the required fields. Ensure you've completed the next step before finalizing the integration setup.
Mark Use this integration as a secret store for my account checkbox and click Add.
For AWS integrations, ensure the AWS role has GetParameter permission.
Connect Third-Party Vendor Integrations with a Secret Store:
Return to the Integrations page and pick a third-party vendor to connect via Torq.
Fill in the necessary integration information. Use the dropdown next to each field to choose if the value should come from an external secret store or be stored in Torq's local secret/parameter store.
Provide the path to each secret value and Click Add to create the third-party vendor integration.
For each supported secret store, the method to provide the path to the secret value differs slightly:
HashiCorp Vault: Provide the complete path (engine path + secret path) and the secret key.
AWS SSM Parameter Store: Specify the region and the parameter name in the format
<region>/<parameter name>.Azure Key Vault: Provide the name of the secret as listed in Azure Key Vault.
Use a Secret Value Stored in HashiCorp Vault
To use a secret value from HashiCorp Vault in Torq, you must provide the complete path (engine path+secret path) and the secret key.
In HashiCorp Vault, go to Secrets to view the paths of the secret engines.
For example, for the secret below, usesecret/test/webapp/api_keyto get the secret value in Torq.
Use the secret value in integration fields that require sensitive information.
Use a Secret Value Stored in AWS SSM Parameter Store
To use a secret value from AWS SSM Parameter Store in Torq, provide the region and the parameter name: /
For example, for the parameter
/A/Abelow, useus-east-1/A/Ato get the secret value in Torq.
Use the secret value in integration fields that require sensitive information.
Use a Secret Value Stored in Azure Key Vault
To use a secret value from Azure Key Vault in Torq, provide the secret's name as listed in Azure Key Vault.
In Azure Key Vault, go to Secrets to view the names of the available secrets. For example, for the secret below, use
my-secretto get the secret value in Torq.
