Locally managed mode credential providers
To access monitored entity data, such as databases, you must provide credentials for the locally managed SWO agent. You can do this in several ways. The following is a list of supported providers:
For environmental variable and file-based credential providers, setting up the credentials_config.yaml is not required. However, this file is mandatory for configuring access in the case of third-party credential providers. Refer to the correct name and storage locations for this file:
-
Linux: /
opt/solarwinds/uamsclient/var/credentials_config.yaml -
Windows:
C:\ProgramData\SolarWinds\UAMSClient\credentials_config.yaml -
Docker: Use the environment variable
UAMS_CREDENTIALS_CONFIGURATION_FILE_PATHto specify the path for the Docker credentials configuration file.
Do not place the credentials directly in the local_config.yaml file.
Environmental variables
Your integrations can consume credentials stored in environmental variables. To use environmental variables as credentials for accessing monitored entities, add the credentials as environmental variables on the target host. Then, include them in the local_config.yaml file:
integrations:
dbo/mysql:
- name: mysql-local-conf-off-host
host: 10.0.2.2
port: 3306
user: root
disable-sampling: true
password-env-var:
value-from:
provider: env
key: env_var_nameFiles hosted on the target host
To use credentials stored in a <your_credentials_file_name>.yaml file, specify your file path using the path: field as shown below.
integrations:
dbo/mysql:
- name: mysql-local-conf-off-host
host: 10.0.2.2
port: 3306
user: root
disable-sampling: true
password-file:
value-from:
provider: file
path: /path/to/your/file # required
key: credential-oneThe <your_credentials_file_name>.yaml file should be a key-value YAML file.
credential-one: my-secret
# credential-two: my-secret-two
# credential-three: my-secret-three
# credential-four: my-secret-four
# ...Hashicorp Vault
The configuration parameters for integrating with Hashicorp Vault, to be used in the credentials_config.yaml file are as follows:
| Parameter | Allowed values | Description |
|---|---|---|
|
|
|
The type of authentication. |
|
|
<URL> |
Address of the Hashicorp Vault server. |
|
|
<Token> |
The token used for Hashicorp Vault |
The configuration parameters needed to access credentials stored in Hashicorp Vault, to be used in the local_config.yaml file:
| Parameter | Allowed values | Description |
|---|---|---|
|
secret |
<Secret_Id> |
Name of the secrete stored in Hashicorp Vault |
|
key |
<Secret_Key> |
Key to the secrete stored in Hashicorp Vault |
To use credentials stored in Hashicorp Vault, perform the following steps:
-
Create a
credentials_config.yamlfile to connect the SolarWinds Observability Agent and Hashicorp Vault with the following configuration parameters:credentials: hashicorp-vault: address: http://127.0.0.1 auth: type: token token: <Token> -
Reference Hashicorp Vault as the credential source in the
local_config.yamlfile by adding thevalue-fromsection and setprovidertohashicorp-vault.
When referencing a credential, specify the secret and key fields:
integrations:
dbo/mysql:
- name: mysql-local-conf-off-host
host: 10.0.2.2
port: 3306
user: root
disable-sampling: true
password:
value-from:
provider: hashicorp-vault
secret: secret-id
key: key-idIf you prefer not to include the token in the credentials_config.yaml file, set it securely in the environmental variables:
credentials:
hashicorp-vault:
address: http://127.0.0.1
auth:
type: token
token:
value-from:
provider: env
key: HASHICORP_VAULT_TOKEN_1 # Do not use the VAULT_TOKEN environment variableAlternatively, you can also configure the system using the native Hashicorp vault VAULT_TOKEN environmental variables without setting up the auth block.
credentials:
hashicorp-vault:
address: http://127.0.0.1AWS Secrets Manager
The configuration parameters for integrating with AWS Secrets Manager, to be used in the credentials_config.yaml file are as follows:
| Parameter | Allowed values | Description |
|---|---|---|
|
type |
[static/files] |
The type of authentication. |
|
access-key-id |
<Access_Key_ID> |
The access key ID for the AWS Secrets Manager API. |
|
secret-access-key |
<Secret_Access_Key> |
The secret access key for the AWS Secrets Manager API. |
|
session-token |
<URL> |
Session token used for AWS Secrets Manager |
|
region |
<User_Agent_String> |
AWS Secrets Manager region |
The configuration parameters needed to access credentials stored in AWS Secrets Manager, to be used in the local_config.yaml file:
| Parameter | Allowed values | Description |
|---|---|---|
|
secret-name |
<Secret_Name> |
Name of the secrete stored in AWS Secrets Manager |
|
secret-key |
<Secret_Key> |
Key to the secrete stored in AWS Secrets Manager |
To use credentials stored in AWS Secrets Manager, perform the following steps:
-
Create a
credentials_config.yamlfile to connect the SolarWinds Observability Agent and AWS Secrets Manager with the following configuration parameters:credentials: aws-secrets-manager: auth: type: static access-key-id: <your_access_key_id> secret-access-key: <your_secret_access_key> session-token: <your_session_token> # this field is optional region: us-east-1 -
ReferenceAWS Secrets Manager as the credential source in the
local_config.yamlfile by adding thevalue-fromsection and setprovidertoaws-secrets-manager. There are two possible credential formats:-
For
key-valueformat, specify both thesecret-nameandsecret-keyin the credential reference:integrations: otel/elasticsearch: - name: test-elasticsearch status-url: http://localhost:9200 collection-interval: 5s password: value-from: provider: aws-secrets-manager secret-name: secret-id secret-key: key-id -
For plain text format, specify only the
secret-namein the credential reference:integrations: otel/elasticsearch: - name: test-elasticsearch status-url: http://localhost:9200 collection-interval: 5s password: value-from: provider: aws-secrets-manager secret-name: secret-id
-
If you prefer not to include the access-key-id, secret-access-key, and session-token in the credentials_config.yaml file, set them securely in the environmental variables:
credentials: aws-secrets-manager: auth: type: static access-key-id: value-from: provider: env key: AWS_ACCESS_KEY_ID secret-access-key: value-from: provider: env key: AWS_SECRET_ACCESS_KEY session-token: value-from: provider: env key: AWS_SESSION_TOKEN region: us-east-1
Akeyless as shared config and credential files
The configuration parameters for integrating with Akeyless, to be used in the credentials_config.yaml file are as follows:
| Parameter | Allowed values | Description |
|---|---|---|
|
|
|
The type of authentication |
|
|
<Access_ID> |
The access ID for the Akeyless API. |
|
|
<Access_Key> |
The access key for the Akeyless API. |
|
|
<URL> |
[Optional]: The host of the Akeyless server. You can point to your gateway by changing this value. Defaults to https://api.akeyless.io. |
|
|
<User_Agent_String> |
[Optional]: The user agent string to use when making requests. |
|
|
<Scheme> |
[Optional]: The scheme to use for the requests (e.g., https). |
|
|
<Header> |
[Optional]: A map of default headers to include in requests. |
The configuration parameters needed to access credentials stored in Akeyless, to be used in the local_config.yaml file are as follows:
| Parameter | Allowed values | Description |
|---|---|---|
|
|
<Secret_Name> |
Name of the secret stored in Akeyless |
|
|
<Secret_Key> |
Key to the secret stored in Akeyless |
To use credentials stored in Akeyless, perform the following steps:
-
Create a
credentials_config.yamlfile to connect the SolarWinds Observability Agent and Akeyless with the following configuration parameters:credentials: akeyless: auth: type: api-key access-id: your-access-id access-key: your-access-key -
Reference Akeyless as the credential source in the
local_config.yamlfile by adding thevalue-fromsection and setprovidertoakeyless. There are two possible credential formats:-
For
key-valueformat, specify both thesecret-nameandsecret-keyin the credential reference:integrations: otel/elasticsearch: - name: test-elasticsearch status-url: http://localhost:9200 collection-interval: 5s password: value-from: provider: akeyless secret-name: your-secret-name secret-key: your-secret-key -
For plain text format, specify only the
secret-namein the credential reference:integrations: otel/elasticsearch: - name: test-elasticsearch status-url: http://localhost:9200 collection-interval: 5s password: value-from: provider: akeyless secret-name: your-secret-name
-
If you prefer not to include the access-id or access-key in the credentials_config.yaml file, set them securely in the environmental variables:
credentials: akeyless: auth: type: api-key access-id: value-from: provider: env key: AKEYLESS_ACCESS_ID access-key: value-from: provider: env key: AKEYLESS_ACCESS_KEY
Infisical
The configuration parameters for integrating with Infisical, to be used in the credentials_config.yaml file are as follows:
| Parameter | Allowed values | Description |
|---|---|---|
|
type |
universal |
The type of authentication.
|
|
client-id |
<Identity_ID> |
Identity ID for the Infisical API |
|
client-secret |
<API_Token> |
Secret for the Identity in the Infisical API |
|
project-id |
<UUID> |
Project ID for the Infisical API |
|
site-url |
<URL> |
[Optional] Site URL of the Infisical server. Default: https://api.infisical.io |
|
cache-expiry |
Value |
[Optional] Cache expiry time in seconds. Default: 0 (no caching). |
|
user-agent |
<Header> |
[Optional] User-Agent header for SDK requests. Default: infisical-go-sdk |
The configuration parameters needed to access credentials stored in Hashicorp Vault, to be used in the local_config.yaml file:
| Parameter | Allowed values | Description |
|---|---|---|
|
secret-key |
<Secret_Key> |
Key to the secrete stored n Infisical |
|
secret-path |
<Path> |
Path to credentials stored in Infisical. Default value: “/” |
|
environment |
<Environment> |
Environment where credentials are stored in Infisical |
To use credentials stored in Infisical, perform the following steps:
-
Create a
credentials_config.yamlfile to connect the SolarWinds Observability Agent and Infisical with the following configuration parameters:credentials: infisical: auth: type: universal client-id: "your-client-id" client-secret: "your-secret" project-id: "your-project-id-written" site-url: "http://192.168.10.20" cache-expiry: 40 -
Reference Infisical as the credential source in the
local_config.yamlfile by adding thevalue-fromsection and setprovidertoinfisical.
When referencing a credential, specify the secret-key, secret-path, and environment fields. You can omit the secret-path, as it defaults to "/".
integrations:
dbo/mysql:
- name: mysql-local-conf-off-host
host: 10.0.2.2
port: 3306
user: root
disable-sampling: true
password:
value-from:
provider: infisical
secret-key: "your-secret-key"
secret-path: "/"
environment: "dev"If you prefer not to include the client-id or client-secret in the credentials_config.yaml file, set them securely through environment variables:
credentials: infisical: auth: type: universal client-id: value-from: provider: env key: INFISICAL_CLIENT_ID client-secret: value-from: provider: env key: INFISICAL_CLIENT_SECRET project-id: "your-project-id-written" site-url: "http://192.168.10.20" cache-expiry: 40