StrongDM Vault & Secrets Deep Dive

How StrongDM Handles Credentials

When a user connects to a resource through StrongDM, the credentials that authenticate the connection are never revealed to the user. The node (gateway, relay, or proxy worker) delivering the traffic fetches credentials and injects them into the connection transparently. Where those credentials come from depends on how you've configured the resource.

Think of it like...

A hotel front desk. Guests never see the master key. The concierge (the node) retrieves the right key from the lockbox (your secret store) and opens the door for the guest. The guest enters, the key goes back in the box.

Three Ways to Store Credentials

Direct (Default)

Credentials are entered directly on the resource form and stored encrypted by StrongDM. Simplest option. Good for smaller deployments or organizations without an existing vault.

Secret Store

Credentials live in your own vault (HashiCorp Vault, AWS Secrets Manager, etc.). The node fetches them at connection time. Credentials never touch StrongDM's infrastructure.

Secrets Management Engine

StrongDM actively manages and rotates credentials in both the target resource and a backing secret store. Requires Enterprise plan.

Connection Flow with Secret Stores

User connects

→

Node checks authorization

→

Node fetches creds from secret store

→

Authenticates to resource

When using a secret store, StrongDM never has the credentials. They go directly from your vault to the node to the resource. If you rotate credentials in your vault, StrongDM picks up the new ones automatically on next connection.

Supported Secret Stores

StrongDM integrates with these secret store providers. Once a resource is configured with a specific secret store, you can't reassign it to a different one (you'd need to recreate the resource).

Provider	Auth Methods	Plan
StrongDM Vault	Built-in (no external auth needed)	All plans
HashiCorp Vault	TLS Certificate, Token, AppRole, AWS EC2, AWS IAM	All plans
AWS Secrets Manager	Access Key + Secret, IAM Instance Profile, IAM Role Assumption	All plans
Azure Key Vault	Managed Identity	All plans
GCP Secret Manager	Service Account	All plans
CyberArk Conjur	API Key	Enterprise
CyberArk PAM	API Key	Enterprise
Delinea Secret Server	API Key	Enterprise

StrongDM Vault

StrongDM Vault is the built-in secret store. It's the default option when configuring resources and requires no external setup. It stores passwords, certificates, and keys encrypted at rest. For organizations that don't already run a vault, this is the simplest path.

Setting Up Secret Stores

The general flow for any third-party secret store is the same: configure the store, set up your relay/gateway to authenticate to it, register it in StrongDM, and then configure resources to reference paths within the store.

HashiCorp Vault Setup

StrongDM supports five authentication methods for Vault. Token auth is fine for testing; for production, use AppRole, TLS certificate, or AWS-based auth.

Store credentials in Vault

Use Vault's KV secrets engine (v1 or v2) to store your resource credentials. Note the full path to each secret (e.g., secret/data/prod/postgres?key=password).
Configure relay authentication

Edit the environment file on your relay or gateway (/etc/sysconfig/sdm-proxy). Set the appropriate variables for your auth method, then restart the service.
Register the secret store in StrongDM

In the Admin UI, go to Settings > Secrets Management > Secret Stores. Click Add secret store. Select your Vault type, enter the server address, and any namespace if using Vault Enterprise.
Configure resources to use it

When creating or editing a resource, select your Vault as the Secret Store and provide the path to the credential in Vault instead of entering the credential directly.

AppRole Authentication (Production)

Set these environment variables on your relay/gateway, then restart the service:

/etc/sysconfig/sdm-proxy

VAULT_ROLE_ID=<YOUR_ROLE_ID>
VAULT_SECRET_ID=<YOUR_SECRET_ID>
VAULT_TOKEN_TTL=600

The VAULT_TOKEN_TTL value (in seconds, or a Go duration like 10m) controls how often the relay refreshes credentials. It should approximately match but not exceed the token_ttl setting on your AppRole in Vault.

Token Authentication (Testing)

/etc/sysconfig/sdm-proxy

VAULT_TOKEN=<YOUR_VAULT_TOKEN>

Warning

Token auth is not recommended for production. Tokens can expire and require manual renewal. Use AppRole or AWS-based auth for anything beyond testing.

Vault Enterprise Namespaces

If your secret lives inside a Vault Enterprise namespace, you have two options when registering the secret store:

Set the namespace field to empty and use the full path: namespace/mysecret?key=username
Set the namespace field to namespace/ and use the short path: mysecret?key=username

The token you authenticate with must have access within the namespace you specify. Mismatched namespace/token combinations will cause the healthcheck to fail.

AWS Secrets Manager Setup

Three authentication options: static access keys, IAM instance profile (same-account EC2), or IAM role assumption (cross-account).

Option A: Static Access Keys

/etc/sysconfig/sdm-proxy

AWS_ACCESS_KEY_ID=<YOUR_KEY_ID>
AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_KEY>

Option B: IAM Instance Profile (Same Account)

If your relay/gateway runs on an EC2 instance in the same AWS account as Secrets Manager:

Create an IAM role with the SecretsManagerReadWrite policy.
Attach the role to the EC2 instance (Actions > Security > Modify IAM Role).
No environment variables needed on the relay.

Option C: IAM Role Assumption (Cross-Account)

For relays in a different account than your Secrets Manager:

Create an IAM role in the Secrets Manager account with SecretsManagerReadWrite.
In the relay's account, create a custom policy allowing sts:AssumeRole for that role.
When registering the secret store in StrongDM, fill in the Assume Role ARN and optional External ID.

Then register in StrongDM: Settings > Secrets Management > Secret Stores > Add secret store > AWS Secrets Manager. Provide a display name and region. The relay authenticates to AWS to fetch secrets at connection time.

Azure Key Vault Setup

StrongDM uses Azure Managed Identity to authenticate relays/gateways to Key Vault. Only the "Secrets" object type in Key Vault is supported (but you can store Base64-encoded certificates/keys as secrets).

Prerequisites

StrongDM account administrator
Microsoft Entra role that can manage Key Vault and assign managed identities
Azure subscription Owner or User Access Administrator role

Create or select your Key Vault

In the Azure portal, create a Key Vault if you don't have one. Store your resource credentials as secrets.
Configure IAM for the relay

Update the Key Vault's Access Control (IAM) to allow the managed identity of your gateway/relay VM. See Azure's Managed Identities documentation.
Register in StrongDM

Go to Settings > Secrets Management > Secret Stores > Add secret store. Select Azure Key Vault. Enter the Vault URI (e.g., https://<VAULT_NAME>.vault.azure.net/).

GCP Secret Manager Setup

GCP Secret Manager accepts plaintext or JSON secrets. Authentication uses a GCP service account.

Store secrets in GCP Secret Manager

Use the Google Cloud Console or gcloud CLI to create secrets and store your resource credentials.
Set up service account credentials

Create a service account with Secret Manager Accessor role. Download the key file and place it on your relay/gateway. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path.
Register in StrongDM

Go to Settings > Secrets Management > Secret Stores > Add secret store. Select GCP Secret Manager and enter a display name.

Configuring a Resource with a Secret Store

Once a secret store is registered and healthy (green indicator in Admin UI), you can use it when creating resources. Instead of entering a password directly, you select the secret store and provide the path to the credential within it.

Important

Once a resource is configured with a specific secret store provider, you cannot change it to a different provider. You'd need to delete and recreate the resource. Plan your secret store strategy before onboarding resources at scale.

CLI: Creating Secret Stores

You can also create secret stores from the CLI:

terminal

# List existing secret stores
sdm admin secretstores list

# Create a HashiCorp Vault secret store (AppRole auth)
sdm admin secretstores create vaultAppRole \
  --name "Production Vault" \
  --server-address "https://vault.example.com:8200"

# Create an AWS Secrets Manager store
sdm admin secretstores create aws \
  --name "AWS Prod Secrets" \
  --region "us-east-1"

Certificate Authorities

Certificate authorities let your SSH and RDP resources authenticate with trusted certificates instead of static key pairs or passwords. StrongDM provides a built-in CA (Strong CA) automatically for every organization, and Enterprise customers can integrate third-party CAs.

Strong CA (Built-In)

Every StrongDM organization gets two Strong CAs by default: one for SSH and one for RDP. There's nothing to configure.

SSH Certificate Lifespan 3 years (no expiration on individual certs by default) RDP Certificate Lifespan Configurable: 1, 2, or 3 years Certificate Limit 100 certificates per CA Active Certificates Only one active certificate per CA at a time

How Certificate Auth Works

User initiates session

→

Node requests short-lived cert from CA

→

CA signs certificate

→

Node authenticates to resource

Setting Up SSH Certificate Auth

Get the CA public key

In the Admin UI, go to Settings > Secrets Management > Certificate Authorities. Select the SSH CA, click the active certificate, and copy the public key.
Trust the CA on your hosts

Save the key as /etc/ssh/sdm_ca.pub on each target host. Add TrustedUserCAKeys /etc/ssh/sdm_ca.pub to /etc/ssh/sshd_config, then restart sshd.
Create the resource in StrongDM

Add an SSH (Certificate Auth) resource. Select your CA and key type. StrongDM issues short-lived certificates for each connection.

sshd_config (on target host)

# Trust StrongDM CA for user authentication
TrustedUserCAKeys /etc/ssh/sdm_ca.pub

Setting Up RDP Certificate Auth

Download the root certificate

In the Admin UI, go to Settings > Secrets Management > Certificate Authorities. Select the RDP CA and download the rdp.cer file.
Trust the CA in Active Directory

Upload the root certificate to Microsoft Entra ID (Security > Certificate authorities) or distribute it via Group Policy to your on-premises AD.
Create the resource in StrongDM

Add an RDP (Certificate Auth) resource. Select the CA. Connection authentication is handled via short-lived X.509 certificates.

Third-Party CAs (Enterprise)

Enterprise plan customers can integrate external CAs instead of using the Strong CA. Supported third-party CAs:

Provider	Protocol	Auth Methods
HashiCorp Vault	SSH & RDP	TLS Cert, Token, AppRole, AWS EC2, AWS IAM
Active Directory Certificate Services	RDP	NDES with username/password
AWS Private CA	RDP	Access Key, IAM Instance Profile
GCP Certificate Authority Service	RDP	Service Account
Keyfactor EJBCA	SSH & RDP	TLS Client Certificate

CLI & Terraform

Third-party CAs are treated as secret stores in the CLI, SDKs, and Terraform. Use sdm admin secretstores create commands and the sdm_secret_store Terraform resource type. Activities are logged the same way as secret store activities.

Certificate Rotation

You can create multiple certificates under a CA but only one is active at a time. To rotate:

Create a new certificate in the Admin UI.
Deploy the new certificate's public key (SSH) or root cert (RDP) to your hosts.
Once deployed, activate the new certificate in StrongDM.
The old certificate becomes inactive and can be removed.

Caution

Rotating the active SSH CA terminates all existing SSH sessions using the previous CA. Stage rotations carefully and deploy the new CA public key to all hosts before activating.

Secrets Management (Enterprise)

StrongDM's secrets management goes beyond just storing credentials. Secret engines can actively manage and rotate credentials in both the target resource and a backing secret store simultaneously.

Secret Engine Types

Engine Type	What It Does	Rotation
Key Value	Manually create, update, or delete secrets in any supported secret store	Manual only
Active Directory	Manage and rotate AD credentials, synced to a secret store	Automatic
PostgreSQL	Rotate PostgreSQL credentials and sync to a secret store	Automatic
MySQL	Rotate MySQL credentials and sync to a secret store	Automatic
SQL Server	Rotate SQL Server credentials and sync to a secret store	Automatic

Backing Secret Stores

Every secret engine needs a backing secret store where it keeps synchronized copies of credentials. Supported backing stores for secrets management:

AWS Secrets Manager Azure Key Vault GCP Secret Manager HashiCorp Vault StrongDM Vault

StrongDM Vault as a backing store requires nodes running version 51.51.0 or higher.

How Rotation Works

Secret engine triggers rotation (scheduled or manual)

↓

Engine connects to target resource (e.g., PostgreSQL)

↓

Rotates credential on the resource itself

↓

Updates the credential in the backing secret store

↓

Next connection uses new credential automatically

Key Value Engine Use Cases

The Key Value engine doesn't connect to any target resource. It just manages secrets in a store. This is useful for:

Resource types that don't have a dedicated engine (e.g., Redis, DynamoDB)
Non-resource secrets like Windows admin credentials that users need to retrieve manually
Integration with policy-based secret entitlement for audited credential retrieval

Secret Entitlement with Policies

StrongDM policies can entitle specific users to retrieve secrets manually. This is useful for credentials that aren't for StrongDM-proxied access, like a Windows admin password a user needs to enter themselves. Every retrieval is logged and auditable.

Deployment Patterns

Decision Guide

Which approach should you use?

Scenario	Approach
Small org, no existing vault, getting started	Store credentials directly on resources (default)
Already using a vault, security policy requires external storage	Integrate your existing secret store
Want centralized credential management without a third-party tool	Use StrongDM Vault as your secret store
Need automated credential rotation	Use StrongDM secrets management engines (Enterprise)
SSH/RDP at scale, want to eliminate static keys	Use certificate authentication with Strong CA or third-party CA

Terraform Examples

Creating a Secret Store

secretstore.tf

# HashiCorp Vault (AppRole auth)
resource "sdm_secret_store" "vault" {
  vault_approle {
    name           = "prod-vault"
    server_address = "https://vault.example.com:8200"
  }
}

# AWS Secrets Manager
resource "sdm_secret_store" "aws_sm" {
  aws {
    name   = "aws-prod-secrets"
    region = "us-east-1"
  }
}

Resource Using a Secret Store

postgres-with-vault.tf

resource "sdm_resource" "prod_pg" {
  postgres {
    name           = "prod-postgres"
    hostname       = "pg.internal.example.com"
    port           = 5432
    database       = "production"
    username       = "secret/data/prod/pg?key=username"
    password       = "secret/data/prod/pg?key=password"
    secret_store_id = sdm_secret_store.vault.id
    tags = {
      env  = "production"
      team = "platform"
    }
  }
}

Vault SSH CA in Terraform

vault-ssh-ca.tf

resource "sdm_secret_store" "vault_ssh_ca" {
  vault_tls_cert_ssh {
    name              = "vault-ssh-ca"
    server_address    = "https://vault.example.com:8200"
    signing_role      = "sdm-ssh-signer"
    ssh_mount_point   = "ssh-ca/"
    client_certificate_path = "/path/to/client.crt"
    client_key_path         = "/path/to/client.key"
  }
}

Troubleshooting

Secret store shows as unhealthy (red)

The relay/gateway can't authenticate to the secret store. Check: (1) environment variables are set correctly on the node, (2) the node has network access to the vault address, (3) the authentication credentials (token, role ID, IAM role) are valid and not expired. Restart the node service after making changes.

Resource connection fails after credential rotation

If you rotated credentials in your vault but the connection fails, check that the path in the resource configuration still points to the right location. StrongDM doesn't care about credential changes (it fetches fresh each time), but it does care about path changes.

Vault namespace mismatch errors

If using Vault Enterprise namespaces, ensure the token you're authenticating with has access to the namespace specified in StrongDM. A token from namespace1/ won't work with a secret store configured for namespace2/.

Certificate TTL too short

Third-party CAs default to 5-minute TTLs. If your connections are timing out, you can increase the Certificate TTL Minutes in StrongDM. Note that Vault's max_ttl on the signing role caps the effective TTL -- if the StrongDM value exceeds max_ttl, you'll get errors.

Quick Reference

Task	Where
Manage secret stores	Admin UI: Settings > Secrets Management > Secret Stores
Manage CAs	Admin UI: Settings > Secrets Management > Certificate Authorities
CLI: List secret stores	`sdm admin secretstores list`
CLI: Create secret store	`sdm admin secretstores create <type>`
CLI: List secret engines	`sdm admin secretengines list`
Terraform: Secret store	`sdm_secret_store` resource
Terraform: Third-party CA	`sdm_secret_store` resource (CAs use secret store API)

Note

Content sourced from docs.strongdm.com, March 2026. For the latest on secret store types, secrets management engines, and CA integrations, see the Secret Stores and Certificate Authorities documentation.