How are vaults used in ConductorOne?
When you use ConductorOne to provision new application accounts through connectors that support automatic account provisioning, these new accounts are often created with a starter password. Vaults provide a secure location to collect all these initial passwords. This allows the vault owner to easily distribute them to the owners of the new accounts, whether through email, Slack, or your preferred communication method.
Set up a new vault
1. Navigate to Admin > Settings > Vaults and click Add vault.
2. Give the new vault a name and description.
3. Set a vault owner or owners. The vault owner is the only user who can view and decrypt all the credentials within the vault. Super admins can create vaults, but cannot decrypt passwords for others without the vault owner permission.
4. Click Save.

Set the default password expiration for the vault
If needed, you can set the length of time newly created passwords will last before they expire.
1. On a vault’s details page, click the settings icon (it looks like a gear).
2. Use the dropdown to select how long passwords created in this vault will last. Preset options range from one hour to one year. Choose Custom to select a password duration if your preferred length isn’t on the list.
3. Click Save.
Configure a connector to save new account passwords to a vault
1. Navigate to Admin > Applications.
2. On the Managed apps tab, locate and click on the application you want to configure.
3. On the app’s Controls tab, locate the Access management section of the page and click Edit. The provisioning configuration drawer opens.
4. Select Connector from the dropdown, then select the connector for this app. The Mappings panel is shown. (See the automatic account provisioning docs for more on configuring the connector, if you haven’t already done so.)
5. In the Password storage area of the page, select Save to vault and select the vault you want to use.
6. Click Save.