Skip to content

HashiCorp Vault

The HashiCorp Vault Integration enables SailPoint Entro to continuously monitor your Vault environment and identify secrets, tokens, and metadata associated with Non-Human Identities (NHIs). This integration operates in read-only mode to ensure maximum security while providing complete visibility into vaulted secrets and metadata.


Management → Accounts & Integrations → Add New Account (top right) → HashiCorp Vault


Purpose

HashiCorp Vault is commonly used to store and manage secrets across enterprise systems. SailPoint Entro integrates with Vault to:

  • Discover and analyze secret metadata across paths

  • Correlate secret ownership with NHIs

  • Identify configuration and policy misconfigurations

  • Provide continuous monitoring without secret value access


Architecture

┌───────────────────────────────┐
│       Entro Security Cloud    │
│  (Secret & NHI Detection)     │
└──────────────┬────────────────┘
               │  HTTPS (TLS 1.2+)
┌───────────────────────────────┐
│       HashiCorp Vault         │
│ (Secrets, Policies, Tokens)   │
└───────────────────────────────┘

Security Model

  • SailPoint Entro connects using a read-only ACL policy

  • No secret values or credentials are ever extracted

  • All tokens and policies are encrypted using AES-256

  • All communication occurs via HTTPS/TLS 1.2+

  • Integration complies with SOC 2 Type II, ISO 27001, and GDPR


Integration Flow

  1. Create a Vault ACL policy

    Create a Vault ACL policy for SailPoint Entro read-only access.

  2. Generate a Vault token

    Generate a Vault token bound to the created policy.

  3. Provide Vault Server URL and Token

    Provide the Vault Server URL and Token in the SailPoint Entro onboarding form.

  4. Validation and scanning

    SailPoint Entro validates connectivity and begins scanning Vault metadata.