Password Retrieval from HashiCorp Vault
When the Gateway setup is saved, the Gateway fetches the password from HashiCorp Vault and passes it to the Netprobe in encrypted form.
Current Behavior of HashiCorp Vault Token/Password Retrieval
- Initial Load without Netprobe Connection:
  - The Gateway does not make any request to the Vault if no Netprobe is connected.
- Netprobe Connection Established:
  - Once the Netprobe connects, the Gateway requests both the token and the password from the Vault.
  - The retrieved password is stored in-memory and can be observed in the Gateway logs if debug logging for ExternalPasswordManager is enabled.
  - The stored password appears in the format +encs+xxxxxx, representing an in-memory reference rather than a physical file.
  - This password is valid for the duration of the session. If the password in the Vault is rotated, the stored password becomes invalid, as the Gateway does not automatically fetch a new password.
- Password Refresh Mechanism:
  - A new password is retrieved only during a password re-validation, which occurs in the following scenarios:
    - A change is made to the extPwd field of the sampler.
    - The Gateway is restarted.
From Geneos version GA7.1.0, a new feature (AA-7035) allows cached external passwords to be refreshed at regular configured intervals or on setup reload.
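An added example, not from Geneos or the original page: a check for the stale-cache condition described above, which flags a secret rotated after the Gateway's last password re-validation. It assumes the secret is held in a Vault KV v2 engine and that its metadata response has already been fetched; the function names, the sample response and the timestamps are constructed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of a Vault KV v2 metadata response
# (the body returned by GET /v1/<mount>/metadata/<path>).
SAMPLE_METADATA = json.dumps({
    "data": {
        "current_version": 3,
        "versions": {
            "2": {"created_time": "2024-04-01T08:00:00.5Z",
                  "deletion_time": "", "destroyed": False},
            "3": {"created_time": "2024-05-02T09:15:30.123456789Z",
                  "deletion_time": "", "destroyed": False},
        },
    }
})

def parse_vault_time(value):
    """Parse Vault's RFC 3339 UTC timestamps (up to nanosecond precision)."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    # datetime holds microseconds only, so truncate the fraction to 6 digits.
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def cache_status(metadata_json, last_revalidation):
    """Classify the Gateway's cached password against the secret's current version.

    last_revalidation: UTC time of the last Gateway restart or extPwd change
    (supplied by the operator; an assumption of this example).
    Returns "current", "stale" (rotated since then) or "unavailable"
    (the current version was deleted or destroyed in Vault).
    """
    data = json.loads(metadata_json)["data"]
    version = data["versions"][str(data["current_version"])]
    if version["destroyed"] or version["deletion_time"]:
        return "unavailable"
    rotated_at = parse_vault_time(version["created_time"])
    return "stale" if rotated_at > last_revalidation else "current"

if __name__ == "__main__":
    gateway_start = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed
    print(cache_status(SAMPLE_METADATA, gateway_start))
```

A "stale" result means the Gateway needs a re-validation (restart, extPwd change, or the GA7.1.0 refresh) before the sampler can authenticate with the rotated password.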