Integration
This is an IBM Automation portal for Integration products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Shape the future of IBM!
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Search existing ideas
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post your ideas
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Specific links you will want to bookmark for future use
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
To quote from the Hashicorp blurb :
"HCP Vault Dedicated and Vault Enterprise provide a comprehensive platform for secure, centralized secrets management that aligns with enterprise security objectives. By enabling dynamic, short-lived credentials, automated rotation, and fine-grained access control, Vault helps security leaders eliminate long-lived secrets and enforce policy across the organization. Its robust audit logging, identity brokering, and compliance features also support internal governance and external regulatory requirements."
We really need ACE to do the same as the lifetime of credentials is reduced (for certs to 47 days but for keys and tokens the requirement is now coming down to hours or minutes, meaning that restarting the pod is not a feasible option.
As we are also moving our secrets into Hashicorp vault (currently our pipelines deploy the secrets from an encrypted version in Git). Hashicorp seems well designed (we use the vault sidecar container to manage the secure connection to the vault) and is able to dynamically update the secrets in kubernetes (OCP in our case), but because we have to transfer the secrets into ACE by running the container startup scripts, even if the credentials are updated in the vault (and k8s secrets), we have to restart the pod to pick them up.
So, yes, ideally ACE using the Hashicorp (or external) vault rather than ACE vault would be ideal, but if not, then at least a way for ACE to refresh its cache of the secrets if they are updated.
Thanks.
Noting duplicate idea here: https://integration-development.ideas.ibm.com/ideas/APPC-I-1038
Thank you for taking the time to raise this enhancement request, which of course is timely given the likely IBM acquisition of Hashicorp (assuming the remaining regulatory approvals are forthcoming and lead to a closed transaction). In general we view positively the thought that some customers would prefer to store their credentials in an external vault technology, and yet we also very much still see the need to maintain a first class experience with our own built-in vault technology and also the need to integrate seamlessly with Kubernetes secrets. We are pleased that you have managed to use your pipeline to pull secrets from HCV and inject them into K8S secrets / an ACE vault. When adding the startup script feature to the ACE independent integration server (https://www.ibm.com/docs/en/app-connect/12.0?topic=servers-configuring-independent-integration-server-startup-script), injection of credentials from a 3rd party vault was one of the leading motivators for this work. Regarding the suggestion of a more formalised built-in interface to HCV, we absolutely accept the requirement for Future Consideration.