<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Accessing Credential Vault Secrets Securely from Workflow TypeScript Code in Automations</title>
    <link>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302068#M2693</link>
    <description>&lt;P&gt;&lt;SPAN&gt;console.log(response.token);&amp;nbsp; &amp;nbsp; ---- Always returns undefined&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 17 Jul 2026 12:43:14 GMT</pubDate>
    <dc:creator>MarwanC</dc:creator>
    <dc:date>2026-07-17T12:43:14Z</dc:date>
    <item>
      <title>Accessing Credential Vault Secrets Securely from Workflow TypeScript Code</title>
      <link>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302015#M2687</link>
      <description>&lt;DIV&gt;&lt;H1&gt;Accessing Credential Vault Secrets Securely from Workflow TypeScript Code&lt;/H1&gt;&lt;P&gt;Hello Dynatrace Community Colleagues,&lt;/P&gt;&lt;P&gt;I am currently implementing a workflow that needs to manage and rotate authentication tokens using the Dynatrace Credential Vault. Storing and rotating the token itself is not a problem, as I can leverage the &lt;STRONG&gt;Credential Vault APIs (ClientVault API / native Dynatrace credential management capabilities)&lt;/STRONG&gt; to create, update, and rotate secrets.&lt;/P&gt;&lt;P&gt;The challenge is related to &lt;STRONG&gt;secure secret consumption&lt;/STRONG&gt; within a custom Workflow task implemented in &lt;STRONG&gt;TypeScript&lt;/STRONG&gt;.&lt;/P&gt;&lt;H2&gt;Current Situation&lt;/H2&gt;&lt;P&gt;My workflow needs to call external AWS APIs. To authenticate these calls, I need access to a token that is stored in the Dynatrace Credential Vault.&lt;/P&gt;&lt;P&gt;I want to avoid the following approaches:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Hardcoding the token in the workflow definition.&lt;/LI&gt;&lt;LI&gt;Storing the token in local variables.&lt;/LI&gt;&lt;LI&gt;Exposing the secret in workflow inputs, outputs, logs, or task parameters.&lt;/LI&gt;&lt;LI&gt;Persisting the token anywhere outside the Dynatrace Credential Vault.&lt;/LI&gt;&lt;/UL&gt;&lt;H2&gt;What I Am Trying to Achieve&lt;/H2&gt;&lt;P&gt;The built-in &lt;STRONG&gt;Workflow HTTP Task&lt;/STRONG&gt; appears to be able to reference credentials stored in the Credential Vault and transparently inject them into outbound HTTP requests without exposing the underlying secret value.&lt;/P&gt;&lt;P&gt;My question is:&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;Is there an equivalent mechanism available for custom TypeScript code running in Workflows like the current HTTP Task of a workflow?&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;More specifically:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;How does the Workflow HTTP Task securely retrieve credentials from the Credential Vault?&lt;/LI&gt;&lt;LI&gt;Which internal Dynatrace service or API is used for secret resolution?&lt;/LI&gt;&lt;LI&gt;Can custom workflow code access secrets through the same mechanism without exposing the secret material?&lt;/LI&gt;&lt;LI&gt;Is there a supported SDK, API, or execution context that allows a workflow application to consume vault-managed credentials securely?&lt;/LI&gt;&lt;/OL&gt;&lt;H2&gt;Technical Context&lt;/H2&gt;&lt;P&gt;From what I understand, credentials are managed through the Dynatrace Credential Vault and can be referenced by resources internally. However, the retrieval path used by native workflow tasks does not seem to be publicly documented for custom applications.&lt;/P&gt;&lt;P&gt;For example, when configuring an HTTP Task:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;A credential object is selected.&lt;/LI&gt;&lt;LI&gt;The task executes successfully.&lt;/LI&gt;&lt;LI&gt;The secret value is never exposed in the workflow definition or execution details which is indeed as intended by a credential vault design and principle.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;This suggests that Dynatrace performs secure server-side secret resolution and injection.&lt;/P&gt;&lt;P&gt;I would like to understand whether custom TypeScript workflow code can leverage the same capability.&lt;/P&gt;&lt;H2&gt;Alternative Recommendations&lt;/H2&gt;&lt;P&gt;If direct access is intentionally restricted, I would appreciate guidance on recommended architectural patterns, such as:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Using OAuth credentials managed by Dynatrace.&lt;/LI&gt;&lt;LI&gt;Delegating AWS calls through a Workflow HTTP Task.&lt;/LI&gt;&lt;LI&gt;Using service-to-service authentication mechanisms.&lt;/LI&gt;&lt;LI&gt;Any supported secret-broker or credential-injection pattern for Workflow applications.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;The Dynatrace Credential Vault and its APIs are powerful for secret lifecycle management, but currently they appear primarily geared toward Dynatrace-managed integrations. I am looking for a secure and supported way for custom workflow applications to consume those secrets without exposing them.&lt;/P&gt;&lt;P&gt;Any guidance, best practices, or product recommendations would be greatly appreciated.&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;/DIV&gt;</description>
      <pubDate>Thu, 16 Jul 2026 13:26:29 GMT</pubDate>
      <guid>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302015#M2687</guid>
      <dc:creator>MarwanC</dc:creator>
      <dc:date>2026-07-16T13:26:29Z</dc:date>
    </item>
    <item>
      <title>Re: Accessing Credential Vault Secrets Securely from Workflow TypeScript Code</title>
      <link>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302037#M2688</link>
      <description>&lt;P&gt;&lt;a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/64346"&gt;@MarwanC&lt;/a&gt;&amp;nbsp;Have you considered using credentialvaultclient ?&lt;/P&gt;&lt;P&gt;&lt;A href="https://developer.dynatrace.com/develop/sdks/client-classic-environment-v2/#credentialvaultclient" target="_blank"&gt;https://developer.dynatrace.com/develop/sdks/client-classic-environment-v2/#credentialvaultclient&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Jul 2026 02:03:13 GMT</pubDate>
      <guid>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302037#M2688</guid>
      <dc:creator>p_devulapalli</dc:creator>
      <dc:date>2026-07-17T02:03:13Z</dc:date>
    </item>
    <item>
      <title>Re: Accessing Credential Vault Secrets Securely from Workflow TypeScript Code</title>
      <link>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302038#M2689</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/64346"&gt;@MarwanC&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yes, credentialVaultClient from the @dynatrace-sdk/client-classic-environment-v2 package is exactly the mechanism you're looking for.&lt;/P&gt;&lt;P&gt;To answer your specific questions:&lt;/P&gt;&lt;P&gt;Points 1/2 — HTTP Task credential resolution: Correct. The HTTP Task resolves credentials server-side through the Credential Vault service. The secret value never appears in the workflow definition, execution history, or logs — only the credential ID is stored in the task configuration.&lt;/P&gt;&lt;P&gt;Points 3/4 — Custom TypeScript access: Correct. The "Run JavaScript" (ad-hoc action) task in a Workflow runs in an authenticated app context and can call credentialVaultClient directly from @dynatrace-sdk/client-classic-environment-v2.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Sujit&lt;/P&gt;</description>
      <pubDate>Fri, 17 Jul 2026 05:23:47 GMT</pubDate>
      <guid>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302038#M2689</guid>
      <dc:creator>sujit_k_singh</dc:creator>
      <dc:date>2026-07-17T05:23:47Z</dc:date>
    </item>
    <item>
      <title>Re: Accessing Credential Vault Secrets Securely from Workflow TypeScript Code</title>
      <link>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302060#M2692</link>
      <description>&lt;P&gt;You may have miss read what I am really looking for, in the API there is no way to extract the token itself, the main usage in my workflow is to read the token from the vault and use it in a code to call another http call all by code, i.e. I need the actual token. I do not see any API that do this, please point me to the exact field that I can fetch the token value from. Here is the simplest code fragment that I can provide and it works fine from my task like but no token to use given the ID:&lt;/P&gt;&lt;P&gt;import { credentialVaultClient } from "@dynatrace-sdk/client-classic-environment-v2";&lt;/P&gt;&lt;P&gt;import { execution } from '@dynatrace-sdk/automation-utils';&lt;/P&gt;&lt;P&gt;// According to documentation&lt;BR /&gt;// The credentials set including username/certificate, password or token is included in the response.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;const response = await credentialVaultClient.getCredentials&lt;BR /&gt;(&lt;BR /&gt;&amp;nbsp; {&lt;BR /&gt;&amp;nbsp; &amp;nbsp; id: "CREDENTIALS_VAULT-DE4276F37CF26CCC"&lt;BR /&gt;&amp;nbsp; }&lt;BR /&gt;);&lt;BR /&gt;&lt;BR /&gt;console.log(response.credentialUsageSummary);&lt;BR /&gt;console.log(response.description);&lt;BR /&gt;console.log(response.externalVault);&lt;BR /&gt;console.log(response.id);&lt;BR /&gt;console.log(response.name);&lt;BR /&gt;console.log(response.owner);&lt;BR /&gt;console.log(response.ownerAccessOnly);&lt;BR /&gt;console.log(response.scope);&lt;BR /&gt;console.log(response.type);&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Jul 2026 09:26:36 GMT</pubDate>
      <guid>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302060#M2692</guid>
      <dc:creator>MarwanC</dc:creator>
      <dc:date>2026-07-17T09:26:36Z</dc:date>
    </item>
    <item>
      <title>Re: Accessing Credential Vault Secrets Securely from Workflow TypeScript Code</title>
      <link>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302068#M2693</link>
      <description>&lt;P&gt;&lt;SPAN&gt;console.log(response.token);&amp;nbsp; &amp;nbsp; ---- Always returns undefined&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Jul 2026 12:43:14 GMT</pubDate>
      <guid>https://community.dynatrace.com/t5/Automations/Accessing-Credential-Vault-Secrets-Securely-from-Workflow/m-p/302068#M2693</guid>
      <dc:creator>MarwanC</dc:creator>
      <dc:date>2026-07-17T12:43:14Z</dc:date>
    </item>
  </channel>
</rss>

