16 Jul 2026 02:26 PM
Hello Dynatrace Community Colleagues,
I am currently implementing a workflow that needs to manage and rotate authentication tokens using the Dynatrace Credential Vault. Storing and rotating the token itself is not a problem, as I can leverage the Credential Vault APIs (ClientVault API / native Dynatrace credential management capabilities) to create, update, and rotate secrets.
The challenge is related to secure secret consumption within a custom Workflow task implemented in TypeScript.
My workflow needs to call external AWS APIs. To authenticate these calls, I need access to a token that is stored in the Dynatrace Credential Vault.
I want to avoid the following approaches:
The built-in Workflow HTTP Task appears to be able to reference credentials stored in the Credential Vault and transparently inject them into outbound HTTP requests without exposing the underlying secret value.
My question is:
Is there an equivalent mechanism available for custom TypeScript code running in Workflows like the current HTTP Task of a workflow?
More specifically:
From what I understand, credentials are managed through the Dynatrace Credential Vault and can be referenced by resources internally. However, the retrieval path used by native workflow tasks does not seem to be publicly documented for custom applications.
For example, when configuring an HTTP Task:
This suggests that Dynatrace performs secure server-side secret resolution and injection.
I would like to understand whether custom TypeScript workflow code can leverage the same capability.
If direct access is intentionally restricted, I would appreciate guidance on recommended architectural patterns, such as:
The Dynatrace Credential Vault and its APIs are powerful for secret lifecycle management, but currently they appear primarily geared toward Dynatrace-managed integrations. I am looking for a secure and supported way for custom workflow applications to consume those secrets without exposing them.
Any guidance, best practices, or product recommendations would be greatly appreciated.
Thank you.
17 Jul 2026 03:03 AM
@MarwanC Have you considered using credentialvaultclient ?
https://developer.dynatrace.com/develop/sdks/client-classic-environment-v2/#credentialvaultclient
17 Jul 2026 06:23 AM
Hello @MarwanC
Yes, credentialVaultClient from the @dynatrace-sdk/client-classic-environment-v2 package is exactly the mechanism you're looking for.
To answer your specific questions:
Points 1/2 — HTTP Task credential resolution: Correct. The HTTP Task resolves credentials server-side through the Credential Vault service. The secret value never appears in the workflow definition, execution history, or logs — only the credential ID is stored in the task configuration.
Points 3/4 — Custom TypeScript access: Correct. The "Run JavaScript" (ad-hoc action) task in a Workflow runs in an authenticated app context and can call credentialVaultClient directly from @dynatrace-sdk/client-classic-environment-v2.
Thanks,
Sujit
17 Jul 2026 10:26 AM
You may have miss read what I am really looking for, in the API there is no way to extract the token itself, the main usage in my workflow is to read the token from the vault and use it in a code to call another http call all by code, i.e. I need the actual token. I do not see any API that do this, please point me to the exact field that I can fetch the token value from. Here is the simplest code fragment that I can provide and it works fine from my task like but no token to use given the ID:
import { credentialVaultClient } from "@dynatrace-sdk/client-classic-environment-v2";
import { execution } from '@dynatrace-sdk/automation-utils';
// According to documentation
// The credentials set including username/certificate, password or token is included in the response.
const response = await credentialVaultClient.getCredentials
(
{
id: "CREDENTIALS_VAULT-DE4276F37CF26CCC"
}
);
console.log(response.credentialUsageSummary);
console.log(response.description);
console.log(response.externalVault);
console.log(response.id);
console.log(response.name);
console.log(response.owner);
console.log(response.ownerAccessOnly);
console.log(response.scope);
console.log(response.type);
17 Jul 2026 01:43 PM
console.log(response.token); ---- Always returns undefined
Featured Posts