Automations
All questions related to Workflow Automation, AutomationEngine, and EdgeConnect, as well as integrations with various tools.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Accessing Credential Vault Secrets Securely from Workflow TypeScript Code

MarwanC
Advisor

Accessing Credential Vault Secrets Securely from Workflow TypeScript Code

Hello Dynatrace Community Colleagues,

I am currently implementing a workflow that needs to manage and rotate authentication tokens using the Dynatrace Credential Vault. Storing and rotating the token itself is not a problem, as I can leverage the Credential Vault APIs (ClientVault API / native Dynatrace credential management capabilities) to create, update, and rotate secrets.

The challenge is related to secure secret consumption within a custom Workflow task implemented in TypeScript.

Current Situation

My workflow needs to call external AWS APIs. To authenticate these calls, I need access to a token that is stored in the Dynatrace Credential Vault.

I want to avoid the following approaches:

  • Hardcoding the token in the workflow definition.
  • Storing the token in local variables.
  • Exposing the secret in workflow inputs, outputs, logs, or task parameters.
  • Persisting the token anywhere outside the Dynatrace Credential Vault.

What I Am Trying to Achieve

The built-in Workflow HTTP Task appears to be able to reference credentials stored in the Credential Vault and transparently inject them into outbound HTTP requests without exposing the underlying secret value.

My question is:

Is there an equivalent mechanism available for custom TypeScript code running in Workflows like the current HTTP Task of a workflow?

More specifically:

  1. How does the Workflow HTTP Task securely retrieve credentials from the Credential Vault?
  2. Which internal Dynatrace service or API is used for secret resolution?
  3. Can custom workflow code access secrets through the same mechanism without exposing the secret material?
  4. Is there a supported SDK, API, or execution context that allows a workflow application to consume vault-managed credentials securely?

Technical Context

From what I understand, credentials are managed through the Dynatrace Credential Vault and can be referenced by resources internally. However, the retrieval path used by native workflow tasks does not seem to be publicly documented for custom applications.

For example, when configuring an HTTP Task:

  • A credential object is selected.
  • The task executes successfully.
  • The secret value is never exposed in the workflow definition or execution details which is indeed as intended by a credential vault design and principle.

This suggests that Dynatrace performs secure server-side secret resolution and injection.

I would like to understand whether custom TypeScript workflow code can leverage the same capability.

Alternative Recommendations

If direct access is intentionally restricted, I would appreciate guidance on recommended architectural patterns, such as:

  • Using OAuth credentials managed by Dynatrace.
  • Delegating AWS calls through a Workflow HTTP Task.
  • Using service-to-service authentication mechanisms.
  • Any supported secret-broker or credential-injection pattern for Workflow applications.

The Dynatrace Credential Vault and its APIs are powerful for secret lifecycle management, but currently they appear primarily geared toward Dynatrace-managed integrations. I am looking for a secure and supported way for custom workflow applications to consume those secrets without exposing them.

Any guidance, best practices, or product recommendations would be greatly appreciated.

Thank you.

4 REPLIES 4

p_devulapalli
DynaMight Leader
DynaMight Leader

@MarwanC Have you considered using credentialvaultclient ?

https://developer.dynatrace.com/develop/sdks/client-classic-environment-v2/#credentialvaultclient

 

Phani Devulapalli

sujit_k_singh
Champion

Hello @MarwanC 

Yes, credentialVaultClient from the @dynatrace-sdk/client-classic-environment-v2 package is exactly the mechanism you're looking for.

To answer your specific questions:

Points 1/2 — HTTP Task credential resolution: Correct. The HTTP Task resolves credentials server-side through the Credential Vault service. The secret value never appears in the workflow definition, execution history, or logs — only the credential ID is stored in the task configuration.

Points 3/4 — Custom TypeScript access: Correct. The "Run JavaScript" (ad-hoc action) task in a Workflow runs in an authenticated app context and can call credentialVaultClient directly from @dynatrace-sdk/client-classic-environment-v2.

Thanks,

Sujit

Dynatrace Professional Certified

MarwanC
Advisor

You may have miss read what I am really looking for, in the API there is no way to extract the token itself, the main usage in my workflow is to read the token from the vault and use it in a code to call another http call all by code, i.e. I need the actual token. I do not see any API that do this, please point me to the exact field that I can fetch the token value from. Here is the simplest code fragment that I can provide and it works fine from my task like but no token to use given the ID:

import { credentialVaultClient } from "@dynatrace-sdk/client-classic-environment-v2";

import { execution } from '@dynatrace-sdk/automation-utils';

// According to documentation
// The credentials set including username/certificate, password or token is included in the response.


const response = await credentialVaultClient.getCredentials
(
  {
    id: "CREDENTIALS_VAULT-DE4276F37CF26CCC"
  }
);

console.log(response.credentialUsageSummary);
console.log(response.description);
console.log(response.externalVault);
console.log(response.id);
console.log(response.name);
console.log(response.owner);
console.log(response.ownerAccessOnly);
console.log(response.scope);
console.log(response.type);

 

MarwanC
Advisor

console.log(response.token);    ---- Always returns undefined

Featured Posts