Steps to configure an external credential vault in RPA Hub

Yokohama Data and Automation

Release

yokohama

ft:locale

en-US

ft:publication_title

Yokohama Data and Automation

ft:clusterId

crint

bundleId

crint

workflow

Creator

Steps to configure an external credential vault in RPA Hub

Release version: Yokohama

Updated January 30, 2025

3 minutes to read

Summarize

Summarized using AI

Summary of Steps to Configure an External Credential Vault in RPA Hub

This guide outlines the essential steps for ServiceNow customers to configure an external credential vault in RPA Hub (Release Yokohama). Following these steps enables secure integration of external credential stores—such as CyberArk—with RPA processes, enhancing credential management and security.

Show full answer Show less

Step 1: Create a Subflow for Vault Integration

Create a subflow in Workflow Studio designed to integrate with the external credential vault.
Ensure the subflow input type is JSON, matching the expected format used by robot credentials, application credentials, or TOTP authenticators. The JSON must include fields like appID and query.
Use REST or other integration steps (e.g., SOAP) within the subflow to communicate with the external vault.
Align the subflow output strictly with the specified JSON schema, which includes status, data (with mandatory sensitiveValue), and error handling objects. This alignment is critical for successful validation by RPA GraphQL APIs and to prevent errors.
Structure the result output JSON differently based on success or failure, ensuring required keys like status and either sensitiveValue (success) or errorMessage (failure) are populated.

Step 2: Create an External Credential Vault Record

Create a record in RPA Hub representing the external credential vault. Refer to the sample Demo CyberArk vault for guidance and configuration details.

Step 3: Establish Connection Using ServiceNow Connections and Credentials

Create an active HTTP(s) connection record that complies with organizational security policies.
Use this connection in conjunction with credential aliases to link the RPA Hub subflow with the external vault securely.
Consult the Demo CyberArk subflow for example connection and credential alias setups.

Step 4: Configure Robot, Application Credential, or TOTP Authenticator to Use the Vault

Navigate to the desired credential or authenticator record and select the External Credential checkbox.
Choose the external credential vault record created in Step 2.
Populate the Subflow Input field with a valid JSON object containing necessary parameters to retrieve credentials from the vault.
Refer to the respective creation guides for robot credentials, application credentials, or TOTP authenticators to correctly configure these fields.

Key Outcomes

Securely integrate external credential vaults with RPA Hub, enabling centralized and secure management of sensitive credentials.
Ensure compatibility and validation of subflow outputs with RPA GraphQL APIs to prevent configuration errors.
Leverage ServiceNow Connections and Credentials framework to maintain compliance with security requirements during vault integration.
Enable robot credentials, application credentials, and TOTP authenticators to dynamically retrieve credentials from external vaults, improving security posture and operational flexibility.

Use this list of steps to guide you through all the tasks of configuring an external credential vault in RPA Hub.

Complete all the tasks for a step before moving on to the next step.

Do the steps in the order that they’re presented.

Table 1. Steps to configure an external credential vault in RPA Hub
Task	Reference
1. Create a subflow to integrate your external credential vault. For more information, see Create a subflow in Workflow Studio.	For reference, see the sample Demo CyberArk Subflow in your ServiceNow instance.
1.A. Verify that the subflow that you’re creating to integrate with the External Credential Vault, must have an input type as JSON. This input takes the value from the Subflow Input field of the Robot Credential, Application Credential, or Time-based One-time Password (TOTP) Authenticator. For example, the robot credential or application credential or TOTP authenticators that are using the Demo CyberArk external credential vault, must align with the following JSON format: `{ "appID" : "", "query" : "" }` Populate values for appID and query.
1.B. You can use the REST Step in the subflow to connect with the external credential vault. You can also use other integration steps such as SOAP. For more information, see Workflow Studio steps.
1.C. Verify that the output of your subflow must be aligned with the following JSON schema. { "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", "properties": { "result": { "type": "object", "properties": { "status": { "type": "string", "enum": ["success", "failure"] }, "data": { "type": "object", "properties": { "username": { "type": "string" }, "sensitiveValue": { "type": "string" }, "additionalData": { "type": "object" } }, "required": ["sensitiveValue"] }, "error": { "type": "object", "properties": { "errorType": { "type": "string" }, "errorMessage": { "type": "string" }, "additionalErrorData": { "type": "object" } }, "required": ["errorMessage"] } }, "required": ["status"] } }, "required": ["result"] };	This schema is used by the Robotic Process Automation (RPA) GraphQL APIs to validate the subflow output. If the output isn’t aligned with this schema, an error is encountered. Error Message: `The JSON received from the subflow deviates from the expected JSON schema. Rectify the JSON structure by aligning it with the specified schema in the documentation.`
1.D. You can align with the expected JSON schema (mentioned in 1.C) by defining a JSON output with the name 'result' for the Subflow. For success status, this result output must be assigned with a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and sensitiveValue keys are required. `{ "status": "success", //Mandatory "data": { "username": "", "sensitiveValue": "" //Mandatory "additionalData": {} } }` For failure status, this result output must be assigned with a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and errorMessage keys are required. `{ "status": "failure", //Mandatory "error": { "errorType": "", "errorMessage": "", //Mandatory "additionalErrorData": {} } }`
2. Create an external credential vault record. For more information, see Create an external credential vault record in RPA Hub.	For reference, see the sample Demo CyberArk external credential vault in your ServiceNow instance.
3. Establish a connection with an external credential vault by using the ServiceNow Connections and Credentials. For more information about creating an active connection, see Create an HTTP(s) connection. While configuring the connection record, verify to align with your organizational security requirements.	For reference, see the sample Demo CyberArk Subflow that uses RPA CyberArk connection and credential alias. Create a connection record in this connection and credential alias to establish connection with your CyberArk external vault.
4. To use the external credential vault record, that you created in step 2, navigate to either robot credential, application credential, or TOTP authenticator and select the External Credential check box. Also, select a record in the External Credential Vault field and populate the Subflow Input field with a valid JSON object. The JSON must contain the necessary information for retrieving credentials from the external credential vault.	For more information about configuring these fields, see Create a robot credential in RPA Hub, Create an application credential in RPA Hub, and Create a TOTP authenticator in RPA Hub.