---
layout: docs
page_title: Configure Vault ServiceNow Credential Resolver
description: This section documents the configurables for the Vault ServiceNow Credential Resolver.
---

# Configuring the Vault Credential Resolver

## MID server properties

The following [properties] are supported by the Vault Credential Resolver:

- `mid.external_credentials.vault.address` `(string: "")` - Address of Vault Agent as resolveable by the MID server.
  For example, if Vault Agent is on the same server as the MID server it could be `https://127.0.0.1:8200`.

- `mid.external_credentials.vault.ca` `(string: "")` - The CA certificate to trust for TLS in PEM format. If unset,
  the system's trusted CAs will be used.

- `mid.external_credentials.vault.tls_skip_verify` `(string: "")` - When set to true, skips verification of the Vault server
  TLS certificiate. Setting this to true is not recommended for production.

[properties]: https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/product/mid-server/reference/r_MIDServerProperties.html#t_SetMIDServerProperties

## Configuring discovery credentials

To consume Vault credentials from your MID server, you will need to:

* Create a secret in Vault
* Configure the resolver to use that secret

### Creating a secret in Vault

The credential resolver supports reading credentials from the following secret engines:

* [Active Directory](/docs/secrets/ad)
* [AWS](/docs/secrets/aws)
* [K/V v1](/docs/secrets/kv/kv-v1)
* [K/V v2](/docs/secrets/kv/kv-v2)

When creating K/V secrets, you must use the following keys for each component
to ensure it is correctly mapped to ServiceNow's credential fields:

Key         | Description                            | Supported aliases
------------|----------------------------------------|------------------
username    | The username                           | access_key
password    | The password                           | secret_key, current_password
private_key | The private SSH key                    |
passphrase  | The passphrase for the private SSH key |

Most ServiceNow credential types will expect at least a username and either
a password or a private key. To help surface errors early, the credential
resolver validates that a username and password are present for:

* aws
* basic
* jdbc
* jms
* ssh_password
* vmware
* windows

And the credential resolver expects the following types to specify at least
a username and a private key:

* api_key
* cfg_chef_credentials
* infoblox
* sn_cfg_ansible
* sn_disco_certmgmt_certificate_ca
* ssh_private_key

### Configuring the resolver to use a secret

In the ServiceNow UI:

* Navigate to "Discovery - Credentials" -> New
  * Select a type from the list
  * Tick "External credential store"
  * Fill in a meaningful name
  * Set "Credential ID" to the path in Vault where your secret is located, e.g.
    for a KV v2 secret engine mounted at "secret", you might have a secret stored
    under "ssh": `secret/data/ssh`. Check the [API docs](/api-docs/secret/) for
    your secret engine if you are unsure of the path to use
  * **Optional:** Click "Test credential" and select a MID server and a target
    to test against to test everything is working