Share via


Secret Server (Preview)

The Secret Server Connector allows users to leverage the power of Delinea Secret Server. This connector allows the user to retrieve a secret from Secret Server via ID.

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions except the following:
     -   Azure Government regions
     -   Azure China regions
     -   US Department of Defense (DoD)
Power Automate Premium All Power Automate regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Power Apps Premium All Power Apps regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Contact
Name Delinea support
URL https://delinea.com/support
Email support@delinea.com
Connector Metadata
Publisher Delinea, Inc.
Website https://www.delinea.com
Privacy Policy https://delinea.com/privacy-policy
Categories Security

Delinea Secret Server is a privileged access management solution that is quickly deployable and easily managed. With the use of this connector, you can discover and get your privileged accounts details in Microsoft Power Automate.

Prerequisites

You will need the following to proceed: • A Delinea Secret Server installed • Secret Server application account • An Azure subscription. • The Power platform CLI tools. • Python should be installed

How to get credentials

In order to use this connector you will need Delinea Secret Server admin access rights to create application account. This can be done by login to application click on Admin > User Management section. Refer

Get started with your connector

Since the connector uses OAuth as authentication type, we first need to install custom connector. This connector will be used to get the authorization token required to invoke rest APIs used by the connector on user's behalf. After this setup, you can create and test the connector.

Follow the steps below:

  1. Login to Microsoft Power Automate using portal(https://powerautomate.microsoft.com/en-us/),

  2. Create Secret in Secret Server and share secret for App Account. refer

  3. Install paconn by running

pip install paconn

If you get errors saying 'Access is denied', consider using the --user option or running the command as an Administrator (Windows).

  1. Configure connector

a. Open “Custom connector”. b. Enter base URL without schema (ex. http:// or https ://) c. And click on “Create”.

Known issues and limitations

The connector is currently working up to Secret Server version 11.2.00000

Common errors and remedies

• “The API receives an invalid response “.

: Check the credentials of application account created in Secret Server.

• “Action 'Get_secret' failed”

Verify the secret id entered.

• “API_AccessDenied”

Check the secret is having the permission of application account in Secret Server.

FAQ

Q. Do I need a paid version of Delinea Secret Server to utilize the connector? A: No, you can test it during the trial period too.

Creating a connection

The connector supports the following authentication types:

Default Parameters for creating connection. All regions Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Base URL to Secret Server string Enter base URL for Secret Server True

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Actions

Get secret

Get a single secret by ID

Get secret template

Get a single secret template by ID

Retrieve or Refresh Access Token

Retrieve an access token for use with other API requests or refresh an access token.

Get secret

Get a single secret by ID

Parameters

Name Key Required Type Description
Secret ID
id True integer

Secret ID for get secret object

Authorization
Access-Token True string

Bearer

Returns

Secret

Get secret template

Get a single secret template by ID

Parameters

Name Key Required Type Description
Template ID
id True integer

Get template secret by Id

Authorization
Access-Token True string

Bearer

Returns

Template to define the secret.

Retrieve or Refresh Access Token

Retrieve an access token for use with other API requests or refresh an access token.

Parameters

Name Key Required Type Description
Authentication grant type.
grant_type True string

Authentication grant type. Use 'password' when authenticating, and 'refresh_token' when refreshing a token.

Username for access to Secret Server
username True string

Secret Server authentication username. Required when authenticating.

Password for access to Secret Server
password True string

Secret Server authentication password. Required when authenticating

Returns

API access token response

Definitions

TokenResponse

API access token response

Name Path Type Description
access_token
access_token string

Authentication token

token_type
token_type string

Authentication token type

expires_in
expires_in integer

Authentication token expiration time, in seconds

refresh_token
refresh_token string

Refresh token. This is only provided when the server is set to allow refresh tokens for web services and when the session timeout duration is not set to Unlimited.

SecretModel

Secret

Name Path Type Description
accessRequestWorkflowMapId
accessRequestWorkflowMapId integer

Id of the assigned access request workflow.

active
active boolean

Whether the secret is active

allowOwnersUnrestrictedSshCommands
allowOwnersUnrestrictedSshCommands boolean

Whether Secret Owners are subject to SSH Command Restrictions, if enabled.

autoChangeEnabled
autoChangeEnabled boolean

Whether Automatic Remote Password Changing is enabled.

autoChangeNextPassword
autoChangeNextPassword string

Next Password to be used for Remote Password Changing.

checkedOut
checkedOut boolean

Whether the secret is currently checked out

checkOutChangePasswordEnabled
checkOutChangePasswordEnabled boolean

Whether to initiate a password change when the secret is checked in.

checkOutEnabled
checkOutEnabled boolean

Whether secret checkout is enabled

checkOutIntervalMinutes
checkOutIntervalMinutes integer

Checkout interval, in minutes

checkOutMinutesRemaining
checkOutMinutesRemaining integer

Minutes remaining in current checkout interval

checkOutUserDisplayName
checkOutUserDisplayName string

Name of user who has checked out the secret

checkOutUserId
checkOutUserId integer

ID of user who has checked out the secret

doubleLockId
doubleLockId integer

Id of the DoubleLock configuration for this secret.

enableInheritPermissions
enableInheritPermissions boolean

Whether to inherit permissions from the parent folder (true), or use explicit permissions.

enableInheritSecretPolicy
enableInheritSecretPolicy boolean

Whether the secret policy is inherited from the containing folder

failedPasswordChangeAttempts
failedPasswordChangeAttempts integer

Number of failed password change attempts

folderId
folderId integer

Containing folder ID

id
id integer

Secret ID

isDoubleLock
isDoubleLock boolean

Whether double lock is enabled

isOutOfSync
isOutOfSync boolean

Out of sync indicates that a Password is setup for autochange and has failed its last password change attempt or has exceeded the maximum RPC attempts

isRestricted
isRestricted boolean

Whether the secret is restricted

items
items array of RestSecretItem

Secret data fields

lastHeartBeatCheck
lastHeartBeatCheck date-time

Time of last heartbeat check

lastHeartBeatStatus
lastHeartBeatStatus HeartbeatStatus

Current status of heartbeat

lastPasswordChangeAttempt
lastPasswordChangeAttempt date-time

Time of most recent password change attempt

launcherConnectAsSecretId
launcherConnectAsSecretId integer

Id of the secret used for the Connect As Commands feature.

name
name string

Secret name

outOfSyncReason
outOfSyncReason string

Reason message if the secret is out of sync

passwordTypeWebScriptId
passwordTypeWebScriptId integer

Id of the Web Password Changer script to use for Web Password Changing.

proxyEnabled
proxyEnabled boolean

Whether to use the Proxy service for launchers on this secret, if available.

requiresApprovalForAccess
requiresApprovalForAccess boolean

Whether a workflow approval process is required to access this secret.

requiresComment
requiresComment boolean

Whether a comment is required to access this secret.

responseCodes
responseCodes array of string

Reasons that the user may not be able to retrieve the secret.

restrictSshCommands
restrictSshCommands boolean

Whether proxied launchers are subject to SSH Command Restrictions.

secretPolicyId
secretPolicyId integer

Id of the Secret Policy applied to this Secret.

secretTemplateId
secretTemplateId integer

Id of the template defining this Secret.

secretTemplateName
secretTemplateName string

Name of secret template

sessionRecordingEnabled
sessionRecordingEnabled boolean

Whether session recording is enabled

siteId
siteId integer

Id of the Site to which this Secret belongs.

webLauncherRequiresIncognitoMode
webLauncherRequiresIncognitoMode boolean

Whether web launchers will open an incognito browser session when launching this secret.

RestSecretItem

Secret data field item

Name Path Type Description
fieldDescription
fieldDescription string

Longer description of the secret field.

fieldId
fieldId integer

The id of the field definition from the secret template.

fieldName
fieldName string

The display name of the secret field.

fileAttachmentId
fileAttachmentId integer

If the field is a file attachment field, the id of the file attachment.

filename
filename string

If the field is a file attachment field, the name of the attached file.

isFile
isFile boolean

Whether the field is a file attachment.

isList
isList boolean

Whether or not the secret field is a list.

isNotes
isNotes boolean

Whether the field is represented as a multi-line text box. Used for long-form text fields.

isPassword
isPassword boolean

Whether the field is a password. Password fields are hidden by default in the UI and their value is not returned in GET calls that return secrets. To retrieve a password field value, make a GET call to /api/secrets/{secretId}/fields/{slug}.

itemId
itemId integer

The id of the secret field item. Leave empty when creating a new secret.

itemValue
itemValue string

The value of the secret field item. For list fields, this is a comma-delimited list of the list id guids that are assigned to this field.

listType
listType SecretFieldListType

The type of list. Valid values are “None”, “Generic”, and “URL”.

slug
slug string

A unique name for the secret field on the template. Slugs cannot contain spaces and are used in many places to easily refer to a secret field without having to know the field id.

HeartbeatStatus

Current status of heartbeat

Current status of heartbeat

SecretFieldListType

The type of list. Valid values are “None”, “Generic”, and “URL”.

The type of list. Valid values are “None”, “Generic”, and “URL”.

SecretTemplateModel

Template to define the secret.

Name Path Type Description
fields
fields array of ISecretTemplateField

Secret template fields

id
id integer

Secret template ID

name
name string

Secret template name

passwordTypeId
passwordTypeId integer

Id of the Remote Password Changing configuration used by this Template.

ISecretTemplateField

Secret template fields

Name Path Type Description
description
description string

Description

displayName
displayName string

Display Name of this field.

editablePermission
editablePermission integer

Type of permission level required to edit this field.

editRequires
editRequires EditRequiresOptions

Reasons that the user may not be able to retrieve the secret.

fieldSlugName
fieldSlugName string

Web-compatible name for this Secret Field. This name will be used for API calls.

generatePasswordCharacterSet
generatePasswordCharacterSet string

Id of character set to use when generating a value for this field.

generatePasswordLength
generatePasswordLength integer

Length of value to generate for this field.

hideOnView
hideOnView boolean

Whether to display this field in a view context.

historyLength
historyLength integer

Length of the history stored for this field.

isExpirationField
isExpirationField boolean

Whether Secret Expiration is based on this field.

isFile
isFile boolean

Whether this field represents a File Attachment.

isIndexable
isIndexable boolean

Whether this field will be indexed for search.

isList
isList boolean

Whether this field is a List field.

isNotes
isNotes boolean

Whether this field is a Notes field.

isPassword
isPassword boolean

Whether this field is a Password field.

isRequired
isRequired boolean

Whether population of this field is required for the secret to be valid.

isUrl
isUrl boolean

Whether this is a field is a URL field.

listType
listType ListType

Type of List to map to this field.

mustEncrypt
mustEncrypt boolean

Whether this field is encrypted within the Database.

name
name string

Name

passwordRequirementId
passwordRequirementId integer

Id of the Password Requirement associated with this field.

passwordTypeFieldId
passwordTypeFieldId integer

Id of the Password Type for Web Password Automatic Password Changing.

secretTemplateFieldId
secretTemplateFieldId integer

Id of the Field definition on which this Field is based.

sortOrder
sortOrder integer

Order in which this field is displayed when viewing the Secret.

EditRequiresOptions

Reasons that the user may not be able to retrieve the secret.

Reasons that the user may not be able to retrieve the secret.

ListType

Type of List to map to this field.

Type of List to map to this field.