Version: Main/Unreleased

Secrets Managers

You can store your assistant's secrets in an external credentials manager. Rasa Pro currently supports a credentials manager for the Tracker Store only.

Rasa Pro Only
Rasa Pro License

You'll need a license to get started with Rasa Pro. Talk with Sales

Available in Rasa Pro from 3.5.0

Rasa Pro supports the following secrets managers:

  - HashiCorp Vault

Currently, Rasa Pro supports safeguarding credentials for the following services:

  - Tracker Store

HashiCorp Vault Secrets Manager

Use the Vault Secrets Manager to store the credentials Rasa Pro uses to authenticate to external services. The credentials live in a Vault instance, which encrypts its storage at rest. To learn how to store credentials in a Vault instance, read the official Vault docs on storing secrets in Vault.

You can additionally encrypt the credential values with the Vault Transit engine; if you do, configure the transit mount point as described below.

note

Expiring tokens must be renewed periodically, and renewal happens over the network. Rasa Pro tries to renew the token 15 seconds before it expires. If the token's time-to-live (TTL) is less than 15 seconds, Rasa Pro tries to renew it after 1 second, which may fail because of network latency, so give the token a TTL comfortably longer than 15 seconds.

Rasa Pro has a built-in retry mechanism for renewing the token.

If renewal does not succeed, the token is considered expired and Rasa Pro can no longer access the secrets. You will need to create a new renewable token and restart Rasa Pro with it.
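The renewal timing and failure mode from the note above, as an added example that is not Rasa Pro's own code: renewal is scheduled 15 seconds before expiry (or after 1 second when the TTL is shorter than that), retried on failure, and the token is treated as expired once the retries are exhausted. The retry budget, the pause between attempts, and the `renew` callable standing in for the network call are this example's own assumptions.

```python
"""Token-renewal timing and retry for an expiring Vault token (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, List

RENEW_LEAD_SECONDS = 15       # renew this long before expiry (from the note above)
MIN_RENEW_DELAY_SECONDS = 1   # fallback delay when the TTL is below the lead time


def renewal_delay(ttl_seconds: int) -> int:
    """Seconds to wait before the next renewal attempt for a token with this TTL.

    A 60 s TTL gives 45 s; a 10 s TTL gives 1 s, which leaves almost no room
    for network latency, so very short TTLs are risky.
    """
    if ttl_seconds < RENEW_LEAD_SECONDS:
        return MIN_RENEW_DELAY_SECONDS
    return ttl_seconds - RENEW_LEAD_SECONDS


@dataclass
class TokenState:
    ttl_seconds: int            # remaining lifetime as last reported by Vault
    renewable: bool = True      # root tokens are not renewable and never expire
    expired: bool = False       # set once every renewal attempt has failed
    attempts: List[str] = field(default_factory=list)  # outcome of each attempt


def renew_with_retry(
    state: TokenState,
    renew: Callable[[], int],                 # returns the new TTL, raises on failure
    max_attempts: int = 3,                    # assumption: retry budget
    sleep: Callable[[float], None] = time.sleep,
) -> TokenState:
    """Attempt renewal up to max_attempts times; mark the token expired on failure.

    Non-renewable (root) tokens are returned untouched: there is nothing to renew.
    """
    if not state.renewable:
        state.attempts.append("skipped: token is not renewable")
        return state
    for attempt in range(1, max_attempts + 1):
        try:
            state.ttl_seconds = renew()
            state.attempts.append(f"attempt {attempt}: renewed, ttl={state.ttl_seconds}s")
            return state
        except Exception as exc:   # e.g. network error, or 403 once the token is revoked
            state.attempts.append(f"attempt {attempt}: failed ({exc})")
            if attempt < max_attempts:
                sleep(MIN_RENEW_DELAY_SECONDS)   # assumption: fixed 1 s pause between retries
    state.expired = True
    state.attempts.append("giving up: token treated as expired; restart with a new token")
    return state


def make_flaky_renew(failures_before_success: int, new_ttl: int) -> Callable[[], int]:
    """Constructed stand-in for the network call: fails N times, then succeeds."""
    calls = {"n": 0}

    def renew() -> int:
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise ConnectionError("vault unreachable")
        return new_ttl

    return renew


if __name__ == "__main__":
    state = TokenState(ttl_seconds=30)
    print(f"next renewal in {renewal_delay(state.ttl_seconds)} s")
    renew_with_retry(state, make_flaky_renew(2, 3600), sleep=lambda _: None)
    print("\n".join(state.attempts), "| expired:", state.expired)
```

The important operational point is the last branch: once `expired` is set there is no recovery inside the process, which is why the note tells you to issue a new renewable token and restart.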

Authentication

Rasa Pro authenticates to Vault with token authentication.

Both expiring and non-expiring tokens (so-called root tokens) are supported. Rasa Pro automatically renews an expiring token. Because a root token never expires and is not limited by any policy, prefer a renewable token bound to a policy that only grants access to the secrets path, and keep root tokens for local development.

How to configure access to Vault

Access to the Vault secrets manager can be configured with environment variables and through the endpoints.yml configuration file.

The two sources are merged; where both set the same value, the environment variable takes precedence.

New in 3.7

Vault namespaces can be used to isolate secrets. You can configure a namespace with the VAULT_NAMESPACE environment variable or with the namespace key in the secrets_manager section of endpoints.yml. To learn more about namespaces, see the Vault namespaces docs.

The following environment variables are available:

| Environment Variable      | Description                                                                      | Default      |
|---------------------------|----------------------------------------------------------------------------------|--------------|
| SECRET_MANAGER            | Required. The secrets manager to use. Currently only "vault" is supported.       | vault        |
| VAULT_HOST                | Required. The address of the Vault server (the `url` key in endpoints.yml).      |              |
| VAULT_TOKEN               | Required. Token used to authenticate to the Vault server.                        |              |
| VAULT_RASA_SECRETS_PATH   | Path to the secrets in the Vault server.                                          | rasa-secrets |
| VAULT_TRANSIT_MOUNT_POINT | If the transit secrets engine is enabled, the mount point of the transit engine. |              |
| VAULT_NAMESPACE           | If namespaces are used, the path of the namespace.                               |              |

To configure the Vault secrets manager, you can fill the following section in endpoints.yml file:

secrets_manager:
  type: vault                  # required - the secrets manager to use
  token: <token>               # required - token to authenticate to the vault server
  url: "http://localhost:1234" # required - the address of the vault server
  secrets_path: rasa-secrets   # path to the secrets in the vault server; if not set it defaults to `rasa-secrets`
  transit_mount_point: transit # if the transit secrets engine is enabled, set this to the mount point of the transit engine
  namespace: my-namespace      # if namespaces are used, set this to the path of the namespace

Store access credentials in environment variables

A simple way to combine environment variables with the endpoints.yml configuration file is to keep the access token in an environment variable, so it never lands in a file, and put the rest of the configuration in endpoints.yml:

# environment variables
VAULT_TOKEN=<token used to authenticate to Vault>

# endpoints.yml
secrets_manager:
  type: vault
  url: "http://localhost:1234"
  secrets_path: rasa-secrets   # if not set it defaults to `rasa-secrets`
  transit_mount_point: transit # if you have enabled the transit secrets engine and want to use it
  namespace: my-namespace      # if namespaces are used, set this to the path of the namespace
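How the two sources combine, as an added example that is not Rasa Pro's own code: the environment variables from the table above are mapped onto the endpoints.yml keys, the file's values are applied first and the environment overrides them, and the result is checked for the required settings. The validation rules, the redacted summary and the plaintext-HTTP check are this example's own additions; endpoints.yml is represented as an already-parsed dict so the example runs without a YAML library.

```python
"""Merging secrets_manager settings from endpoints.yml and the environment (added example)."""
from typing import Any, Dict, List, Mapping, Optional

# Environment variable -> endpoints.yml key, as listed in the table above.
ENV_TO_KEY = {
    "SECRET_MANAGER": "type",
    "VAULT_HOST": "url",
    "VAULT_TOKEN": "token",
    "VAULT_RASA_SECRETS_PATH": "secrets_path",
    "VAULT_TRANSIT_MOUNT_POINT": "transit_mount_point",
    "VAULT_NAMESPACE": "namespace",
}
DEFAULTS = {"type": "vault", "secrets_path": "rasa-secrets"}
REQUIRED = ("type", "url", "token")
SUPPORTED_TYPES = ("vault",)


def merge_secrets_manager_config(
    endpoints: Mapping[str, Any], environ: Mapping[str, str]
) -> Dict[str, Any]:
    """Return the effective secrets_manager config; the environment wins on conflict."""
    config: Dict[str, Any] = dict(DEFAULTS)
    config.update(endpoints.get("secrets_manager") or {})     # values from the file
    for var, key in ENV_TO_KEY.items():
        value = environ.get(var)
        if value:                                              # empty string counts as unset
            config[key] = value
    missing = [key for key in REQUIRED if not config.get(key)]
    if missing:
        raise ValueError(f"secrets_manager: missing required setting(s): {', '.join(missing)}")
    if config["type"] not in SUPPORTED_TYPES:
        raise ValueError(f"secrets_manager: unsupported type {config['type']!r}")
    return config


def validation_error(endpoints: Mapping[str, Any], environ: Mapping[str, str]) -> Optional[str]:
    """The validation message for a (file, environment) pair, or None when it is valid."""
    try:
        merge_secrets_manager_config(endpoints, environ)
    except ValueError as exc:
        return str(exc)
    return None


def transport_warnings(config: Mapping[str, Any]) -> List[str]:
    """Warn when the token would be sent to Vault over plaintext HTTP."""
    warnings = []
    if str(config.get("url", "")).lower().startswith("http://"):
        warnings.append("url uses http://; the Vault token travels in clear text, use https:// outside local tests")
    return warnings


def redacted(config: Mapping[str, Any]) -> Dict[str, Any]:
    """Copy of the config that is safe to log: the token is masked."""
    return {key: ("***" if key == "token" else value) for key, value in config.items()}


# Constructed example matching the docs: token in the environment, the rest in the file.
EXAMPLE_ENDPOINTS = {
    "secrets_manager": {
        "type": "vault",
        "url": "http://localhost:1234",
        "secrets_path": "rasa-secrets",
        "namespace": "my-namespace",
    }
}
EXAMPLE_ENVIRON = {"VAULT_TOKEN": "hvs.constructed-example-token"}  # pass os.environ in a real deployment

if __name__ == "__main__":
    effective = merge_secrets_manager_config(EXAMPLE_ENDPOINTS, EXAMPLE_ENVIRON)
    print(redacted(effective))
    for warning in transport_warnings(effective):
        print("warning:", warning)
```

Two things worth noticing: `VAULT_HOST` and `url` are the same setting under different names, so an environment value silently replaces whatever the file says; and the `http://localhost:1234` address used throughout this page is fine for a local Vault dev server but sends the token in clear text over any real network.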

How to configure Tracker Store with Vault Secrets Manager

  1. Configure Rasa to access the Vault instance

    Check out the How to configure access to Vault section for more details.

  2. Configure Rasa to use the Vault secrets manager to fetch credentials for the tracker store

    tracker_store:
      type: SQL
      url: localhost:5432
      username:
        source: secrets_manager.vault
        secret_key: sql_store_username
      password:
        source: secrets_manager.vault
        secret_key: sql_store_password
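What the second step amounts to at run time, as an added example that is not Rasa Pro's own code: each `source: secrets_manager.vault` reference in the tracker_store section is replaced by the value stored under its `secret_key`. This page does not show how Rasa Pro itself reads the secrets, so the read is abstracted as a `fetch_secrets(secrets_path)` callable returning the key/value map stored at the configured secrets path, and `FAKE_VAULT` is a constructed stand-in for a real Vault instance so the example runs offline. The handling of unknown sources and missing keys is this example's own design.

```python
"""Resolving tracker_store credential references against the Vault secrets manager (added example)."""
from typing import Any, Callable, Dict, Mapping, Optional

VAULT_SOURCE = "secrets_manager.vault"
DEFAULT_SECRETS_PATH = "rasa-secrets"

# Constructed data standing in for the secrets stored under `rasa-secrets`.
FAKE_VAULT: Dict[str, Dict[str, str]] = {
    DEFAULT_SECRETS_PATH: {
        "sql_store_username": "rasa_app",
        "sql_store_password": "constructed-example-password",
    }
}


def fake_fetch_secrets(secrets_path: str) -> Dict[str, str]:
    """Stand-in for a Vault read; fails on an unknown path like a real client would."""
    try:
        return dict(FAKE_VAULT[secrets_path])
    except KeyError:
        raise LookupError(f"no secrets at path {secrets_path!r}") from None


def is_vault_reference(value: Any) -> bool:
    """True for the `source: secrets_manager.vault` mapping shape used in endpoints.yml."""
    return isinstance(value, dict) and value.get("source") == VAULT_SOURCE


def resolve_credentials(
    section: Mapping[str, Any],
    fetch_secrets: Callable[[str], Mapping[str, str]],
    secrets_path: str = DEFAULT_SECRETS_PATH,
) -> Dict[str, Any]:
    """Return a copy of `section` with every Vault reference replaced by its secret.

    Vault is read at most once per call. Unknown `source` values and missing
    `secret_key`s are errors rather than being passed through as the literal
    mapping, which would otherwise reach the database driver as a credential.
    """
    resolved: Dict[str, Any] = {}
    secrets: Optional[Mapping[str, str]] = None
    for key, value in section.items():
        if is_vault_reference(value):
            if secrets is None:
                secrets = fetch_secrets(secrets_path)
            secret_key = value.get("secret_key")
            if not secret_key:
                raise ValueError(f"{key}: reference to {VAULT_SOURCE} has no secret_key")
            if secret_key not in secrets:
                raise KeyError(f"{key}: secret_key {secret_key!r} not found under {secrets_path!r}")
            resolved[key] = secrets[secret_key]
        elif isinstance(value, dict) and "source" in value:
            raise ValueError(f"{key}: unsupported credential source {value['source']!r}")
        else:
            resolved[key] = value          # plain settings such as type and url pass through
    return resolved


def resolution_error(
    section: Mapping[str, Any],
    fetch_secrets: Callable[[str], Mapping[str, str]],
    secrets_path: str = DEFAULT_SECRETS_PATH,
) -> Optional[str]:
    """The error message resolution would raise for `section`, or None if it resolves."""
    try:
        resolve_credentials(section, fetch_secrets, secrets_path)
    except (ValueError, LookupError) as exc:
        return str(exc)
    return None


# The tracker_store section from the procedure above, as a parsed dict.
TRACKER_STORE = {
    "type": "SQL",
    "url": "localhost:5432",
    "username": {"source": VAULT_SOURCE, "secret_key": "sql_store_username"},
    "password": {"source": VAULT_SOURCE, "secret_key": "sql_store_password"},
}

if __name__ == "__main__":
    store = resolve_credentials(TRACKER_STORE, fake_fetch_secrets)
    print({k: ("***" if k == "password" else v) for k, v in store.items()})
```

With a real instance, `fetch_secrets` would be a thin wrapper around your Vault client's read of the configured secrets path (and, if `transit_mount_point` is set, a transit decrypt of the values); which engine and layout Rasa Pro expects there is not stated on this page, so check the Rasa Pro reference for your version before writing that wrapper.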