notice
This is unreleased documentation for Rasa Documentation Main/Unreleased version.
For the latest released documentation, see the latest version (3.x).
Secrets Managers
You can store your assistant's secrets in an external credentials manager. Rasa Pro currently supports credentials manager for the Tracker Store
Rasa Pro License
You'll need a license to get started with Rasa Pro. Talk with Sales
Available in Rasa Pro from 3.5.0
Rasa Pro supports the following secrets managers:
Currently, Rasa Pro supports safeguarding credentials for the following services:
HashiCorp Vault Secrets Manager
Use Vault Secrets Manager to store credentials used to authenticate access to external services. The credentials are stored in a Vault instance and can be encrypted at rest. To store credentials in a Vault instance, you can read the official Vault docs Storing secrets in Vault.
You can also encrypt credentials at rest with Vault Transit Engine.
note
Expiring tokens need to be renewed periodically, and the renewal process is done over the network, Rasa Pro will try to renew the token 15 seconds before it expires. If the token's time-to-live (TTL) is less than 15 seconds, we will try to renew it after 1 second, but it might fail due to network latency.
Rasa Pro has a built-in retry mechanism for renewing the token.
If the token is not renewed successfully it will be considered expired and Rasa Pro will not be able to access the secrets. You will need to create a new renewable token and restart Rasa Pro with new token.
Authentication
Rasa Pro can authenticate to Vault through Token authentication.
Both expiring
and non-expiring
(so called, root tokens) tokens are supported.
Rasa Pro will automatically renew the token if it is expiring.
How to configure access to Vault
Access to Vault secrets manager can be configured with environment variables
and through endpoints.yml
configuration file.
Environment variables and endpoints.yml
configuration file are merged together
and the values from the environment variables take precedence.
New in 3.7
Vault namespaces can be used to isolate secrets. You can
configure a namespace with the VAULT_NAMESPACE
environment variable or the namespace
key in secrets_manager
section of the endpoints.yml
file.
To learn more about namespaces,
check out the Vault namespaces docs.
The following environment variables are available:
Environment Variable | Description | Default |
---|---|---|
SECRET_MANAGER | Required. The secrets manager to use. Currently only "vault" is supported | vault |
VAULT_HOST | Required. The address of the vault server | |
VAULT_TOKEN | Required. token to authenticate to the vault server | |
VAULT_RASA_SECRETS_PATH | Path to the secrets in the vault server | rasa-secrets |
VAULT_TRANSIT_MOUNT_POINT | If transit secrets engine is enabled, set this to mount point of the transit engine | |
VAULT_NAMESPACE | If namespaces are used, set this to the path of the namespace |
To configure the Vault secrets manager, you can fill the following section in endpoints.yml
file:
Store access credentials in environment variables
A simple example on how to combine environment variables and endpoints.yml
configuration file
would be to store access token in the environment variable and the rest of the configuration
in the endpoints.yml
file.
How to configure Tracker Store with Vault Secrets Manager
Configure Rasa to access the Vault instance
Checkout the How to configure access to Vault section for more details.
Configure Rasa to use the Vault secrets manager to fetch credentials for the tracker store
tracker_store:type: SQLurl: localhost:5432username:source: secrets_manager.vaultsecret_key: sql_store_usernamepassword:source: secrets_manager.vaultsecret_key: sql_store_password