This is unreleased documentation for Rasa & Rasa Pro Documentation Main/Unreleased version.
For the latest released documentation, see the latest version (3.x).
You can store your assistant's secrets in an external credentials manager. Rasa Pro currently supports a credentials manager for the Tracker Store.
Available in Rasa Pro from 3.5.0
Rasa Pro supports the following secrets managers:
Currently, Rasa Pro supports safeguarding credentials for the following services:
HashiCorp Vault Secrets Manager
Use Vault Secrets Manager to store credentials used to authenticate access to external services. The credentials are stored in a Vault instance and can be encrypted at rest. To store credentials in a Vault instance, see the official Vault docs, "Storing secrets in Vault".
You can also encrypt credentials at rest with Vault Transit Engine.
Expiring tokens need to be renewed periodically, and the renewal is done over the network. Rasa Pro will try to renew the token 15 seconds before it expires. If the token's time-to-live (TTL) is less than 15 seconds, Rasa Pro will try to renew it after 1 second, but the renewal might fail due to network latency.
Rasa Pro has a built-in retry mechanism for renewing the token.
If the token is not renewed successfully, it is considered expired and Rasa Pro will not be able to access the secrets. You will need to create a new renewable token and restart Rasa Pro with the new token.
Rasa Pro can authenticate to Vault through Token authentication.
Non-expiring tokens (so-called root tokens) are supported.
Rasa Pro will automatically renew the token if it is expiring.
How to configure access to Vault
Access to the Vault secrets manager can be configured with environment variables and the endpoints.yml configuration file.
Environment variables and the endpoints.yml configuration file are merged together, and the values from the environment variables take precedence.
The following environment variables are available:
|Required. The secrets manager to use. Currently only "vault" is supported|
|Required. The address of the Vault server|
|Required. Token to authenticate to the Vault server|
|Path to the secrets in the Vault server|
|If the transit secrets engine is enabled, set this to the mount point of the transit engine|
To configure the Vault secrets manager, you can fill the following section in
Store access credentials in environment variables
A simple example of how to combine environment variables and the endpoints.yml configuration file would be to store the access token in an environment variable and the rest of the configuration
How to configure Tracker Store with Vault Secrets Manager
Configure Rasa to access the Vault instance
Check out the "How to configure access to Vault" section for more details.
Configure Rasa to use the Vault secrets manager to fetch credentials for the tracker store:

```yaml
tracker_store:
  type: SQL
  url: localhost:5432
  username:
    source: secrets_manager.vault
    secret_key: sql_store_username
  password:
    source: secrets_manager.vault
    secret_key: sql_store_password
```
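With this reference format, endpoints.yml holds only pointers to secrets and never the credentials themselves. The Python sketch below is an added example, not Rasa Pro's own code: it shows how a loader could resolve such references while failing closed, and how to flag tracker store credentials left in plaintext. The function names, the in-memory `secrets` mapping standing in for Vault, and the sample values are assumptions.

```python
from typing import Any, Dict, List, Mapping

VAULT_SOURCE = "secrets_manager.vault"  # source value shown on this page


class SecretResolutionError(Exception):
    """A referenced secret could not be resolved."""


def is_secret_ref(value: Any) -> bool:
    """True for a mapping with exactly the keys source and secret_key."""
    return isinstance(value, Mapping) and set(value) == {"source", "secret_key"}


def resolve_tracker_store(config: Mapping[str, Any],
                          secrets: Mapping[str, str]) -> Dict[str, Any]:
    """Return a copy of config with secret references replaced by values.

    `secrets` is an assumed stand-in for the key/value pairs read from Vault.
    Fails closed: unknown sources and missing keys raise, never pass through.
    """
    resolved: Dict[str, Any] = {}
    for field, value in config.items():
        if not is_secret_ref(value):
            resolved[field] = value
            continue
        if value["source"] != VAULT_SOURCE:
            raise SecretResolutionError(f"{field}: unsupported source")
        if value["secret_key"] not in secrets:
            raise SecretResolutionError(f"{field}: secret_key not found")
        resolved[field] = secrets[value["secret_key"]]
    return resolved


def plaintext_credentials(config: Mapping[str, Any]) -> List[str]:
    """Sensitive fields holding a literal value instead of a reference."""
    return [f for f in ("username", "password")
            if f in config and not is_secret_ref(config[f])]


# Constructed sample: the tracker_store section above, as parsed YAML.
TRACKER_STORE = {
    "type": "SQL",
    "url": "localhost:5432",
    "username": {"source": VAULT_SOURCE, "secret_key": "sql_store_username"},
    "password": {"source": VAULT_SOURCE, "secret_key": "sql_store_password"},
}
# Constructed stand-in for the secrets stored at the Vault secrets path.
SAMPLE_SECRETS = {"sql_store_username": "rasa_db_user",
                  "sql_store_password": "constructed-example-password"}
```

Running `plaintext_credentials` over each parsed endpoints.yml in CI catches a literal password before it reaches version control.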