Skip to main content

Secrets Management

In order to facilitate SSH scanning to a fleet of instances, Mondoo integrates with several vault systems:

  • AWS Secrets Manager
  • AWS SSM Parameter Store
  • Google Cloud Secrets Manager
  • HashiCorp Vault
  • macOS Keychain
  • Windows credential store
  • SystemD Secret Service
  • Encrypted File

Use your desired Vault and Mondoo together to scan all your assets

Set a Vault configuration

Command Line
mondoo vault set aws --type awssecretsmanager
mondoo vault set hashivault --type hashicorp-vault --option url= --option token=yourtoken

Add the Vault Secret Query to your configuration file (mondoo.yml)

name: aws
query: |
if (props.labels['Name'] == 'ssh') {
return {
user: 'ec2-user', type:'private_key', secret_id: 'arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:vjtest-m7Qfsc'

Reference the Vault when running a scan

Command Line
mondoo scan aws --vault aws