As networks grow more complex, the need for secure, automated infrastructure management becomes increasingly clear. That’s why we’re excited to share a major new enhancement to the NetBox Discovery agent: Secrets Manager, a powerful integration that brings secure credential management into the heart of network discovery.
A Quick Refresher: What is the NetBox Discovery agent?
The NetBox Discovery agent is a lightweight, modular tool purpose-built to assess the operational state of your network and help you detect and manage drift. Whether you run on-prem, in the cloud, or across hybrid environments, the agent seamlessly integrates with NetBox and NetBox Assurance to keep your source of truth accurate and continuously updated with real-time network insights. In practice, this means that as the agent discovers new or changed infrastructure elements, NetBox Assurance can compare these against the existing intended state stored in NetBox. If discrepancies—referred to as operational drift—are detected, users are presented with clear, actionable updates and proposed changes. This integrated workflow makes it easy to identify and resolve unintended or unauthorized changes in the network, helping teams stay in control, improve compliance, and accelerate their journey toward network automation.
Meet Secrets Manager
With the new Secrets Manager, the NetBox Discovery agent can now retrieve credentials from external secret stores—starting with HashiCorp Vault. This eliminates the need to store usernames and passwords in plaintext configuration files, delivering a more secure, flexible, and scalable approach to credential management.
Why We Built It
Credentials are often the most sensitive part of any discovery configuration. Storing them securely is critical to minimizing risk. With Secrets Manager, we’re making it easier to:
- Keep credentials out of static config files.
- Integrate the NetBox Discovery agent with your existing Vault infrastructure.
- Update secrets without restarting or redeploying the agent.
This means better security posture, streamlined operations, and a more compliant approach to network automation.
How It Works
The Secrets Manager configuration is composed of two parts and is designed to be simple and straightforward to set up:
- A global configuration section that defines the backend secrets store (e.g., Vault) and the authentication method used to access it.
- References to individual secrets in the discovery policies.
HashiCorp Vault is the only backend currently supported by Secrets Manager. Secrets must be stored using Vault’s v2 key-value engine, with each secret represented as a dictionary of key-value pairs.
Here’s a sample global configuration that uses Vault:
orb:
  secrets_manager:
    active: vault
    sources:
      vault:
        address: https://vault.example.com:8200
        auth: token
        auth_args:
          token: ${VAULT_TOKEN} # passed as an environment variable
Now you can reference secrets in your policies:
orb:
  policies:
    device_discovery:
      discovery_1:
        schedule: "0 * * * *" # Run hourly
        scope:
          - driver: ios
            hostname: 10.1.2.24
            username: ${vault://secret/cisco/v8000/username}
            password: ${vault://secret/cisco/v8000/password}
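As an added example (not the agent's own code, and not NetBox Labs' implementation), the resolver below shows how the two configuration pieces fit together at run time: it walks a policy document, fetches each ${vault://...} reference from a KV v2 backend, fails closed when a key or variable is missing rather than leaving an empty credential behind, and produces a redacted copy that is safe to log. The reference layout (first segment is the KV mount, last segment is the key inside the stored dictionary, everything between is the secret path), the ${NAME} environment-variable expansion, and the in-memory stand-in for Vault are assumptions of this example.

```python
"""Resolve secret references in a NetBox Discovery-style agent configuration.

Added example, not the agent's own code. Assumptions (not stated on the page):
  * ${vault://<mount>/<path>/<key>} names the KV v2 mount, the secret path
    beneath it, and one key inside the stored key-value dictionary;
  * ${NAME} in the global section is an environment-variable reference.
"""
import json
import os
import re
from typing import Any, Callable, Dict

VAULT_REF = re.compile(r"\$\{vault://([^}]+)\}")
ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# A backend takes (mount, path) and returns that secret's key/value dictionary.
Backend = Callable[[str, str], Dict[str, str]]


def split_reference(ref: str):
    """'secret/cisco/v8000/username' -> ('secret', 'cisco/v8000', 'username')."""
    parts = ref.split("/")
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"malformed vault reference: {ref!r}")
    return parts[0], "/".join(parts[1:-1]), parts[-1]


def expand_env(value: str, env=os.environ) -> str:
    """Expand ${NAME}; an unset variable is an error, never an empty token."""
    def repl(m):
        name = m.group(1)
        if name not in env:
            raise KeyError(f"environment variable {name} is not set")
        return env[name]
    return ENV_REF.sub(repl, value)


def kv2_http_backend(address: str, token: str) -> Backend:
    """Backend for a live Vault: GET <address>/v1/<mount>/data/<path>
    (KV v2 layout); the secret dictionary is body['data']['data']."""
    from urllib.request import Request, urlopen

    def fetch(mount: str, path: str) -> Dict[str, str]:
        req = Request(f"{address}/v1/{mount}/data/{path}",
                      headers={"X-Vault-Token": token})
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)["data"]["data"]
    return fetch


def resolve(obj: Any, backend: Backend) -> Any:
    """Replace every vault reference in a policy document, at run time, so the
    file on disk never holds a credential and rotated values are picked up on
    the next discovery run without redeploying the agent."""
    if isinstance(obj, dict):
        return {k: resolve(v, backend) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve(v, backend) for v in obj]
    if not isinstance(obj, str):
        return obj

    def repl(m):
        mount, path, key = split_reference(m.group(1))
        data = backend(mount, path)
        if key not in data:
            raise KeyError(f"key {key!r} not present in {mount}/{path}")
        return data[key]
    return VAULT_REF.sub(repl, obj)


def redacted(obj: Any, sensitive=("password", "secret", "token")) -> Any:
    """Copy of a resolved policy that is safe to log: sensitive keys masked."""
    if isinstance(obj, dict):
        return {k: "***" if k.lower() in sensitive else redacted(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redacted(v) for v in obj]
    return obj


# Constructed sample data mirroring the page's policy and one KV v2 secret.
SAMPLE_POLICY = {"orb": {"policies": {"device_discovery": {"discovery_1": {
    "schedule": "0 * * * *",
    "scope": [{"driver": "ios", "hostname": "10.1.2.24",
               "username": "${vault://secret/cisco/v8000/username}",
               "password": "${vault://secret/cisco/v8000/password}"}],
}}}}}
FAKE_VAULT = {("secret", "cisco/v8000"):
              {"username": "netbox-ro", "password": "example-only"}}


def fake_backend(mount: str, path: str) -> Dict[str, str]:
    """In-memory stand-in for kv2_http_backend so the example runs offline."""
    try:
        return dict(FAKE_VAULT[(mount, path)])
    except KeyError:
        raise KeyError(f"no secret at {mount}/data/{path}") from None


if __name__ == "__main__":
    policy = resolve(SAMPLE_POLICY, fake_backend)
    print(json.dumps(redacted(policy), indent=2))  # log only the redacted copy
```

Against a real server, swap fake_backend for kv2_http_backend(os.environ["VAULT_ADDR"], expand_env("${VAULT_TOKEN}")) and give that token a Vault policy that grants only read on the paths the policies reference (for KV v2, the data path, e.g. secret/data/cisco/*), so a compromised agent host cannot read anything beyond the device credentials it needs.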
Built for the Future
While HashiCorp Vault is the first supported backend, the Secrets Manager architecture is designed for extensibility. We’re laying the groundwork to support additional secret stores in future releases—let us know which ones you’d like to see.
Try It Out
Secrets Manager is available now in the latest version of the NetBox Discovery agent. To get started, check out the agent repository and the Secrets Manager Documentation. If you’re already using Vault, it’s a quick win to bring secure secrets management to your network discovery workflows.
What’s Next?
Since we released the NetBox Discovery agent last December, we’ve been on a roll, steadily releasing new features such as worker extensions, Git-managed policies, and enhanced network discovery. Secrets Manager is part of this broader effort to strengthen the foundations of NetBox Discovery. Stay tuned as we continue to invest in features that make your infrastructure automation more secure, scalable, and resilient.
Stay tuned, and stay secure.