[Feature]: Integrate External Credential Providers for Secure Datasource Configuration

[LagunaElectric]

Is there an existing issue for this?

• I have searched the existing issues

Summary

I would like to request the integration of external credential providers, such as AWS Secret Manager and HashiCorp Vault, into Appsmith. This feature would allow users to supply datasource credentials directly through these secure external services without having to manually enter sensitive information into the Appsmith UI.

Use Case

Currently, entering credentials for datasources within Appsmith requires inputting sensitive information directly into the platform. By integrating with these services, Appsmith can enhance security by:

• Minimizing the exposure of sensitive credentials.
• Leveraging industry-standard secret management tools that are already in use within organizations.
• Automating credential rotation and management.

Possible Implementation

The implementation could involve:

• Adding support in the Appsmith backend to fetch credentials from specified secret managers.
• Extending the UI to allow users to configure the connection to these external services, specifying which secret manager to use and the necessary access details.
• Dynamic fetching of credentials at runtime, ensuring that datasource configurations are always up to date with the latest credentials as managed by the secret managers.

Why should this be worked on?

This feature would significantly increase the security posture of applications built on Appsmith by ensuring that sensitive credentials are not exposed within the platform and are managed through a centralized, secure mechanism. It would also make Appsmith a more attractive option for enterprise environments where strict security compliance standards are necessary.

Additional Context

Many organizations already use tools like AWS Secret Manager and HashiCorp Vault for their internal applications and would benefit from seamless integration with Appsmith for managing application configurations and credentials.

[LagunaElectric]

Related issues:

• [Feature]: Configure datasource credentials with Hashicorp Vaults #33362
• [Feature]: Allow configuring datasource credentials with AWS Secrets Manager #28414

[Nikhil-Nandagopal]

@LagunaElectric We already have this feature open so I don't see you opened a new one

[LagunaElectric]

@Nikhil-Nandagopal The other two requests are for specific platforms, and I created this after the Hashicorp request because I think it would be better to support external providers in general. I think this issue is more robust because it would pave the way to allow any external provider we choose to support such as Doppler, Cyberark, Azure Key Vault, etc. In my mind I imagined this issue as an Epic with those two existing feature requests as the first two integrations.

I can imagine a checkbox or toggle during datasource configuration to decide wether to enter credentials manually or use an external provider. If they choose to use a provider they would be able to select one from a dropdown and configure it with their datasource. Maybe they can connect to their secrets managers at the workspace level, and then reference those connections in their datasource configurations.

[Nikhil-Nandagopal]

We have a general request here #7454 so there isn't a need for a new one. I think we're covered and we'll figure out the right solution