Credentials Management
This page describes the credentials management feature in xAssets. Credential packs store usernames, passwords, and connection details used by discovery agents, cloud integrations, and data transformations. The credentials management screen is accessible from the Settings menu.
Prerequisites
- Administrator access to xAssets
- Understanding of which discovery agents or integrations require credentials
- Knowledge of the service accounts or API credentials used by your organisation for automated processes
What Are Credential Packs?
A credential pack is a named set of authentication details stored securely within xAssets. Rather than embedding usernames and passwords directly into discovery configurations or transformation scripts, you create a credential pack and reference it by name. This centralises credential management and makes it easy to update credentials when passwords change -- you update the pack in one place, and all configurations that reference it automatically use the new credentials.
Accessing Credentials Management
Navigate to Discover > Prepare > Credentials (the menu path may vary depending on your profile configuration).
The credentials list shows all credential packs in the system:
| Column | Description |
|---|---|
| Name | The display name for the credential pack (e.g., "AD Service Account", "Azure Integration") |
| Type | The type of credential (e.g., Windows, Azure, API Key, SSH) |
| Username | The username or account identifier (passwords are never displayed) |
| Used By | Indicates which discovery agents or integrations reference this pack |
Creating a Credential Pack
- From the credentials list, click New.
- Enter a Name that clearly identifies the purpose of these credentials (e.g., "Production AD Discovery", "Azure Subscription - Finance").
- Select the Type of credential:
| Type | Use Case | Fields |
|---|---|---|
| Windows | Windows domain service accounts for WMI discovery, Active Directory queries | Domain, Username, Password |
| Azure | Azure AD/Entra ID integration, Azure resource discovery | Tenant ID, Client ID, Client Secret |
| AWS | Amazon Web Services integration | Access Key ID, Secret Access Key, Region |
| Google Cloud | Google Cloud Platform integration | Service Account JSON key |
| SSH | Linux/Unix discovery via SSH | Username, Password or Private Key |
| API Key | Generic API integrations | Key, Secret |
| Database | Direct database connections for transformations | Server, Database, Username, Password |
- Enter the required authentication details for the selected type.
- Save the credential pack.
Warning: Credential pack passwords and secrets are encrypted at rest in the xAssets database. However, any user with administrator access can edit a credential pack and change its password. Limit administrator access to trusted personnel.
Editing a Credential Pack
- Open the credential pack from the credentials list.
- Modify the fields as needed.
- To change the password, enter the new password in the Password field. Leave it blank to keep the existing password.
- Save the record.
Tip: When a service account password is changed in Active Directory or a cloud provider, immediately update the corresponding credential pack in xAssets. If the pack is not updated, discovery jobs and integrations using that pack will fail on their next run.
Using Credential Packs
Credential packs are referenced in the following areas:
Discovery Configuration
When configuring a discovery agent (WMI, SSH, or network discovery), you select a credential pack from a dropdown rather than entering credentials directly:
- Navigate to the discovery configuration screen.
- In the Credentials field, select the appropriate credential pack.
- The discovery agent will use the credentials from the selected pack when connecting to target systems.
Cloud Integrations
Built-in integrations for Azure, AWS, Google Cloud, Intune, and other cloud services reference credential packs for authentication:
- Navigate to the integration configuration.
- Select the credential pack that contains the cloud provider credentials.
- The integration uses the pack's credentials for API authentication.
Transformations
AMSX transformation scripts can reference credential packs when making external connections:
- HTTP operations use credential packs for authenticated API calls
- Database source connections can reference a credential pack for the connection details
Revoking Credentials
To prevent a credential pack from being used:
- Open the credential pack.
- Change the password to an invalid value, or delete the credential pack.
- Any discovery jobs or integrations that reference the pack will fail on their next run.
Important: Before deleting a credential pack, check the "Used By" information to understand which configurations will be affected. Update those configurations to use a different pack before deleting.
Security Best Practices
| Practice | Rationale |
|---|---|
| One pack per purpose | Create separate credential packs for different services. If one set of credentials is compromised, only that integration is affected. |
| Descriptive names | Name packs clearly (e.g., "AD Discovery - London" rather than "Creds 1") so administrators can identify their purpose. |
| Regular rotation | Update passwords in credential packs whenever the underlying service account passwords are rotated. |
| Minimum privileges | Use service accounts with the minimum permissions required. Discovery accounts should have read-only access to the target systems. |
| Audit regularly | Review the credentials list periodically. Remove packs that are no longer in use. |
| Restrict admin access | Only administrators can view and edit credential packs. Limit the number of users with administrator access. |
Migrating from Legacy Credential Storage
In earlier versions of xAssets, credentials were stored directly in discovery configurations and transformation scripts. The centralised credentials management screen consolidates all credentials into one location. To migrate:
- Identify all discovery configurations and transformations that contain embedded credentials.
- Create credential packs for each unique set of credentials.
- Update the discovery configurations and transformations to reference the new credential packs.
- Remove the embedded credentials from the original configurations.
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Discovery job fails with "access denied" | Password in credential pack is incorrect or expired | Update the password in the credential pack to match the current service account password. |
| Integration returns "authentication failed" | Cloud credentials (Client Secret, API key) have been rotated | Update the credential pack with the new credentials from the cloud provider. |
| Cannot find the credentials screen | Menu path may differ by profile | Check under Admin > Settings, or ask your administrator for the correct menu location. |
| "Credential pack in use" error when deleting | One or more configurations reference the pack | Update those configurations to use a different pack before deleting. |
Related Articles
- Settings -- the settings area where credentials management is accessed
- Users -- managing user accounts (distinct from service account credentials)
- Amazon Web Services -- AWS integration using credential packs
- Azure Direct Integration -- Azure integration using credential packs
- Google Cloud -- Google Cloud integration using credential packs