Secrets in Code

You can use the Secret object in your JSON code when you do not want to expose confidential information in the source—for example, the Password field in a connection profile. The value of the secret is obtained from a vault and is resolved during deployment.

You can save secrets in the following vault types:

Control-M Vault Secrets

The following syntax is used to reference a secret stored in a Control-M vault:

    "<parameter>": {"Secret": "<secret name>"}

You can use secrets in code, as follows:

    "Type": "ConnectionProfile:Hadoop",
    "Hive": {
        "Host": "hiveServer",
        "Principal": "a@bc",
        "Port": "1024",
        "User": "emuser",
        "Password": {"Secret": "hive_dev_secret"}
    }

For information about managing secrets of this type, see Secrets Configuration.

External Vault Secrets

The following example shows the syntax of references to secrets stored in an external CyberArk vault. You can use these secrets in password-type fields in File Transfer connection profiles or in connection profiles for plug-ins developed in Control-M Application Integrator (including Control-M Integrations developed by BMC). Secrets from an external vault are supported only in centralized connection profiles.

This feature requires Control-M/EM or higher.

This example shows an Application Integrator connection profile with two types of CyberArk secrets.

    "NEW-CCP": {
        "Type": "ConnectionProfile:ApplicationIntegrator:AI ainew",
        "Description": "",
        "Centralized": true,
        "AI-RunAs-Pass": {
            "Secret": {
                "Type": "Secret:CyberArkVault:Basic",
                "AppID": "finance",
                "Safe": "financeDept",
                "Folder": "Root",
                "Object": "oracleSalaryService",
                "Reason": "I need it to export salaries for VP"
            }
        },
        "AI-Run As": "",
        "AI-mysecret": {
            "Secret": {
                "Type": "Secret:CyberArkVault:QueryBased",
                "AppID": "finance",
                "Query": "Safe=finDep;title=Sr;Department=IT",
                "Reason": "I need to build a report on salaries from IT"
            }
        }
    }

The following table lists the parameters of a secret, which enable Control-M Automation API to locate and retrieve the secret from the external vault:

Parameter: Type

Determines one of the following vault types and/or methods to locate and retrieve the secret:

  • Secret:CyberArkVault:Basic: Defines default CyberArk parameters

  • Secret:CyberArkVault:QueryBased: Enables you to include additional CyberArk parameters

Parameter: AppID

Secret types:

  • Secret:CyberArkVault:Basic

  • Secret:CyberArkVault:QueryBased

Defines the unique ID of the application that issues the password request.

Maximum length: 128

Parameter: Safe

Defines the name of the CyberArk Safe where the password is stored.

Maximum length: 28

Parameter: Folder

Defines the name of the folder where the password is stored.

Maximum length: 160

Default: Root

Parameter: Object

Defines the name of the password object to retrieve.

Maximum length: 165

Parameter: Query

Defines a query for the location and retrieval of the secret. This query enables you to include additional CyberArk properties.

Maximum length: 2048 characters

The query has the following format:

  • The query must uniquely define a single secret.

  • For more information about properties that you can include in the query, see CyberArk Documentation.

  • Properties and values are subject to CyberArk restrictions.

  • The query format is Exact. Regular expressions are not supported.

Parameter: Reason

Secret types:

  • Secret:CyberArkVault:Basic

  • Secret:CyberArkVault:QueryBased

Defines the reason for the request.

Maximum length: 344
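The following pre-deployment check is an added example, not BMC code: it walks a definitions tree, flags literal strings left in password-type fields, and validates CyberArk secret objects against the maximum lengths and the centralized-profile restriction stated above. It assumes that any field whose name contains "pass" is password-type; the profile name HIVE-CP and the sample values are constructed.

```python
# Maximum lengths come from the parameter table on this page.
MAX_LEN = {"AppID": 128, "Safe": 28, "Folder": 160, "Object": 165,
           "Query": 2048, "Reason": 344}
CYBERARK_TYPES = {"Secret:CyberArkVault:Basic", "Secret:CyberArkVault:QueryBased"}

def check_secret(path, secret, centralized):
    """Validate one {"Secret": ...} value; findings never echo secret data."""
    if isinstance(secret, str):  # Control-M vault reference by secret name
        return [] if secret else [f"{path}: empty secret name"]
    if not isinstance(secret, dict):
        return [f"{path}: Secret must be a name or an object"]
    findings = []
    if secret.get("Type") not in CYBERARK_TYPES:
        findings.append(f"{path}: unknown secret Type {secret.get('Type')!r}")
    if not centralized:
        findings.append(f"{path}: external vault secret outside a centralized profile")
    for key, limit in MAX_LEN.items():
        if len(str(secret.get(key, ""))) > limit:
            findings.append(f"{path}: {key} exceeds {limit} characters")
    return findings

def lint(node, path="$", centralized=False):
    """Walk a definitions tree (parsed JSON) and collect findings."""
    findings = []
    if isinstance(node, dict):
        centralized = centralized or node.get("Centralized") is True
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(value, dict) and "Secret" in value:
                findings += check_secret(here, value["Secret"], centralized)
            elif "pass" in key.lower() and isinstance(value, str) and value:
                # Assumption: a field whose name contains "pass" is password-type.
                findings.append(f"{here}: literal value in a password-type field")
            else:
                findings += lint(value, here, centralized)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += lint(item, f"{path}[{i}]", centralized)
    return findings

# Constructed sample: a plaintext password and a Safe name over the 28 limit.
SAMPLE = {
    "HIVE-CP": {"Hive": {"User": "emuser", "Password": "example-plaintext"}},
    "NEW-CCP": {"Centralized": True, "AI-RunAs-Pass": {"Secret": {
        "Type": "Secret:CyberArkVault:Basic", "AppID": "finance",
        "Safe": "s" * 29, "Object": "oracleSalaryService"}}},
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

Run it over the parsed JSON file (for example, the result of `json.load`) before deployment and fail the pipeline when the returned list is not empty.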