We currently have an integration between our ServiceNow MID Server and HashiCorp Vault where the MID Server uses the Vault Credential Resolver to authenticate with Vault using a token and retrieve credentials from a configured path. At present, we are using the AD Secrets Engine, and the credential ID configured in ServiceNow points to a path of the format ad/creds/<role_name>, from which the MID Server fetches a username and password for an Active Directory service account to perform discovery and related operations. This setup works as expected and relies on Vault returning credentials in a simple username/password format via a path-based lookup.
However, we are planning to upgrade HashiCorp Vault, and the AD Secrets Engine is being deprecated and will no longer be supported in upcoming versions. As a result, we need to identify an alternative approach that preserves the current integration pattern, particularly the ability for the MID Server to fetch credentials using a Vault path with minimal changes on the ServiceNow side. We evaluated the LDAP Secrets Engine using static roles (ldap/static-cred/<role_name>) as a potential replacement since it appears to provide similar functionality, including returning username and password and supporting password rotation for existing AD accounts. However, during testing of the LDAP Secrets Engine, we encountered errors when attempting to retrieve credentials from the static-cred path, and we are currently unsure whether this approach is the correct long-term replacement or if there are configuration issues causing the failures.
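As an added illustration (not part of the original post and not the Vault Credential Resolver's own code), a small Python normalizer that accepts the response JSON read from either an ad/creds/<role_name> or an ldap/static-cred/<role_name> path and returns the same username/password pair the MID Server side expects. The role name `discovery`, the request IDs and the sample responses are constructed; the field names follow the documented output of the two engines (the AD engine labels the live password `current_password`, the LDAP engine labels it `password`).

```python
import json
from typing import Dict, Tuple

# Constructed sample responses (not captured from a real Vault server).
AD_CREDS_RESPONSE = json.loads('''{
  "request_id": "c0ffee00-0000-4000-8000-000000000001",
  "data": {"username": "svc-discovery", "current_password": "Example-Pw-1",
           "last_password": "Example-Pw-0"}
}''')
LDAP_STATIC_CRED_RESPONSE = json.loads('''{
  "request_id": "c0ffee00-0000-4000-8000-000000000002",
  "data": {"dn": "CN=svc-discovery,OU=Service,DC=example,DC=com",
           "username": "svc-discovery", "password": "Example-Pw-2",
           "last_password": "Example-Pw-1", "ttl": 3600,
           "rotation_period": 86400, "last_vault_rotation": "2024-01-01T00:00:00Z"}
}''')

# Which key carries the live password, selected by the engine's path prefix.
PASSWORD_KEY_BY_PREFIX = {"ad/creds/": "current_password",
                          "ldap/static-cred/": "password"}


class CredentialShapeError(ValueError):
    """The Vault response does not carry a usable username/password pair."""


def engine_prefix(path: str) -> str:
    """Return the known engine prefix for a credential path, or raise."""
    for prefix in PASSWORD_KEY_BY_PREFIX:
        if path.startswith(prefix):
            return prefix
    raise CredentialShapeError(f"unsupported credential path: {path}")


def normalize_credential(path: str, response: Dict) -> Tuple[str, str]:
    """Map either engine's response to the (username, password) pair."""
    data = response.get("data")
    if not isinstance(data, dict):
        # Vault answers 403/404 with {"errors": [...]}; report that, not a KeyError.
        raise CredentialShapeError(f"no data in response: {response.get('errors', response)}")
    pw_key = PASSWORD_KEY_BY_PREFIX[engine_prefix(path)]
    missing = [k for k in ("username", pw_key) if not data.get(k)]
    if missing:
        raise CredentialShapeError(f"{path}: missing {missing}; got keys {sorted(data)}")
    return data["username"], data[pw_key]


def check_credential(path: str, response: Dict) -> str:
    """Return '' when the response is usable, otherwise the diagnostic message."""
    try:
        normalize_credential(path, response)
        return ""
    except CredentialShapeError as exc:
        return str(exc)
```

Running `check_credential` against a saved `vault read -format=json` response is a quick way to tell a wrong field layout apart from a policy or path error before touching the ServiceNow side.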