Requiring users to use secrets for credentials when creating connections

When a user creates a connection, they can provide their credentials by entering them directly or by specifying a secret. A Red Hat® OpenShift® administrator can configure Cloud Pak for Data to enforce the exclusive use of secrets from an external vault (such as CyberArk or HashiCorp).

Permissions that you need for this task
You must have the following permissions to restrict user access to connections with external vault secrets.
  • Administrator of the Red Hat OpenShift project (namespace) where Cloud Pak for Data is installed.
When you need to complete this task
You can complete this task anytime after Cloud Pak for Data is installed.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

A Red Hat OpenShift project (namespace) administrator can edit the config-wdp-connect-connection configuration map to set allow-only-vaulted-credentials to true.

Procedure

  1. Log in to your Red Hat OpenShift cluster as a project administrator.
    oc login ${OCP_URL}
  2. Change to the project where Cloud Pak for Data is installed.
    oc project ${PROJECT_CPD_INSTANCE}
  3. Run the following command to edit the Cloud Pak for Data config-wdp-connect-connection configuration map.
    oc edit configmap config-wdp-connect-connection
  4. Change the allow-only-vaulted-credentials parameter value to true (the default value is false).
    allow-only-vaulted-password: "true"
  5. Save your changes and exit. For example, if you are using vi, press Esc and enter :wq.
  6. Delete the relevant pods:
    oc delete pods -l app=wdp-connect-connection
    oc delete pods -l app=wdp-connect-connector
  7. Verify that the pods return and are running:
    oc get pods -l app=wdp-connect-connection
    oc get pods -l app=wdp-connect-connector
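
A scripted form of the step 7 check, as an added example that is not part of the original procedure: it confirms that the setting reads "true" in the configuration map and that both sets of pods came back Running and ready. The function names are hypothetical, and the key name is passed as an argument because this page writes it as allow-only-vaulted-credentials in the text and allow-only-vaulted-password in the step 4 snippet.

```shell
#!/bin/sh
# Added example: checks that the vault-only setting is in effect.
# Function names are hypothetical; they are not part of Cloud Pak for Data.
# Usage after steps 1 and 2:  audit <key-name-as-stored-in-your-configmap>

# cm_value KEY: print the value of KEY from the data: section of a
# ConfigMap supplied as YAML on stdin (oc get configmap NAME -o yaml).
cm_value() {
  awk -v k="$1" '
    /^data:/ { in_data = 1; next }
    in_data && /^[^ ]/ { in_data = 0 }        # left the data: block
    in_data {
      line = $0; sub(/^ +/, "", line)
      if (index(line, k ":") == 1) {          # exact key match, not a prefix
        v = substr(line, length(k) + 2)
        gsub(/^ +| +$/, "", v); gsub(/^"|"$/, "", v)
        print v; exit
      }
    }'
}

# vault_only_enforced KEY: succeed only if KEY is exactly "true".
# A missing key counts as not enforced (the page gives false as the default).
vault_only_enforced() {
  [ "$(cm_value "$1")" = "true" ]
}

# pods_ready: read `oc get pods --no-headers` output on stdin; succeed only if
# at least one pod is listed and every pod is Running with all containers ready.
pods_ready() {
  awk '
    NF { n++; split($2, r, "/"); if ($3 != "Running" || r[1] != r[2]) bad++ }
    END { exit ((n > 0 && bad == 0) ? 0 : 1) }'
}

# audit KEY: live check against the cluster.
audit() {
  oc get configmap config-wdp-connect-connection -o yaml | vault_only_enforced "$1" || {
    echo "FAIL: $1 is not \"true\""; return 1; }
  for app in wdp-connect-connection wdp-connect-connector; do
    oc get pods -l "app=$app" --no-headers | pods_ready || {
      echo "FAIL: $app pods are not all Running and ready"; return 1; }
  done
  echo "OK: vault-only credentials enforced and pods ready"
}
```

A pod that is Running but not yet ready (for example 0/1) fails the check, so run it again after the restarted pods finish starting.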

Results

Cloud Pak for Data is configured for the exclusive use of external vault secrets for connections.