Using secrets from vaults in connections

For enhanced security, you can use secrets that are stored in a vault for credentials and for SSL certificates.

In connections, a secret contains sensitive data, such as a password or an API key that provides access to a data source. Secrets are stored in a vault, which is a secure platform-level repository or a secure external repository. From the Create connection page, you can add a vault and secrets for accessing data sources.

In Cloud Pak for Data, for most services, secrets can be used only for connections with personal credentials. For exceptions that allow you to use shared credentials in a secret in a vault, see Tools that support shared credentials.

In the Create connection page, under the Credentials section, select Use secrets from a vault.

Prerequisites

  • The administrator must enable the Cloud Pak for Data internal vault or set up an integration with an external vault.
  • A secret must be shared with you by another user, or the administrator must grant you the Add vault permission so that you can add a vault and secrets.
  • The service must support secrets. See Services that support connections that use secrets from vaults.

For administration instructions, see:

Adding a vault

If you have not already added a secret or no secrets have been shared with you by another user, the Add a vault button is displayed. Click Add a vault and follow the wizard. When you add a vault, you must add at least one secret. When you return to the Create connection page, click the Reload link. The secrets that you added to the vault are now available to you.

Adding a secret to a vault

If you have access to a vault, the Add a secret button is displayed. Click Add a secret to select the vault and create the secret.

Using a secret for the connection

The secrets that are available to you in the Create connection page are secrets that you own (you added them to a vault) or secrets that are shared with you by another user. You see the display name for the secret, but not the contents of the secret.

In the Create connection page, for each field, select the secret and its value for that field. If you use a secret for credentials, you must use a secret for each credential field.

For SSL certificates, select Port is SSL-enabled. SSL certificates can have their own secrets so you can use secrets for credentials, SSL certificates, or both.

Migrating connections from an earlier version of Cloud Pak for Data

If you are migrating from an earlier version of Cloud Pak for Data, existing connections continue to use the plain text entries (Enter credentials manually). You can edit connections with personal credentials and change them to use secrets. If you have connections with shared credentials, you must re-create them if you want to use secrets.

Enforced vault and secrets

An administrator can set a policy that requires all connections to use an external vault and secrets for credentials and SSL certificates. In this case, plain text entries will not be available in the user interface. The administrator task is Requiring users to use secrets for credentials when creating connections.
