Managing secrets and vaults

Cloud Pak for Data includes an internal vault that you can use to store secrets. You can also connect to external vaults where you already store sensitive information as secrets. You can use the secrets in Cloud Pak for Data. For example, you can use secrets when you create connections to ensure that your credentials are secure and encrypted.

Overview of secrets and vaults

A secret contains sensitive data, such as a username and password or an API key. A vault is a secure place to store and manage secrets. Using vaults and secrets is more secure than plain-text entry. You can use secrets to store a variety of information, such as:
  • Usernames and passwords
  • SSL certificates
  • API keys
  • Authentication tokens

By default, Cloud Pak for Data includes an internal vault that you can use to store secrets. The vault is accessible only through the Credentials and Secrets API unless a Red Hat® OpenShift® project (namespace) administrator enables the vaults interface in the web client. For more information, see Enabling vaults for the Cloud Pak for Data web client.

After the administrator enables the vaults interface in the web client, you can also connect to external vaults. When you connect to an external vault, you can specify the secrets that you want to use in Cloud Pak for Data. Secrets are not directly managed through Cloud Pak for Data services; secrets are stored in the external vault and are managed through the external vault interface. When a user has the appropriate authorization or permission, Cloud Pak for Data connections or services can retrieve secrets from the external vault by using the external vault’s Credentials and Secrets API.

Important: Cloud Pak for Data connections and services can retrieve secrets from the external vault only on behalf of an authorized user.

You can use secrets when you create connections to external data sources and services. Secrets offer several advantages over traditional plain-text entry:
  • The information in the secret is stored in a secure and encrypted environment that conforms to your organization's policies.
  • The services and connections that use the secret do not have direct access to the information in the secret.
  • The information in the secret can be updated once and the change is automatically picked up by all services or connections that use the secret.

Services that support connections that use secrets from vaults

When you create a platform connection, you can use secrets to specify the required credentials for the connection. The following services support connections that use secrets instead of plain-text credentials:

  • Data Virtualization
  • Decision Optimization
  • Execution Engine for Apache Hadoop
  • OpenPages®
  • Watson™ Knowledge Catalog
  • Watson Studio
    Note: For Watson Studio, only Jupyter Notebooks support connections using secrets from vaults.
  • Watson Studio Runtimes

For more information about using secrets and vaults in connections, see Using secrets from vaults in connections.

Services that support vaults, but do not support connections that use secrets from vaults

  • Common core services

Permissions for working with secrets and vaults

The information that you see and the tasks that you can perform when you work with secrets and vaults depend on your permissions. Permissions are assigned to users through roles. The following permissions deal with secrets and vaults:
  • Add vault
  • Manage secrets and vaults
  • Share secrets

For more information, see Predefined roles and permissions.

External vaults

Secrets are created in the external vault and you configure integrations between the external vault and Cloud Pak for Data, which authorizes the vault for use when you connect to Cloud Pak for Data services. You can integrate Cloud Pak for Data with the following types of external vaults:

CyberArk Application Access Manager (CyberArk AAM)
When you integrate with CyberArk vaults, you can add secrets to store username and password credentials and keys. For more information about CyberArk vaults, see the CyberArk documentation.

HashiCorp
When you integrate with HashiCorp vaults, key value secrets are created. To store secrets in the required formats (such as credentials, keys, tokens, SSL certificates, and custom), specific fields must be added when secrets are stored. For more information about HashiCorp vaults, see the HashiCorp Vault documentation.

Internal vault

The Cloud Pak for Data platform includes an internal vault that you can use to store, retrieve, and manage your credentials, tokens, or certificates. Data that is stored in this vault is encrypted. You can use the internal vault to store secrets in one place and reference those secrets in many places, and you can share and reuse the secrets. This vault can be a substitute for external vaults. When you use the internal vault, you configure the vault secrets and store the contents of the secrets, such as credentials.

By default, the internal vault is available only through the Credentials and Secrets API after Cloud Pak for Data is installed. For more information, see Managing secrets with the Credentials and Secrets API. You can enable vaults in the Cloud Pak for Data web client after Cloud Pak for Data is installed. You can disable the internal vault for the Cloud Pak for Data web client at any time. You can add secrets to the internal vault to store username and password credentials and keys, and you can create custom secrets.

When the internal vault is enabled and a user has no vault-related permissions, the user can still add secrets to the internal vault and use or reference those secrets on the platform. The vaults and secrets page in Administration > Configurations is intended for all platform users. Users can review the vaults and secrets page to determine the vaults and secrets to which they have access.