Managing secrets and vaults

Cloud Pak for Data includes an internal vault that you can use to store secrets. You can also connect to external vaults where you already store sensitive information as secrets.

You can use secrets in Cloud Pak for Data when you create connections to ensure that sensitive data, such as credentials, is secure and encrypted.

Overview of secrets and vaults

A secret contains sensitive data. You can use secrets to store a variety of information, such as:

  • Usernames and passwords
  • SSL certificates
  • API keys
  • Authentication tokens

A vault is a secure place to store and manage secrets. Cloud Pak for Data includes an internal vault. If you have a supported enterprise-grade vault, you can also connect to external vaults.

Secrets offer several advantages over traditional plain-text entry:
  • The information in the secret is stored in a secure and encrypted environment that conforms to your organization's policies.
  • The services and connections that use the secret do not have direct access to the information in the secret.
  • The information in the secret can be updated once. The change is automatically picked up by all services or connections that use the secret.

Services that support connections that use secrets from vaults

When you create a platform connection, you can use secrets to specify the required credentials for the connection. The following services support connections that use secrets instead of plain-text credentials:

  • Analytics Engine Powered by Apache Spark
  • Data Privacy
  • Data Refinery
  • DataStage®
  • Db2® Big SQL
  • Decision Optimization
  • IBM® Match 360 with Watson™
  • Informix®
  • OpenPages®
  • RStudio® Server Runtimes
  • SPSS® Modeler
  • Watson Knowledge Catalog
  • Watson Machine Learning Accelerator
  • Watson OpenScale
  • Watson Query
  • Watson Studio
  • Watson Studio Runtimes
Tools that support shared credentials in connections that use secrets from vaults
Most Cloud Pak for Data services require personal credentials if the credentials are stored in a secret. However, the following services and tools allow you to use shared credentials from a secret:
  • Notebooks (Watson Studio).
    You can use shared credentials from a secret when you access connections to load data to a notebook cell by running code that is generated for you.
For more information about using secrets and vaults in connections, see Using secrets from vaults in connections.

Internal vault

By default, Cloud Pak for Data includes an internal vault. However, a cluster administrator or instance administrator can optionally disable the internal vault.

Data that is stored in this vault is encrypted. However, the internal vault is intended primarily for proof-of-concept demonstrations. In production environments, it is strongly recommended that you connect to an enterprise-grade external vault.

What permissions do I need to add secrets to the internal vault?
You do not need any permissions to add secrets to the internal vault. All Cloud Pak for Data users can add secrets to the internal vault.

You can manage your secrets in the internal vault from the Administration > Configurations > Vaults and secrets page. For more information, see Adding secrets to the internal vault.

Note: A user with the Manage vaults and secrets permission can:
  • View the list of secrets (but not the content of the secrets) in the internal vault
  • Delete secrets from the internal vault
What can I store in the internal vault?
You can store the following types of data in a secret in the internal vault:
  • Username and password
  • Key
  • Token
  • SSL Certificate
  • Custom secrets
Can I share my secrets with other users?
By default, you can share secrets with other users. However, a cluster administrator or an instance administrator can optionally disable secret sharing.

External vaults

You can integrate Cloud Pak for Data with the following types of external vaults:
  • CyberArk Application Access Manager (CyberArk AAM)
  • HashiCorp

After you integrate with an external vault, you can specify which secrets in the vault can be used in Cloud Pak for Data. Secrets are created and stored in the external vault. The contents of the secrets are not exposed in Cloud Pak for Data, and the secrets cannot be modified in Cloud Pak for Data. Secrets in an external vault can be managed only through the external vault interface.

Important: Cloud Pak for Data connections and services can retrieve secrets from the external vault only on behalf of an authorized user.
What permissions do I need to use secrets from an external vault?
To integrate Cloud Pak for Data with an external vault or add secrets from an external vault, you must have the Add vaults permission.
Note: A user with the Manage vaults and secrets permission can:
  • View the list of connected vaults
  • View the list of the secrets (but not the content of the secrets) in each vault
  • Remove external vaults
  • Remove secrets added from an external vault
What types of secrets can I use from an external vault?
The type of secrets that you add from an external vault depend on the type of vault that you integrate with:
CyberArk AAM
  • Username and password
  • Key
  • Custom secret

For more information about CyberArk vaults, see the CyberArk documentation.

HashiCorp
  • Username and password
  • Key
  • Token
  • SSL certificate
  • Custom secret
Can I share my secrets with other users?
To share secrets with other users, you must have the Share secrets permission. However, a cluster administrator or an instance administrator can optionally disable secret sharing.