Managing secrets and vaults
Cloud Pak for Data includes an internal vault that you can use to store secrets. You can also connect to external vaults where you already store sensitive information as secrets.
You can use secrets in Cloud Pak for Data when you create connections to ensure that sensitive data, such as credentials, is secure and encrypted.
- Overview of secrets and vaults
- Services that support connections that use secrets from vaults
- Internal vault
- External vaults
Overview of secrets and vaults
A secret contains sensitive data. You can use secrets to store a variety of information, such as:
- Usernames and passwords
- SSL certificates
- API keys
- Authentication tokens
A vault is a secure place to store and manage secrets. Cloud Pak for Data includes an internal vault. If you have a supported enterprise-grade vault, you can also connect to external vaults.
- The information in the secret is stored in a secure and encrypted environment that conforms to your organization's policies.
- The services and connections that use the secret do not have direct access to the information in the secret.
- The information in the secret can be updated once. The change is automatically picked up by all services or connections that use the secret.
Services that support connections that use secrets from vaults
When you create a platform connection, you can use secrets to specify the required credentials for the connection. The following services support connections that use secrets instead of plain-text credentials:
- Analytics Engine Powered by Apache Spark
- Data Privacy
- Data Refinery
- DataStage®
- Db2® Big SQL
- Decision Optimization
- IBM® Match 360 with Watson™
- Informix®
- OpenPages®
- RStudio® Server Runtimes
- SPSS® Modeler
- Watson Knowledge Catalog
- Watson Machine Learning Accelerator
- Watson OpenScale
- Watson Query
- Watson Studio
- Watson Studio Runtimes
Internal vault
By default, Cloud Pak for Data includes an internal vault. However, a cluster administrator or instance administrator can optionally disable the internal vault.
Data that is stored in this vault is encrypted. However, the internal vault is intended primarily for proof-of-concept demonstrations. In production environments, it is strongly recommended that you connect to an enterprise-grade external vault.
- What permissions do I need to add secrets to the internal vault?
- You do not need any permissions to add secrets to the internal vault. All Cloud Pak for Data users can add secrets to the internal
vault.
You can manage your secrets in the internal vault from the Adding secrets to the internal vault.
page. For more information, seeNote: A user with the Manage vaults and secrets permission can:- View the list of secrets (but not the content of the secrets) in the internal vault
- Delete secrets from the internal vault
- What can I store in the internal vault?
- You can store the following types of data in a secret in the internal vault:
- Username and password
- Key
- Token
- SSL Certificate
- Custom secrets
- Can I share my secrets with other users?
- By default, you can share secrets with other users. However, a cluster administrator or an instance administrator can optionally disable secret sharing.
External vaults
- CyberArk Application Access Manager (CyberArk AAM)
- HashiCorp
After you integrate with an external vault, you can specify which secrets in the vault can be used in Cloud Pak for Data. Secrets are created and stored in the external vault. The contents of the secrets are not exposed in Cloud Pak for Data, and the secrets cannot be modified in Cloud Pak for Data. Secrets in an external vault can be managed only through the external vault interface.
- What permissions do I need to use secrets from an external vault?
- To integrate Cloud Pak for Data with an external
vault or add secrets from an external vault, you must have the Add vaults
permission. For more information see:Note: A user with the Manage vaults and secrets permission can:
- View the list of connected vaults
- View the list of the secrets (but not the content of the secrets) in each vault
- Remove external vaults
- Remove secrets added from an external vault
- What types of secrets can I use from an external vault?
- The type of secrets that you add from an external vault depend on the type of vault that you
integrate with:
- CyberArk AAM
-
- Username and password
- Key
- Custom secret
For more information about CyberArk vaults, see the CyberArk documentation.
- HashiCorp
-
- Username and password
- Key
- Token
- SSL certificate
- Custom secret
- Can I share my secrets with other users?
- To share secrets with other users, you must have the Share secrets permission. However, a cluster administrator or an instance administrator can optionally disable secret sharing.