Adding references to secrets in external vaults

You can add references to secrets that are stored in supported external vaults so that users and applications can retrieve the content of the secrets as needed.

Permissions you need for this task

To add references to secrets in external vaults, you must have the following permissions:
  • Add vaults permission.
  • Owner of the external vault.

When you need to complete this task

You can complete this task anytime after Cloud Pak for Data is installed and you need to add a reference to a secret that is stored in an external vault.

About this task

You can add references to secrets that are stored in external vaults when you first add the vault integration, or anytime after the vault integration is added. You can edit the details of secrets in a vault at any time. The secret and its content must exist in the external vault. You add the link to the existing secret that enables users and applications to retrieve the secret content from the external vault. You do not add the actual secret content from the external vault in Cloud Pak for Data.

Procedure

To add a reference to a secret in an external vault:

  1. From the navigation menu, select Administration > Configurations.
  2. Open the Vaults and secrets tab.
    On the Vaults tab, you can view all of the vaults that are associated with the cluster and that you either created or have permission to manage. On the Secrets tab, you can view all of the secrets that you created or that have been shared with you, and any secrets that you have permission to manage.
  3. On the Secrets tab, click Add secret.
  4. Enter a name and an optional description for the secret.
    The name can contain only alphanumeric characters and hyphens.
  5. Select the vault that you are adding the secret to.
  6. Select the type of information that is stored in the secret:

    HashiCorp vault
    Secret type            Details
    Username and password  The secret is used to store a username and password for authentication.
    Key                    The secret is used to store a key for authentication.
    Token                  The secret is used to store a token for authentication.
    SSL certificate        The secret is used to store an SSL certificate for authentication.
    Custom                 The secret is used to store custom information. The custom secret does include fields that are required by other secret types.

    CyberArk vault
    Secret type            Details
    Username and password  The secret is used to store a username and password for authentication.
    Key                    The secret is used to store a key for authentication.
    Custom                 The secret contains a JSON blob that contains multiple fields.

  7. Enter the secret details, as follows:

    HashiCorp vault
    Field         Details
    Secret path   The path to the secret in the vault.

    CyberArk vault
    Field         Details
    Safe          The safe where the secret is stored in the vault.
    Account name  The name of the account in the vault.

  8. Select the users and groups that you want to share the secret with.
    Those users can access only the secret that you share. They do not have access to the vault or any other secrets in the vault.

    You cannot share secrets that are shared with you.

  9. Click Add secret.
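
The constraints in the procedure above (name characters, the secret types each vault supports, the fields each vault needs, and the rule that a secret shared with you cannot be shared onward) can be checked before a reference is submitted, for example from an automation script. The following Python is an added example, not Cloud Pak for Data code; the SecretReference model and field names are assumptions, not the product's API.

```python
import re
from dataclasses import dataclass, field

# Rules taken from the procedure above. The request shape below is a
# constructed model for pre-flight checks, not the product's API.
NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")

# Secret types offered in step 6, per vault type.
SECRET_TYPES = {
    "hashicorp": {"username_password", "key", "token", "ssl_certificate", "custom"},
    "cyberark": {"username_password", "key", "custom"},
}

# Details asked for in step 7, per vault type.
REQUIRED_FIELDS = {
    "hashicorp": {"secret_path"},
    "cyberark": {"safe", "account_name"},
}


@dataclass
class SecretReference:
    name: str
    vault_type: str                      # "hashicorp" or "cyberark" (assumed labels)
    secret_type: str
    details: dict = field(default_factory=dict)
    share_with: list = field(default_factory=list)
    shared_with_me: bool = False         # constructed flag: reference was shared to the caller


def validate_secret_reference(ref: SecretReference) -> list:
    """Return a list of problems; an empty list means the reference is well formed."""
    problems = []
    if not NAME_RE.fullmatch(ref.name):
        problems.append("name may contain only alphanumeric characters and hyphens")
    if ref.vault_type not in SECRET_TYPES:
        problems.append("unsupported vault type %r" % ref.vault_type)
        return problems
    if ref.secret_type not in SECRET_TYPES[ref.vault_type]:
        problems.append("%s vaults do not support secret type %r" % (ref.vault_type, ref.secret_type))
    present = {k for k, v in ref.details.items() if v}
    for name in sorted(REQUIRED_FIELDS[ref.vault_type] - present):
        problems.append("missing required field %r" % name)
    if ref.shared_with_me and ref.share_with:
        problems.append("a secret that was shared with you cannot be shared onward")
    return problems
```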

Results

The reference to the secret is added to Cloud Pak for Data and it is shared with any users that you specified.

You can update the details of the secret reference as necessary.