Requiring users to use secrets for credentials when creating connections

Important: IBM Cloud Pak® for Data Version 4.6 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.

Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.6 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.

When a user creates a connection, they can provide their credentials by entering them directly or by specifying a secret. A Red Hat® OpenShift® administrator can configure Cloud Pak for Data to enforce the exclusive use of secrets from an external vault (such as CyberArk or HashiCorp).

Permissions that you need for this task
You must have the following permissions to restrict user access to connections with external vault secrets.
  • Administrator of the Red Hat OpenShift project (namespace) where Cloud Pak for Data is installed.

When you need to complete this task
You can complete this task anytime after Cloud Pak for Data is installed.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

A Red Hat OpenShift project (namespace) administrator can edit the config-wdp-connect-connection configuration map to set allow-only-vaulted-credentials to true.

Procedure

  1. Log in to your Red Hat OpenShift cluster as a project administrator.
    oc login ${OCP_URL}
  2. Change to the project where Cloud Pak for Data is installed.
    oc project ${PROJECT_CPD_INSTANCE}
  3. Run the following command to edit the Cloud Pak for Data config-wdp-connect-connection configuration map.
    oc edit configmap config-wdp-connect-connection
  4. Change the allow-only-vaulted-credentials parameter value to true (the default value is false).
    allow-only-vaulted-password: "true"
  5. Save your changes and exit. For example, if you are using vi, press Esc and enter :wq.
  6. Delete the relevant pods:
    oc delete pods -l app=wdp-connect-connection
    oc delete pods -l app=wdp-connect-connector
  7. Verify that the pods return and are running:
    oc get pods -l app=wdp-connect-connection
    oc get pods -l app=wdp-connect-connector

Results

Cloud Pak for Data is configured for the exclusive use of external vault secrets for connections.
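
The following check is an added example, not part of the IBM procedure or product code: it confirms from command output that the flag is set to true and that the restarted pods are back. The function names and the sample input are assumptions made for illustration. Because the procedure names the parameter allow-only-vaulted-credentials in the step text and shows allow-only-vaulted-password in the sample line, the check accepts either spelling.

```shell
#!/bin/sh
# Added example (not IBM's code): checks to run after step 7.

# stdin: output of `oc get configmap config-wdp-connect-connection -o yaml`
# Prints "<key>=<value>" for each flag found under the top-level data: block.
# Both spellings that appear on this page are accepted.
vault_flag_lines() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }
    /^[^ \t]/       { in_data = 0 }   # next top-level key closes data:
    in_data && $1 ~ /^allow-only-vaulted-(credentials|password):$/ {
      key = $1; sub(/:$/, "", key)
      val = $2; gsub(/[^A-Za-z]/, "", val)   # drop quotes
      print key "=" tolower(val)
    }'
}

# Returns 0 only if the flag is present and every occurrence is "true".
vault_only_enforced() {
  lines=$(vault_flag_lines)
  [ -n "$lines" ] || { echo "flag not set (default is false)"; return 1; }
  printf '%s\n' "$lines"
  ! printf '%s\n' "$lines" | grep -qv '=true$'
}

# stdin: output of `oc get pods -l app=<label> --no-headers`
# Returns 0 if at least one pod is listed and all are Running and fully ready.
pods_all_running() {
  awk '{ n++; split($2, r, "/")
         if ($3 != "Running" || r[1] != r[2]) bad++ }
       END { exit !(n > 0 && bad == 0) }'
}

# Constructed sample input, not real cluster output.
sample_configmap() {
  cat <<'EOF'
apiVersion: v1
data:
  allow-only-vaulted-password: "true"
kind: ConfigMap
metadata:
  name: config-wdp-connect-connection
EOF
}

sample_configmap | vault_only_enforced
```

Against a cluster, pipe `oc get configmap config-wdp-connect-connection -o yaml` into `vault_only_enforced`, and pipe `oc get pods -l app=wdp-connect-connection --no-headers` (then the same for `app=wdp-connect-connector`) into `pods_all_running`.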