You can add references to secrets that are stored in supported external vaults so that
users and applications can retrieve the content of the secrets as needed.
Permissions you need for this task
To add references to secrets that are stored in external vaults, you must meet the following requirements:
- You have the Add vaults permission.
- You are the owner of the external vault.
When you need to complete this task
You can complete this task any time after Cloud Pak for Data is installed, whenever you need to add a reference to
a secret that is stored in an external vault.
About this task
You can add references to secrets that are stored in external vaults when you first add the vault integration, or anytime after the vault integration is
added. You can edit the details of secrets in a vault at any time. The secret and its content must
exist in the external vault. You add the link to the existing secret that enables users and
applications to retrieve the secret content from the external vault. You do not add the actual
secret content from the external vault in Cloud Pak for Data.
Procedure
To add a reference to a secret in an external vault:
- From the navigation menu, select .
- Open the Vaults and secrets tab.
On the Vaults tab, you can view all of the vaults
that are associated with the cluster and that you either created or have permission to manage. On
the Secrets tab, you can view all of the secrets that you created or that
have been shared with you, and any secrets that you have permission to manage.
- On the Secrets tab, click Add
secret.
- Enter a name and an optional description for the
secret.
Only alphanumeric characters and hyphens can be used in the
Name field.
- Select the vault that you are adding the secret to.
- Select the type of information that is stored in the secret that you are adding a reference to in the external vault. The type of information varies depending on the type of vault, as follows:
  - HashiCorp vaults
    HashiCorp vaults store key-value secrets. For Cloud Pak for Data to read a secret as a particular type (credentials, key, token, SSL certificate, or custom), the fields that the type requires must be present when the secret is written to the vault.
    - Username and password: The secret in the HashiCorp vault stores a username and password for authentication.
    - Key: The secret in the HashiCorp vault stores a key for authentication.
    - Token: The secret in the HashiCorp vault stores a token for authentication.
    - SSL certificate: The secret in the HashiCorp vault stores an SSL certificate for authentication.
    - Custom: The secret in the HashiCorp vault stores custom information. A custom secret does not have to contain the fields that the other secret types require.
  - CyberArk vaults
    - Username and password: The secret in the CyberArk vault stores a username and password for authentication.
    - Key: The secret in the CyberArk vault stores a key for authentication.
    - Custom: The secret in the CyberArk vault stores a JSON blob with multiple fields instead of a single password.
- Enter the secret details, as follows:
  - HashiCorp
    - Secret path: The path to the secret in the HashiCorp vault.
  - CyberArk
    - Safe: The safe where the secret is stored in the CyberArk vault.
    - Account name: The name of the account in the CyberArk vault.
- Select the users and groups that you want to share the secret
with.
Those users can access only the secret that you share. They do not have access to
the vault or any other secrets in the vault. You cannot share secrets that are shared with
you.
- Click Add secret.
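Because Cloud Pak for Data stores only the link and not the secret content, a reference that points at a missing secret, or at a secret without the fields its type needs, fails only when a user or service tries to use it. The following Python script is an added example for the HashiCorp case and is not IBM's code. It assumes the secret lives in a KV version 2 engine (so the HTTP read path carries a data/ segment that the Secret path field does not), and it uses hypothetical field names per secret type because the page does not list them. The Vault response it checks is a constructed sample.

```python
import re

# Reference names in the Add secret dialog may use only alphanumerics and hyphens.
NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")

# Assumed field names per secret type. The page says only that each type needs
# "specific fields"; these names are hypothetical placeholders, not IBM's.
REQUIRED_FIELDS = {
    "username_password": {"username", "password"},
    "key": {"key"},
    "token": {"token"},
    "ssl_certificate": {"certificate"},
    "custom": set(),  # custom secrets carry whatever fields you choose
}


def valid_reference_name(name: str) -> bool:
    """True if the name satisfies the alphanumeric-and-hyphen rule."""
    return bool(NAME_RE.fullmatch(name))


def kv2_read_path(mount: str, secret_path: str) -> str:
    """HTTP API path that reads a KV v2 secret: /v1/<mount>/data/<path>.

    Assumption: the secret is in a KV version 2 engine. The Secret path you
    enter in Cloud Pak for Data is the logical path (no 'data/' segment);
    the 'data/' segment belongs to the API path only.
    """
    return f"/v1/{mount.strip('/')}/data/{secret_path.strip('/')}"


def missing_fields(secret_type: str, kv2_response: dict) -> list:
    """Return the required fields absent from a KV v2 read response body.

    A KV v2 read returns {"data": {"data": {...fields...}, "metadata": {...}}}.
    """
    fields = kv2_response.get("data", {}).get("data", {})
    return sorted(REQUIRED_FIELDS[secret_type] - set(fields))


def preflight(name: str, secret_type: str, kv2_response: dict) -> list:
    """Collect everything that would make the reference unusable."""
    problems = []
    if not valid_reference_name(name):
        problems.append(f"name {name!r}: only alphanumerics and hyphens allowed")
    if secret_type not in REQUIRED_FIELDS:
        problems.append(f"unknown secret type {secret_type!r}")
        return problems
    for field in missing_fields(secret_type, kv2_response):
        problems.append(f"secret lacks required field {field!r}")
    return problems


# Constructed sample: the body Vault returns for
#   GET /v1/secret/data/cpd/db-creds
# after: vault kv put secret/cpd/db-creds username=dbuser password=REDACTED
SAMPLE_RESPONSE = {
    "data": {
        "data": {"username": "dbuser", "password": "REDACTED"},
        "metadata": {"version": 1, "destroyed": False},
    },
}

if __name__ == "__main__":
    print(kv2_read_path("secret", "cpd/db-creds"))
    print(preflight("db-creds-prod", "username_password", SAMPLE_RESPONSE))
    print(preflight("db_creds", "token", SAMPLE_RESPONSE))
```

Run it against the JSON that vault kv get -format=json (or a GET on the path kv2_read_path builds) returns for the secret you intend to reference; an empty problem list means the name and the field layout are ready for the Add secret dialog. The script never needs the secret values themselves, only the field names, so it can run without copying secret content out of the vault.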
Results
The reference to the secret in the external vault is created and it
is shared with any users that you specified. You can update the details of the secret reference as
necessary. The reference to the secret enables Cloud Pak for Data users and services to retrieve the secret from
the external vault. Users that are assigned the Manage secrets and vaults permission and have
access to the vault can remove the reference to the secret.