Secret Management Services
Currently, the only supported provider is Azure Key Vault. |
You can create integrations between ONE and secret management services. This means you can provide access to your central storage locations and retrieve secrets from them when connecting to a data source, allowing for more secure storage and management of application secrets and keys.
This page includes references to Azure AD which you might also know as Microsoft Entra ID. |
Create new secret management integration
Secret Management Service integrations can be created by users with editing or full access rights to the Vault entity.
For more information, see Governance Roles.
|
-
Select Global Settings and then under Application Settings, select Secret management.
-
Select Add
-
Provide the following information:
-
General
-
Provider: The key vault or secret manager you are connecting to.
Azure Key Vault is pre-selected as the only currently supported option. -
Name: A unique name for this service.
-
URL: The complete URL of the Azure Key Vault.
-
Description (Optional): A description for this service.
-
-
Authentication
-
Method: Select from the options provided.
-
Azure AD Client Credential
-
Tenant ID: The unique identifier of the Azure AD instance within your Azure subscription (string). Also known as 'directory' ID. This takes the following form (GUID):
ab12c456-789d-01ef-gg22-3h44i5jkl67m
. -
Client ID: The unique identifier of the application created in Azure AD (string). Also known as Application ID. This takes the following form (GUID):
cd12e456-789f-01gh-ii22-3j44k5lmn67o
. -
Client secret: The client secret for Azure Key Vault (string).
-
-
Azure AD Managed Identity:
-
Client ID (Optional): The authentication key string associated with the selected managed identity.
If you want to use Azure AD Managed Identity, the Data Processing Engine (DPE) must be installed in your Azure cloud subscription on a virtual machine (VM) instance, and a Managed Role must be assigned in the Microsoft Azure Portal. To fulfill this requirement, if you are using ONE Portal, the DPE must be installed in hybrid mode. See Hybrid Deployment.
If you have multiple DPEs running, you might need to specify additional constraints. See Constraints Configuration.
-
-
-
-
-
Select Test to test the connection.
If the connection is successful, select Save. Otherwise, verify that your configuration is correct.
Use credentials from secret management service in connections
When you create new connections for data sources, you can retrieve credentials from the integrated secret management services, instead of adding them manually.
For more information about creating connections to data sources, see Connect to a Source. |
Instead of providing the values themselves (for example, the password or client secret), you need to provide the name under which that value is saved (i.e., the key part of a key-value pair), for example:
-
Name:
oracle-prod-pw
-
Value:
0aaa12…3ab
Use the guides below to retrieve details from an integrated secret management service when adding credentials for a connection:
Example using username and password
-
In Data Catalog > Sources > [Your source] > Add Connection, select Add Credentials.
-
Select Credential type from the options provided:
-
Username and password
-
Name: A unique name for this set of credentials.
-
Description (Optional): A description for this service.
-
Username
You can enable Use secret management service to retrieve the username, but it is not necessary as usernames can generally be shared and entered manually. -
Password
-
Enable Use secret management service using the toggle.
-
Password (secret name): Enter the name under which the password is stored in your key vault. For example,
oracle-prod-password
.Essentially, secret name is the name the password is stored under in your key vault or secret manager.
-
-
Select a secret management service: Using the dropdown options, select the secret management service in which the required secrets are contained.
-
-
-
Select Test to test the connection. If the connection is successful, select Save. Otherwise, verify that your configuration is correct.
Example using Azure AD Client Credential
-
In Data Catalog > Sources > [your source] > Add Connection, select Add Credentials.
-
Select Credential type from the options provided:
-
Azure AD Client Credential
-
Name: A unique name for this set of credentials.
-
Description (Optional): A description for this service.
-
Client ID:
-
Enable Use secret management service using the toggle.
-
Client ID (secret name): Enter the name under which the Client ID is stored in your key vault. For example,
adls-container-client-id
.Essentially, secret name is the name the respective Client ID, Client Secret, etc., are stored under in your key vault or secret manager.
-
-
Client secret:
-
Enable Use secret management service using the toggle.
-
Client Secret (secret name): Enter the name under which the Client Secret is stored in your key vault. For example,
adls-container-client-secret
.
-
-
Tenant ID: The unique identifier of the Azure AD instance within your Azure subscription (string). Also called its 'directory' ID.
-
Select a secret management service: Using the dropdown options, select the secret management service in which the required secrets are contained.
-
-
-
Select Test to test the connection. If the connection is successful, select Save. Otherwise, verify that your configuration is correct.
Next steps
Once you have configured a Secret Management Service, you can retrieve credentials from it when connecting to data sources. Head to Connect to a Source and select the instructions relevant for your connection, for example:
Was this page useful?