Ataccama ONE Agentic Cloud Portal ONE Desktop ONE DQ&C ONE MDM ONE RDM ONE Runtime Server
latest (17.0.0) 16.3.0 16.2.0 16.1.0 16.0.0 15.4.0 15.3.0 15.2.0 15.1.0 14.5.x 13.9.x 13.8.x 13.7.x 13.6.x 13.5.0 13.4.x 13.3.x 13.2.x
User Community Service Desk Downloads

HashiCorp Vault Integration

Integrate ONE with HashiCorp Vault to retrieve secrets when connecting to data sources.

Create new HashiCorp Vault integration

  1. Go to Global Settings > Application Settings > Secret Management.

    Add new service

  2. Select Add.

  3. Provide the following information:

    • General

      1. Provider: The key vault or secret manager you are connecting to. Select HashiCorp Vault.

      2. Name: A unique name for this service.

      3. Json enabled (Recommended): Select this option to allow ONE to work with values nested in JSON objects in HashiCorp.

      4. URL: The complete URL of the HashiCorp Vault.

      5. Namespace: The name of your namespace in HashiCorp. This can be seen in the HashiCorp URL after you select your vault from the list of vaults in Secrets Engine.

    • Authentication method: Select from the options provided.

    • Google Service Account Key credential

      1. Role: The name of the role configured in the HashiCorp Vault. If you do not know this, obtain it using the API according to the official HashiCorp documentation.

      2. Service key: Upload your service key. This is a JSON file obtained via Service Accounts in the Google Cloud Console.

    • Google Compute Engine credential

      This option can only be used when Ataccama DPEs are deployed on Google servers. .. Role: The name of the role configured in the HashiCorp Vault. If you do not know this, obtain it using the API according to the official HashiCorp documentation.

    • Hashicorp JWT credentials

      1. Role: The name of the role configured in the HashiCorp Vault. If you do not know this, obtain it using the API according to the official HashiCorp documentation.

      2. JWT: Signed JWT Token. There are some steps required in HashiCorp to obtain this. Multiple methods are available. For a step-by-step guide of one available method, static keys, see the HashiCorp article Vault JWT auth with static keys.

        These steps will require admin access to the vault UI or CLI.

  4. Select Test to test the connection. If the connection is successful, select Save. Otherwise, verify that your configuration is correct.

Usage examples

Example using username and password

  1. In Data Catalog > Sources > [your source] > Add Connection, select Add Credentials.

  2. Select Credential type from the options provided:

    • Username and password:

      Configure credentials username and password

      1. Name: A unique name for this set of credentials.

      2. Description (Optional): A description for this service.

      3. Select a secret management service: Select the HashiCorp Vault you configured.

      4. Username:

        1. Select the Use secret management service option.

          You can enable Use secret management service to retrieve the username, but it is not necessary as usernames can generally be shared and entered manually.

        2. Username (secret name): Enter the name under which the username is stored in your key vault. The format depends on whether you selected Json enabled when configuring the HashiCorp Vault in Secret Management Services:

          • Json enabled is selected: Enter the secret path only.

            In the following example, Username (secret name) is example_path/secret_name.

          • Json enabled is not selected: Enter the secret path with the key appended using a colon.

            In the following example, Username (secret name) is example_path/secret_name:snowflake-username or example_path/secret_name:$.snowflake-username.

        3. Username Json path: The JSON path to the username in your HashiCorp Vault.

          This field is only relevant if you selected Json enabled when configuring the HashiCorp Vault in Secret Management Services.

          In the following example, Username Json path is $.snowflake-username.

          HashiCorp secret example

      5. Password:

        1. Select the Use secret management service option.

        2. Password (secret name): Enter the name under which the password is stored in your key vault. The format depends on whether Json enabled was selected when configuring the HashiCorp Vault in Secret Management Services:

          • Json enabled is selected: Enter the secret path only.

            In the following example, Password (secret name) is example_path/secret_name.

          • Json enabled is not selected: Enter the secret path with the key appended using a colon.

            In the following example, Password (secret name) is example_path/secret_name:snowflake-password or example_path/secret_name:$.snowflake-password.

        3. Password Json path: The JSON path to the password in your HashiCorp Vault.

          This field is only relevant if you selected Json enabled when configuring the HashiCorp Vault in Secret Management Services.

          In the following example, Password Json path is $.snowflake-password.

          HashiCorp secret example

  3. Select Test to test the connection. If the connection is successful, select Save. Otherwise, verify that your configuration is correct.

Was this page useful?