Managing secrets and vaults

Cloud Pak for Data includes an internal vault that you can use to store secrets. You can also connect to external vaults where you already store sensitive information as secrets.

You can use secrets in Cloud Pak for Data when you create connections to make sure that sensitive data, such as credentials, are secure and encrypted.

Overview of secrets and vaults

A secret contains sensitive data. You can use secrets to store various information, such as:
  • Usernames and passwords
  • SSL certificates
  • API keys
  • Authentication tokens
  • JDBC URLs

A vault is a secure place to store and manage secrets. Cloud Pak for Data includes an internal vault. If you have a supported enterprise-grade vault, you can also connect to external vaults.

Secrets offer several advantages over traditional plain-text entry:
  • The information in the secret is stored in a secure and encrypted environment that conforms to your organization's policies.
  • The services and connections that use the secret do not have direct access to the information in the secret.
  • The information in the secret is updated in one place. The change is automatically picked up by all services or connections that use the secret.

Services that support connections that use secrets from vaults

You can use secrets when you create connections to external data sources and to services.

The following services support connections that use secrets instead of plain-text credentials:

  • Analytics Engine powered by Apache Spark
  • Data Privacy
  • Data Product Hub
  • Data Refinery
  • Data Virtualization
  • DataStage
  • Db2 Big SQL
  • Decision Optimization
  • IBM Knowledge Catalog
  • IBM Match 360 with Watson
  • OpenPages (5.0.1 or later)
  • RStudio® Server Runtimes
  • SPSS Modeler
  • Watson Machine Learning Accelerator
  • Watson OpenScale
  • Watson Studio
  • Watson Studio Runtimes

Tools that support shared credentials in connections that use secrets from vaults

Most Cloud Pak for Data services require personal credentials if the credentials are stored in a secret. However, you can use shared credentials from a secret with the following services and tools:
  • Notebooks (Watson Studio).

    You can generate or write your own code to access connections to load data to a notebook.

For more information about using secrets in connections, see Using secrets from vaults in connections.

Internal vault

Cloud Pak for Data includes an internal vault by default. However, a cluster administrator or instance administrator can optionally disable the internal vault.

Data that is stored in this vault is encrypted. However, the internal vault is intended primarily for proof-of-concept demonstrations. In production environments, it is strongly recommended that you connect to an external vault.

What permissions do I need to add secrets to the internal vault?
You do not need any permissions to add secrets to the internal vault. All Cloud Pak for Data users can add secrets to the internal vault.

You can manage your secrets in the internal vault from the Administration > Configurations and settings > Vaults and secrets page. For more information, see Adding secrets to the internal vault.

Note: A user with the Manage vaults and secrets permission can perform the following tasks:
  • View the list of secrets (but not the content of the secrets) in the internal vault
  • Delete secrets from the internal vault

What can I store in the internal vault?
You can store the following types of data in a secret in the internal vault:
  • Username and password
  • Key
  • Token
  • SSL Certificate
  • Kerberos credentials
  • Custom secrets

Can I share my secrets with other users?
By default, you can share secrets with other users. However, a cluster administrator or an instance administrator can optionally disable secret sharing.

External vaults

You can integrate Cloud Pak for Data with the following types of external vaults:
  • CyberArk Application Access Manager (CyberArk AAM)
  • HashiCorp

After you integrate with an external vault, you can specify which secrets in the vault can be used in Cloud Pak for Data. Secrets are created and stored in the external vault. The contents of the secrets are not exposed in Cloud Pak for Data, and the secrets cannot be modified in Cloud Pak for Data. Secrets in an external vault can be managed only through the external vault interface.

Important: Cloud Pak for Data connections and services can retrieve secrets from the external vault only on behalf of an authorized user.

What permissions do I need to use secrets from an external vault?
To integrate Cloud Pak for Data with an external vault or add secrets from an external vault, you must have the Add vaults permission.
Note: A user with the Manage vaults and secrets permission can:
  • View the list of connected vaults
  • View the list of the secrets (but not the content of the secrets) in each vault
  • Remove external vaults
  • Remove secrets added from an external vault

What types of secrets can I use from an external vault?
The types of secrets that you can add from an external vault depend on the type of vault that you integrate with:
CyberArk AAM
  • Username and password
  • Key
  • Custom secret

For more information about CyberArk vaults, see the CyberArk documentation.

HashiCorp
  • Username and password
  • Key
  • Token
  • SSL certificate
  • Custom secret

Can I share my secrets with other users?
To share secrets with other users, you must have the Share secrets permission. However, a cluster administrator or an instance administrator can optionally disable secret sharing.

Bridges to external vaults

If you want to use another external vault, you can use the vault bridge SDK to create a vault bridge and integrate Cloud Pak for Data with that vault. The vault bridge SDK dynamically plugs into the platform with extensions that integrate with an external vault. Cloud Pak for Data users can then fetch credentials from the vault to access data in their data sources. The vault bridge SDK includes examples of bridging to the following external vaults:

  • AWS Secrets Manager
  • Microsoft Azure Key Vault
  • IBM Cloud Secrets Manager
[Figure: A typical workflow that explains the steps of using a vault bridge (steps 1 to 8, including 5a, 5y, and 5z, as listed below).]
  1. A Cloud Pak for Data service user logs in to the console and requests data processing on data in the data source.
  2. The Cloud Pak for Data service requests a secret identifier from the Platform connection.
  3. The Cloud Pak for Data service receives a secret identifier.
  4. Using the secret identifier, the Cloud Pak for Data service requests secret details from the Platform Core API.
  5. The Platform Core API validates user access, determines the vault bridge type by using the secret identifier, and routes the request to one of the following vault bridges:
     Embedded vault bridge
       5a. The bridge requests secret details directly from the vault.
     SDK-based vault bridge
       5y. The Platform Core API forwards the request to the vault bridge.
       5z. The vault bridge requests secret details from the vault.
  6. The Cloud Pak for Data service receives the secret details.
  7. Using the secret details and the connection information, the Cloud Pak for Data service requests data from the data source.
  8. The Cloud Pak for Data service receives the data and performs the requested operation on the retrieved data.

For more information, see the Vaults Bridge SDK at https://github.com/IBM/zen-secrets-vaults.
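The following Python model walks through the workflow above (steps 2 to 8) so that the security properties are visible in code: a connection holds only a secret identifier, the Platform Core API checks the user's authorization before any vault is contacted, the identifier decides whether the embedded or the SDK-based bridge serves the request, and the audit record never contains the secret value. This is an added example and is not the Cloud Pak for Data Platform Core API or the vault bridge SDK; every class, method, and identifier format (such as `internal:sales-db-creds`) is a hypothetical stand-in, and the vaults and the data source are constructed in memory.

```python
"""Illustrative model of the vault-bridge workflow (steps 1-8 above).
Added example: not the Cloud Pak for Data Platform Core API or the vault bridge
SDK. Every class, method and identifier format is a hypothetical stand-in; the
vaults and the data source are constructed in memory."""
from dataclasses import dataclass


class SecretAccessDenied(Exception):
    """The requesting user may not use this secret (or it does not exist)."""


@dataclass(frozen=True)
class SecretRef:
    """Per-identifier metadata (hypothetical): bridge, vault name, who may use it."""
    bridge_type: str
    vault_secret_name: str
    owner: str
    shared_with: frozenset = frozenset()

    def permits(self, user):
        return user == self.owner or user in self.shared_with


class EmbeddedVaultBridge:
    """Step 5a: the embedded bridge reads straight from the vault it wraps."""
    def __init__(self, vault):
        self._vault = vault  # constructed dict standing in for the internal vault

    def get_secret(self, name):
        return self._vault[name]


class SdkVaultBridge:
    """Steps 5y/5z: Core API forwards to the bridge; the bridge calls its vault."""
    def __init__(self, fetch):
        self._fetch = fetch  # constructed callable standing in for a vault client

    def get_secret(self, name):
        return self._fetch(name)


class PlatformCoreApi:
    """Step 5: validate the user, pick the bridge from the identifier, route."""
    def __init__(self, bridges, refs):
        self._bridges = bridges  # bridge_type -> bridge instance
        self._refs = refs        # secret identifier -> SecretRef
        self.audit = []          # (user, secret_id, outcome); never the secret value

    def get_secret_details(self, user, secret_id):
        ref = self._refs.get(secret_id)
        # Authorization runs before any vault call; an unknown identifier is
        # reported exactly like a denied one so callers cannot probe for names.
        if ref is None or not ref.permits(user):
            self.audit.append((user, secret_id, "denied"))
            raise SecretAccessDenied(secret_id)
        bridge = self._bridges[ref.bridge_type]  # KeyError if no such bridge
        details = bridge.get_secret(ref.vault_secret_name)
        self.audit.append((user, secret_id, "served via " + ref.bridge_type))
        return details


class FakeDataSource:
    """Constructed data source that accepts exactly one username/password pair."""
    def __init__(self, username, password, rows):
        self._expected, self._rows = (username, password), rows

    def query(self, creds):
        if (creds["username"], creds["password"]) != self._expected:
            raise PermissionError("data source rejected credentials")
        return list(self._rows)


class DataService:
    """A service as the workflow sees it: its connection holds only a secret
    identifier (steps 2-3), never the credentials themselves."""
    def __init__(self, core, connections):
        self._core, self._connections = core, connections

    def run(self, user, connection, source):
        secret_id = self._connections[connection]               # steps 2-3
        creds = self._core.get_secret_details(user, secret_id)  # steps 4-6
        return source.query(creds)                              # steps 7-8


def run_demo():
    """Wire both bridge kinds and exercise the flow for three users."""
    internal_vault = {"sales-db-creds": {"username": "dbuser", "password": "s3cret"}}
    external_vault = {"warehouse": {"username": "wh", "password": "pw"}}
    core = PlatformCoreApi(
        bridges={"embedded": EmbeddedVaultBridge(internal_vault),
                 "sdk": SdkVaultBridge(external_vault.__getitem__)},
        refs={"internal:sales-db-creds": SecretRef("embedded", "sales-db-creds",
                                                   "alice", frozenset({"bob"})),
              "hashicorp:warehouse": SecretRef("sdk", "warehouse", "alice")})
    service = DataService(core, {"sales-db": "internal:sales-db-creds",
                                 "warehouse": "hashicorp:warehouse"})
    sales = FakeDataSource("dbuser", "s3cret", [{"id": 1}, {"id": 2}])
    warehouse = FakeDataSource("wh", "pw", [{"region": "EU"}])
    results = {"alice_sales": service.run("alice", "sales-db", sales),
               "bob_sales": service.run("bob", "sales-db", sales),        # shared with bob
               "alice_wh": service.run("alice", "warehouse", warehouse)}  # SDK bridge path
    try:
        service.run("carol", "sales-db", sales)  # neither owner nor shared with
    except SecretAccessDenied:
        results["carol_sales"] = "denied"
    results["audit"] = list(core.audit)
    return results
```

Running `run_demo()` returns the rows for alice (owner), bob (the secret is shared with him), and alice's warehouse query through the SDK-based bridge, while carol's request is refused before any bridge is called and shows up in the audit list as a denial. The point to carry over to a real deployment is the ordering inside `get_secret_details`: the user check happens first, the bridge is chosen from the identifier second, and the vault is contacted last, which is what makes the "only on behalf of an authorized user" guarantee above hold.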