Managing secrets and vaults
Cloud Pak for Data includes an internal vault that you can use to store secrets. You can also connect to external vaults where you already store sensitive information as secrets, and then use those secrets in Cloud Pak for Data. For example, you can reference a secret when you create a connection so that the connection's credentials stay encrypted in the vault instead of being stored in plain text.
- Overview of secrets and vaults
- Services that support connections that use secrets from vaults
- Permissions for working with secrets and vaults
- Internal vault
- External vaults
Overview of secrets and vaults
A secret holds a sensitive value that you want to store securely, such as:
- Usernames and passwords
- SSL certificates
- API keys
- Authentication tokens
By default, Cloud Pak for Data includes an internal vault that you can use to store secrets. The vault is only accessible through the Credentials and Secrets API unless a Red Hat® OpenShift® project (namespace) administrator enables the vaults interface in the web client. For more information, see Enabling vaults for the Cloud Pak for Data web client.
After the administrator enables the vaults interface in the web client, you can also connect to external vaults. When you connect to an external vault, you can specify the secrets that you want to use in Cloud Pak for Data. Secrets are not directly managed through Cloud Pak for Data services; secrets are stored in the external vault and are managed through the external vault interface. When a user has the appropriate authorization or permission, Cloud Pak for Data connections or services can retrieve secrets from the external vault by using the external vault’s Credentials and Secrets API.
Storing sensitive information as secrets, rather than entering it directly in connections or services, has the following benefits:
- The information in the secret is stored in a secure and encrypted environment that conforms to your organization's policies.
- The services and connections that use the secret do not have direct access to the information in the secret.
- The information in the secret can be updated once, and the change is automatically picked up by all services or connections that use the secret.
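The indirection that the list above describes can be shown in code. The following Python example is added here and is not IBM code: a connection definition carries only a reference to a secret (vault name plus secret name), the credential value lives in a vault and is fetched at use time after an authorization check, and rotating the value once in the vault changes what every connection that references it sees. The `Vault` class, the `vault://` reference syntax, and the user names are all constructed for this example and stand in for the real Credentials and Secrets API; `plaintext_credential_fields` is a simple check that a connection document does not carry inline credential values.

```python
"""Secret references in connection definitions (added example, not IBM code)."""
import json
import re
from dataclasses import dataclass


class Vault:
    """Constructed in-memory stand-in for a vault: secret name -> (payload, allowed users)."""

    def __init__(self, name):
        self.name = name
        self._secrets = {}

    def put(self, secret_name, payload, shared_with):
        # Storing again under the same name is a rotation: the old value is replaced.
        self._secrets[secret_name] = (dict(payload), set(shared_with))

    def get(self, secret_name, user):
        payload, allowed = self._secrets[secret_name]
        if user not in allowed:
            raise PermissionError(f"{user} may not read {self.name}/{secret_name}")
        return dict(payload)


@dataclass
class SecretRef:
    vault: str
    secret: str

    def uri(self):
        # Hypothetical reference syntax; only the reference is ever serialized.
        return f"vault://{self.vault}/{self.secret}"


@dataclass
class Connection:
    name: str
    host: str
    credentials: SecretRef

    def to_json(self):
        return json.dumps({"name": self.name, "host": self.host,
                           "credentials": self.credentials.uri()})


VAULTS = {}  # vault name -> Vault


def resolve_credentials(conn, user):
    """Fetch the credential payload at use time, on behalf of a specific user."""
    ref = conn.credentials
    return VAULTS[ref.vault].get(ref.secret, user)


PLAINTEXT_KEYS = re.compile(r"^(password|passwd|pwd|api[_-]?key|token|secret)$", re.I)


def plaintext_credential_fields(doc):
    """Return keys of a connection document that hold inline (non-reference) credentials."""
    return [k for k, v in doc.items()
            if PLAINTEXT_KEYS.match(k) and isinstance(v, str) and not v.startswith("vault://")]


def demo():
    internal = Vault("internal")
    VAULTS["internal"] = internal
    internal.put("db2-prod", {"username": "svc_db2", "password": "initial-pw"},
                 shared_with={"alice", "bob"})
    ref = SecretRef("internal", "db2-prod")
    conns = [Connection("db2-sales", "db2-a.example.internal", ref),
             Connection("db2-hr", "db2-b.example.internal", ref)]
    # Neither serialized connection carries the password itself.
    leaks = [plaintext_credential_fields(json.loads(c.to_json())) for c in conns]
    # Rotate once in the vault; both connections observe the new value.
    internal.put("db2-prod", {"username": "svc_db2", "password": "rotated-pw"},
                 shared_with={"alice", "bob"})
    seen = {resolve_credentials(c, "alice")["password"] for c in conns}
    try:
        resolve_credentials(conns[0], "mallory")
        denied = False
    except PermissionError:
        denied = True
    return {"leaks": leaks, "passwords_seen": seen, "unauthorized_denied": denied}


if __name__ == "__main__":
    print(demo())
```

The authorization check sits in the vault, not in the connection, which is what lets the same connection definition be shared safely: a user who is not on the secret's share list can see that the connection exists but cannot obtain its credentials through it.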
Services that support connections that use secrets from vaults
When you create a platform connection, you can use secrets to specify the required credentials for the connection. The following services support connections that use secrets instead of plain-text credentials:
- Analytics Engine Powered by Apache Spark (4.5.2 or later)
- Data Privacy (4.5.2 or later)
- Data Refinery
- Data Virtualization
- Db2® Data Management Console (4.5.1 or later)
- Db2
- Db2 Warehouse
- Decision Optimization
- Execution Engine for Apache Hadoop
- IBM® Match 360 with Watson™ (4.5.2 or later)
- Informix® (4.5.2 or later)
- OpenPages®
- RStudio® Server with R 3.6 (4.5.2 or later)
- SPSS® Modeler
- Watson Machine Learning Accelerator (4.5.3 or later)
- Watson Studio (4.5.2 or later)
- Watson Knowledge Catalog
- Watson Studio Runtimes
Permissions for working with secrets and vaults
The following permissions control what a user can do with vaults and secrets:
- Add vault
- Manage secrets and vaults
- Share secrets
For more information, see Predefined roles and permissions in Cloud Pak for Data.
External vaults
- CyberArk Application Access Manager (CyberArk AAM): When you integrate with CyberArk vaults, you can add secrets to store username and password credentials and keys. For more information about CyberArk vaults, see the CyberArk documentation.
- HashiCorp: When you integrate with HashiCorp vaults, key value secrets are created. To store secrets in the required formats (such as credentials, keys, tokens, SSL certificates, and custom), specific fields must be added when secrets are stored. For more information about HashiCorp vaults, see the HashiCorp Vault documentation.
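Because a HashiCorp key value secret is just a set of fields, the practical risk is writing a secret that lacks the fields a given secret type needs, which only surfaces later when a connection tries to use it. The following Python example is added here and is not IBM or HashiCorp code: it validates a field set against a required-field table before building the KV v2 write request. The field names in `REQUIRED_FIELDS` are assumed for illustration and are not the product's documented field names; the request shape (`POST /v1/<mount>/data/<path>` with a `{"data": {...}}` body, and the `data.data` / `data.metadata.version` layout of a read response) is the documented Vault KV v2 HTTP API. No request is sent; the function returns the request it would make so it can be inspected offline.

```python
"""Shaping a HashiCorp Vault KV v2 secret for a given secret type (added example)."""
import json
import os

# ASSUMED required fields per secret type, for illustration only; the actual
# names Cloud Pak for Data expects are defined in its documentation, not here.
REQUIRED_FIELDS = {
    "credentials": {"username", "password"},
    "key": {"key"},
    "token": {"token"},
    "certificate": {"certificate"},
    "custom": set(),  # any fields, but at least one
}


class SecretFormatError(ValueError):
    """Raised when a field set does not match the secret type's format."""


def validate_secret(secret_type, fields):
    """Check that `fields` carries what `secret_type` requires and no empty values."""
    if secret_type not in REQUIRED_FIELDS:
        raise SecretFormatError(f"unknown secret type {secret_type!r}")
    if not fields:
        raise SecretFormatError(f"{secret_type} secret must contain at least one field")
    missing = REQUIRED_FIELDS[secret_type] - set(fields)
    if missing:
        raise SecretFormatError(f"{secret_type} secret missing field(s): {sorted(missing)}")
    empty = [k for k, v in fields.items() if not str(v).strip()]
    if empty:
        raise SecretFormatError(f"empty value(s) for: {sorted(empty)}")
    return True


def kv2_write_request(vault_addr, mount, path, secret_type, fields):
    """Build (but do not send) the KV v2 write request for a validated secret.

    Equivalent CLI: vault kv put <mount>/<path> key1=value1 key2=value2
    """
    validate_secret(secret_type, fields)
    return {
        "method": "POST",
        "url": f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}",
        "headers": {
            # Token comes from the environment, never from the request builder's arguments.
            "X-Vault-Token": os.environ.get("VAULT_TOKEN", "<VAULT_TOKEN not set>"),
            "Content-Type": "application/json",
        },
        "body": json.dumps({"data": dict(fields)}),
    }


def kv2_read_fields(response_json):
    """Return (fields, version) from a KV v2 read response; KV v2 nests data under data.data."""
    data = response_json["data"]
    return data["data"], data["metadata"]["version"]


if __name__ == "__main__":
    req = kv2_write_request("https://vault.example.internal:8200", "secret",
                            "cpd/db2-prod", "credentials",
                            {"username": "svc_db2", "password": "example-only"})
    print(req["method"], req["url"])
```

Validating before the write matters more than it looks: KV v2 is versioned, so a malformed write still creates a new version that becomes the current one, and every connection referencing the secret picks it up at once.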
Internal vault
The Cloud Pak for Data platform includes an internal vault that you can use to store, retrieve, and manage your credentials, tokens, or certificates. Data that is stored in this vault is encrypted. You can use the internal vault to store secrets in one place and reference those secrets in many places, and you can share and reuse the secrets. This vault can be a substitute for external vaults. When you use the internal vault, you configure the vault secrets and store the contents of the secrets, such as credentials, in the vault itself.
By default, the internal vault is available only through the Credentials and Secrets API after Cloud Pak for Data is installed. For more information, see Managing secrets with the Credentials and Secrets API. You can enable vaults in the Cloud Pak for Data web client after Cloud Pak for Data is installed. You can disable the internal vault for the Cloud Pak for Data web client at any time. You can add secrets to the internal vault to store username and password credentials and keys, and you can create custom secrets.
When the internal vault is enabled and a user has no vault-related permissions, the user can still add secrets to the internal vault and use or reference those secrets on the platform. The vaults and secrets page is intended for all platform users. Users can review the vaults and secrets page to determine the vaults and secrets to which they have access.