Fabric also supports integration with Secrets Management services as they provide several benefits while secrets are not stored in Fabric itself, only their reference IDs are.
In order to integrate any one of Fabric’s currently supported Secrets Management services, you should configure the config.ini file with the properties of the selected Secrets Management service, along with the access and permission details.
Ready to be selected, each supported Secrets Management service has its own dedicated section in the config.ini file, containing all required access and permission details.
In addition to populating these details, you must also activate that selected Secrets Management service by setting the 'ENABLED' property to 'true' in the relevant service section in the config.ini file.
The following are the required config.ini file properties for each Secrets Management service provider:
Section name: [encryption_aws_sm]
Properties:
Authentication process can be done by setting these properties:
ACCESS_KEY_ID
SECRET_ACCESS_KEY
The authentication can also be done by the service account, which the server is associated with. This is an alternative to using an Access ID and an Access Key.
Section name: [encryption_hashicorp_sm]
Properties:
Optional Properties:
Authentication is done by either tokens that can be used directly or using one of HashiCorp's other auth methods, in which case the token is dynamically generated.
Fabric supports 2 authentication methods:
Directly - where AUTH_TOKEN property should be set.
When using this method, Fabric accesses the Vault URL with the token as auth credentials to get the secret.
AppRole - which is based on the role that Fabric is associated to in the Vault.
When using the AppRole method, Fabric first accesses the Approle URL to dynamically get a token, and then uses that token as auth credentials for the purpose of getting the secret. For this method, you should specify the following properties:
Section name: [encryption_azure_sm]
Properties:
Optional Properties:
Authentication, Fabric supports one of the following authentication methods for Azure Key Vault and accordingly you shall set their properties:
Section name: [encryption_cyberark_sm]
Properties:
Optional Properties:
Authentication is done by using either an API key or user and password, and accordingly the following parameters have to be set:
Section name: [encryption_gcp_sm]
Properties:
Optional Properties:
Authentication is done by a credentials file:
Section name: [encryption_safeguard_sm]
Properties:
Optional Properties:
TIMEOUT - default is 10000 ms.
Authentication is done by certifications and keys that should be applied.
You can use several Secrets Management services on the same Fabric by setting and activating them in the config.ini file.
There may be various systems that provide Secrets Management services for your organization, where data resource credentials are set across different providers. In such cases, Fabric is required to access each one of them to obtain the secrets.
To use it:
Note that in the Interface Editor you can specify, per secret, which Secrets Management service to use. If you do not specify it, then Fabric will try find the secrets in each of the activated services (according to their appearance in the config.ini file).
Different Secrets Management Service instances may be used in your organization. For example, a TDM production DB resource secrets are managed at the production's secrets manager service, while the DB target resource secrets are managed by another secrets manager service instance, even though they are on same provider.
To use it:
[encryption_{my_name}_sm]
. For example, name the section for production secret manager instance as[encryption_prod_sm]
and [encryption_qa_sm]
for the QA secret manager instance.TYPE
property to that section with the name of the service provider. You can find the type by looking for the default section name, as list above. For example, the section name for AWS Secret Manager is [encryption_aws_sm]
and accordingly its type is aws
. (Note: for the default sections it is not required, that is - no need to specify its type).You can add as many sections as needed, also several instances among several providers. Later on, in the Interface Editor you shall refer and specify, per secret, which secret manager provider's instance to use.
Fabric also supports integration with Secrets Management services as they provide several benefits while secrets are not stored in Fabric itself, only their reference IDs are.
In order to integrate any one of Fabric’s currently supported Secrets Management services, you should configure the config.ini file with the properties of the selected Secrets Management service, along with the access and permission details.
Ready to be selected, each supported Secrets Management service has its own dedicated section in the config.ini file, containing all required access and permission details.
In addition to populating these details, you must also activate that selected Secrets Management service by setting the 'ENABLED' property to 'true' in the relevant service section in the config.ini file.
The following are the required config.ini file properties for each Secrets Management service provider:
Section name: [encryption_aws_sm]
Properties:
Authentication process can be done by setting these properties:
ACCESS_KEY_ID
SECRET_ACCESS_KEY
The authentication can also be done by the service account, which the server is associated with. This is an alternative to using an Access ID and an Access Key.
Section name: [encryption_hashicorp_sm]
Properties:
Optional Properties:
Authentication is done by either tokens that can be used directly or using one of HashiCorp's other auth methods, in which case the token is dynamically generated.
Fabric supports 2 authentication methods:
Directly - where AUTH_TOKEN property should be set.
When using this method, Fabric accesses the Vault URL with the token as auth credentials to get the secret.
AppRole - which is based on the role that Fabric is associated to in the Vault.
When using the AppRole method, Fabric first accesses the Approle URL to dynamically get a token, and then uses that token as auth credentials for the purpose of getting the secret. For this method, you should specify the following properties:
Section name: [encryption_azure_sm]
Properties:
Optional Properties:
Authentication, Fabric supports one of the following authentication methods for Azure Key Vault and accordingly you shall set their properties:
Section name: [encryption_cyberark_sm]
Properties:
Optional Properties:
Authentication is done by using either an API key or user and password, and accordingly the following parameters have to be set:
Section name: [encryption_gcp_sm]
Properties:
Optional Properties:
Authentication is done by a credentials file:
Section name: [encryption_safeguard_sm]
Properties:
Optional Properties:
TIMEOUT - default is 10000 ms.
Authentication is done by certifications and keys that should be applied.
You can use several Secrets Management services on the same Fabric by setting and activating them in the config.ini file.
There may be various systems that provide Secrets Management services for your organization, where data resource credentials are set across different providers. In such cases, Fabric is required to access each one of them to obtain the secrets.
To use it:
Note that in the Interface Editor you can specify, per secret, which Secrets Management service to use. If you do not specify it, then Fabric will try find the secrets in each of the activated services (according to their appearance in the config.ini file).
Different Secrets Management Service instances may be used in your organization. For example, a TDM production DB resource secrets are managed at the production's secrets manager service, while the DB target resource secrets are managed by another secrets manager service instance, even though they are on same provider.
To use it:
[encryption_{my_name}_sm]
. For example, name the section for production secret manager instance as[encryption_prod_sm]
and [encryption_qa_sm]
for the QA secret manager instance.TYPE
property to that section with the name of the service provider. You can find the type by looking for the default section name, as list above. For example, the section name for AWS Secret Manager is [encryption_aws_sm]
and accordingly its type is aws
. (Note: for the default sections it is not required, that is - no need to specify its type).You can add as many sections as needed, also several instances among several providers. Later on, in the Interface Editor you shall refer and specify, per secret, which secret manager provider's instance to use.