Temporary credentials authentication
You may specify secret credentials for the AWS, Azure, and GCP clouds. This product handles these secret credentials carefully and does not share them with bridges. Instead, it uses them to authenticate with the cloud, obtain temporary credentials from it, and provide those temporary credentials to bridges.
This authentication method is appropriate when you would like to:
- specify credentials once and use them in many bridges automatically
- avoid exposing secret credentials to bridges
- have multiple layers of security
There are scenarios when you use multiple independent environments in the same cloud and would like to register their secret credentials for the cloud.
You may specify multiple secret credentials for a cloud and select one of them per bridge (Import Setup).
Another option for handling multiple independent environments in the same cloud is to register one secret credential for the cloud and specify the secret credential for another environment in its bridges directly.
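The pattern described above, as an added example that is not the product's own code: a broker keeps each cloud identity's secret, exchanges it for a short-lived token, and hands the bridge only that token, selected by identity name. It assumes the Azure OAuth2 client-credentials grant; `CredentialBroker`, `fake_token_endpoint` and all sample values are hypothetical and constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Azure AD v2.0 token endpoint used by the client-credentials grant.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

@dataclass(frozen=True)
class CloudIdentity:            # long-lived secret; never leaves the broker
    name: str
    tenant_id: str
    client_id: str
    client_secret: str

@dataclass(frozen=True)
class TemporaryCredential:      # the only object a bridge receives
    access_token: str
    expires_at: float

    def is_valid(self, now: float) -> bool:
        return now < self.expires_at

class CredentialBroker:         # hypothetical name, for illustration only
    def __init__(self, post: Callable[[str, Dict[str, str]], dict], clock=time.time):
        self._identities: Dict[str, CloudIdentity] = {}
        self._post, self._clock = post, clock

    def register(self, identity: CloudIdentity) -> None:
        self._identities[identity.name] = identity

    def credentials_for_bridge(self, identity_name: str, scope: str) -> TemporaryCredential:
        ident = self._identities[identity_name]  # KeyError for an unregistered identity
        form = {"grant_type": "client_credentials", "client_id": ident.client_id,
                "client_secret": ident.client_secret, "scope": scope}
        reply = self._post(TOKEN_URL.format(tenant=ident.tenant_id), form)
        if "access_token" not in reply:
            raise PermissionError(reply.get("error", "token request failed"))
        return TemporaryCredential(reply["access_token"],
                                   self._clock() + int(reply["expires_in"]))

def fake_token_endpoint(url: str, form: Dict[str, str]) -> dict:
    # Constructed stand-in for the cloud's token service so the example runs offline.
    if form["client_secret"] != "constructed-secret":
        return {"error": "invalid_client"}
    return {"token_type": "Bearer", "expires_in": 3600,
            "access_token": "constructed-temp-token"}
```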
Steps
- If not already done, configure a cloud identity.
- Go to MANAGE > Configuration and create a new model or set up an existing one that will use a secret associated with the cloud identity.
- Specify the Cloud Identity and the appropriate URL/Code in the Import Setup tab for the model, then import.
Example
Sign in as Administrator and go to MANAGE > Cloud Identities in the banner.
Click + Add. Enter “Sales Azure East US” in the NAME field.
Enter the proper credentials:
- DIRECTORY (TENANT) ID from Azure
- APPLICATION (CLIENT) ID from Azure
- APPLICATION (CLIENT) SECRET from Azure
Click TEST.
Typically, each cloud provider (Azure, Amazon, Google) has a number of services that bridges may need to access with the same credentials. For example, in this case Azure has the data lake storage service, analysis services, and the Databricks service. When you click TEST, the product tries these credentials against those three supported services. If all services are accessible, the result is “Connection successful”. If some services are accessible but others are not, the result is “Connection is partially successful”. The system log contains the result for each service that was tested.
Click CREATE.
Be sure to work with your experts for the specified cloud identity to obtain both the connection credentials required on this page and the actual URL or ID of the secret you will use for import.
Now, go to MANAGE > Configuration and the Import Setup tab.
Pick Sales Azure East US as the CLOUD IDENTITY.
Leave the Access key, SAS token, or MSI Tenant-ID/Client ID bridge parameter empty and continue with the import.