You can configure your organization to retrieve sensitive connection credentials from an external secrets manager instead of storing the credentials in the Informatica Intelligent Cloud Services repository. A secrets manager is also called a secret vault or a key vault.
Using a secrets manager offers the following benefits:
•You retain complete control of your sensitive connection credentials like passwords, OAuth tokens, and API shared secrets.
•You can manage secrets across multiple environments instead of on a per-application basis.
•You can rotate secrets on your schedule without affecting your connections, mappings, or tasks in Informatica Intelligent Cloud Services.
When you enable your organization to use a secrets manager, your Secure Agents can dynamically access sensitive connection credentials from the secrets manager. You can configure one secrets manager for each organization or sub-organization.
You can use one of the following secrets managers:
•AWS Secrets Manager
•Azure Key Vault
•HashiCorp Vault (HCP cloud-hosted)
If you use AWS Secrets Manager, the Secure Agent can access it using role-based, instance profile, or access key authentication.
Configure your organization or sub-organization to use a secrets manager on the Security tab of the Settings page, as shown in the following image:
To configure your organization to use a secrets manager, you must have the Admin role or the SMS Manage Connection and SMS View Connection feature privileges as well as sufficient privileges to access the Administrator service. The organization must also be configured to store connection credentials on the cloud.
Note: You can't use a secrets manager if your organization uses serverless runtime environments or stores connection credentials on a local Secure Agent.
After you configure your organization to use a secrets manager, you can configure your connections to retrieve credentials from the secrets manager.
