Integration with AWS Secrets Manager for Data Source Authentication Using OCF Connector

Alation Cloud Service: Applies to Alation Cloud Service instances of Alation

Customer Managed: Applies to customer-managed instances of Alation

Applies from version 2023.1.5

Alation supports integration with AWS Secrets Manager. Using AWS Secrets Manager allows you to consolidate your credentials in a single, secure location, preventing “credential sprawl” and enabling your organization to comply with IT security policies. You can store secrets such as database passwords and usernames, Kerberos authentication information, JDBC URI keys, and more. Alation will read credentials from Secrets Manager when a Data Source Admin launches metadata extraction (MDE), query log ingestion (QLI), and profiling.

You can store secrets in AWS Secrets Manager in several ways: as plain text or as key-value pairs in JSON format. You can also store certificates in binary form, but not through the AWS Secrets Manager web interface; binary secrets can only be created using the AWS command-line interface. For complete details, see Create an AWS Secrets Manager secret in AWS documentation.

To integrate with AWS Secrets Manager, Alation offers three configuration methods based on AWS IAM role or user setups. All options require access to the AWS IAM management console and permissions to configure IAM roles and users.

In Alation, you need the Server Admin role to complete the setup.

Select an approach that suits your use case the best:

  • Configure a Role to Assume on Behalf of Alation’s Instance Profile—You configure an IAM role to assume on behalf of the role attached to Alation’s Amazon EC2 instance or container. The role is provided to Alation through an authentication profile. No access keys or secret access keys are stored on the Alation server. The role to be assumed and the Alation instance can be under different AWS accounts.

  • Configure a Role to Assume on Behalf of a User—You configure a role to assume on behalf of an IAM user. The user’s information is provided through an authentication profile created in Alation. The user’s access key and secret access key are stored in an encrypted format on the Alation server as part of the authentication profile details.

    Note

    In both options involving an IAM role, the role to be assumed is one that can read secrets from the AWS Secrets Manager.

  • Establish a User to Access Secrets Manager—You establish IAM user credentials (an access key and secret access key) that Alation uses to access AWS Secrets Manager directly. The user’s access key and secret access key are stored in an encrypted format on the Alation server as part of the authentication profile details.
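The following added example (illustrative code, not Alation's own integration) shows what each of the three access approaches above amounts to in terms of AWS API calls, and how a secret stored in any of the three forms described earlier (plain text, JSON key-value pairs, or binary) is read back into credential fields. The function names, parameter names and the policy helper are assumptions for illustration; the AWS calls themselves (`sts:AssumeRole`, `secretsmanager:GetSecretValue`) are real. Only the two assume-role approaches avoid a long-lived key being used directly against Secrets Manager, and in all three the role or user should be limited to reading the specific secrets Alation needs.

```python
"""Added example: reading a Secrets Manager secret for each of the three
Alation access approaches. Not Alation's code; names are assumptions."""
import base64
import json


def parse_secret_response(response):
    """Normalise a GetSecretValue response into a dict of credential fields.

    Handles the three storage forms the page describes:
    - JSON key-value SecretString  -> the stored dict
    - plain-text SecretString      -> {"value": <text>}
    - SecretBinary (e.g. a cert)   -> {"binary": <bytes>}
    """
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            parsed = json.loads(text)
        except ValueError:
            return {"value": text}
        # A plain-text secret such as "123" parses as JSON but is not a dict.
        return parsed if isinstance(parsed, dict) else {"value": text}
    if "SecretBinary" in response:
        blob = response["SecretBinary"]
        # boto3 hands SecretBinary back as bytes; a raw HTTP response carries base64 text.
        if isinstance(blob, str):
            blob = base64.b64decode(blob)
        return {"binary": blob}
    raise ValueError("response carries neither SecretString nor SecretBinary")


def secrets_client(approach, region, role_arn=None, access_key=None,
                   secret_key=None, session_name="alation-secrets-read"):
    """Build a Secrets Manager client for one of the three approaches.

    approach is one of (assumed names):
      "instance_profile_assume_role" - EC2/container role assumes role_arn
      "user_assume_role"             - IAM user keys assume role_arn
      "user_direct"                  - IAM user keys call Secrets Manager directly
    """
    import boto3  # imported lazily so the parser above runs without boto3 installed

    if approach == "instance_profile_assume_role":
        # No static keys on the host: the default credential chain supplies the
        # instance-profile role, which calls AssumeRole (works cross-account).
        sts = boto3.client("sts", region_name=region)
    elif approach == "user_assume_role":
        # The user's keys are used only to obtain short-lived role credentials.
        sts = boto3.client("sts", region_name=region,
                           aws_access_key_id=access_key,
                           aws_secret_access_key=secret_key)
    elif approach == "user_direct":
        return boto3.client("secretsmanager", region_name=region,
                            aws_access_key_id=access_key,
                            aws_secret_access_key=secret_key)
    else:
        raise ValueError(f"unknown approach: {approach}")
    creds = sts.assume_role(RoleArn=role_arn,
                            RoleSessionName=session_name)["Credentials"]
    return boto3.client("secretsmanager", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def read_secret(client, secret_id):
    """Fetch and normalise one secret; client may be any object with get_secret_value."""
    return parse_secret_response(client.get_secret_value(SecretId=secret_id))


def read_only_secret_policy(secret_arns):
    """Least-privilege permissions policy for the role or user Alation uses:
    read the named secrets only, nothing else in Secrets Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": list(secret_arns),
        }],
    }


def assume_role_trust_policy(principal_arn):
    """Trust policy for the assumed role: only the Alation instance-profile role
    (or IAM user) named by principal_arn may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


if __name__ == "__main__":
    # Constructed sample response, as boto3 would return it for a JSON secret.
    sample = {"SecretString": '{"username": "db_user", "password": "p@ss"}'}
    print(parse_secret_response(sample))
```

`parse_secret_response` and the two policy helpers run offline; `secrets_client` needs boto3 and valid AWS access. Pass the secret ARNs Alation actually uses to `read_only_secret_policy` rather than a wildcard, and attach `assume_role_trust_policy` to the assumed role so that only Alation's own principal can obtain its credentials.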