Configure Secrets for OCF Connector Settings

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

Customer Managed Applies to customer-managed instances of Alation

On the General Settings tab of an OCF connector Settings page, you can configure your connection to use secrets stored in either AWS Secrets Manager or Azure Key Vault. In what follows, we use “vault” to mean either AWS Secrets Manager or Azure Key Vault. By default, connection information such as JDBC URI and service account user names and passwords are entered on this page and stored in the Alation database. However, if you have created one or more Authentication Configuration Methods for External Systems for AWS Secrets Manager or Azure Key Vault, the General Settings page will offer the option of pulling such information from the appropriate vault. In this case, most options under Application Settings or Connector Settings will show the following icons to the right of the option:


By default, the database icon is selected, as shown. To pull the setting from a vault, click the vault icon.

When using AWS Secrets Manager, you can pull secrets in plain-text format, as JSON Key/Value pairs, or as a certificate in binary form, as described in more detail in Integration with AWS Secrets Manager for OCF Data Source Authentication.

When using Azure Key Vault, only a plain-text secret name is supported, as described in Integration with Azure Key Vault for OCF Data Source Authentication.


  • When using AWS Secrets Manager with IAM Roles, the role to be assumed and the Alation instance must be within the same AWS account. Cross-account setups are supported only for on-prem Alation deployments.

  • When using Azure Key Vault, JSON Key/Value pairs and binary certificates are not supported. Only plain-text secret names may be used.