Credentials

A credential is an authentication object for a resource or repository that is external to the database. It consists of the credentials used to authenticate to that external system, with the goal of providing an authentication token to any database object that may need to connect to that system.

A credential name must adhere to the standard naming criteria. Each credential exists within a schema and follows the standard name resolution rules for tables.

The following can make use of credentials:

Any user can create a credential for their own use.

The following services are supported:
  • Azure
  • Google Cloud
  • HDFS
  • JDBC
  • Kafka
    • Apache Cluster
    • Confluent Cluster
  • Remote Repositories
    • Docker
    • Nvidia
    • OpenAI
  • S3

Managing Credentials

A credential can be managed using the following API endpoint calls. For managing credentials in SQL, see CREATE CREDENTIAL.

API Call                        Description
/create/credential              Creates a credential, given authentication and connection information
/alter/credential               Modifies the properties of a credential
/drop/credential                Removes the credential reference from the database
/show/credential                Outputs the credential’s properties
/grant/permission/credential    Grants the permission for a user to use or manage a credential or all credentials
/revoke/permission/credential   Revokes the permission for a user to use or manage a credential or all credentials

Creating a Credential

To create a credential, auser_azure_active_dir_creds, that connects to Azure Active Directory:
CREATE CREDENTIAL auser_azure_active_dir_creds
TYPE = 'azure_ad',
IDENTITY = 'atypicaluser',
SECRET = 'Passw0rd!'

To create a credential, kafka_cred, that connects to Kafka via SSL:
CREATE CREDENTIAL kafka_cred
TYPE = 'kafka'
WITH OPTIONS
(
    'security.protocol' = 'SSL',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt',
    'ssl.certificate.location' = 'kifs://ssl/client.pem',
    'ssl.key.location' = 'kifs://ssl/client.key',
    'ssl.key.password' = 'Passw0rd!'
)

Provider-Specific Syntax

Several authentication schemes across multiple providers are supported.

Azure BLOB

kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'azure_storage_key',
    identity = '<azure storage account name>',
    secret = '<azure storage account key>',
    options = {}
)

GCS

kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'gcs_service_account_id',
    identity = '<gcs account id>',
    secret = '<gcs account private key>',
    options = {}
)

HDFS

kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'hdfs',
    identity = '<hdfs username>',
    secret = '<hdfs password>',
    options = {}
)

JDBC

Password
kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'jdbc',
    identity = '<jdbc username>',
    secret = '<jdbc password>',
    options = {}
)

Kafka (Apache)

kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'kafka',
    identity = '',
    secret = '',
    options = {
        'security.protocol': 'SSL',
        'ssl.ca.location': 'kifs://<client ca certificates path>'
    }
)

Kafka (Confluent)

kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'confluent',
    identity = '',
    secret = '',
    options = {
        'security.protocol': 'SSL',
        'ssl.ca.location': 'kifs://<client ca certificates path>'
    }
)

Remote Repository

kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'docker',
    identity = '<docker username>',
    secret = '<docker password>'
)

S3 (Amazon)

kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'aws_access_key',
    identity = '<aws access key id>',
    secret = '<aws secret access key>'
)
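
An added example, not part of the original page or of the Kinetica API: one way to keep secrets out of scripts and shell history is to build the create_credential arguments from environment variables and write only a redacted copy to logs. The helper names and the `<NAME>_IDENTITY`, `<NAME>_SECRET` and `<NAME>_SSL_KEY_PASSWORD` variable names are assumptions; the credential types and option keys are the ones shown on this page.

```python
import os

# Credential types shown on this page. The Kafka-style types carry their
# settings in `options` and leave identity/secret empty, as in its examples.
SECRET_TYPES = {"azure_ad", "azure_storage_key", "gcs_service_account_id",
                "hdfs", "jdbc", "docker", "aws_access_key"}
OPTION_TYPES = {"kafka", "confluent"}
# Option keys whose values are secrets (from the Kafka SSL example).
SENSITIVE_OPTIONS = {"ssl.key.password"}


def build_credential_args(name, cred_type, env=os.environ, options=None):
    """Return kwargs for create_credential, reading secrets from `env`.
    Variable names (assumed): <NAME>_IDENTITY, <NAME>_SECRET and
    <NAME>_SSL_KEY_PASSWORD, <NAME> being the upper-cased credential name."""
    prefix = name.rsplit(".", 1)[-1].upper()   # drop an optional schema name
    opts = dict(options or {})
    if cred_type in SECRET_TYPES:
        identity = env.get(prefix + "_IDENTITY", "")
        secret = env.get(prefix + "_SECRET", "")
        if not identity or not secret:
            raise ValueError(f"{prefix}_IDENTITY and {prefix}_SECRET must be set")
    elif cred_type in OPTION_TYPES:
        identity = secret = ""
        key_password = env.get(prefix + "_SSL_KEY_PASSWORD")
        if key_password:
            opts["ssl.key.password"] = key_password
    else:
        raise ValueError(f"unsupported credential type: {cred_type!r}")
    return {"credential_name": name, "type": cred_type,
            "identity": identity, "secret": secret, "options": opts}


def redact(args):
    """Copy of the kwargs that is safe to write to a log or ticket."""
    safe = dict(args, secret="***" if args["secret"] else "")
    safe["options"] = {k: ("***" if k in SENSITIVE_OPTIONS else v)
                       for k, v in args["options"].items()}
    return safe


if __name__ == "__main__":
    sample_env = {"KAFKA_CRED_SSL_KEY_PASSWORD": "constructed-sample"}  # constructed
    args = build_credential_args("kafka_cred", "kafka", env=sample_env,
                                 options={"security.protocol": "SSL"})
    print(redact(args))  # pass **args to kinetica.create_credential(...)
```

The returned dictionary can be passed as keyword arguments to the `create_credential` call shown above, while only the output of `redact` is logged.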

Altering a Credential

To alter an existing credential, auser_azure_active_dir_creds, for a new secret:
ALTER CREDENTIAL auser_azure_active_dir_creds
SET PROPERTY
    SECRET = 'atypicaluserNewPassw0rd!'

Removing a Credential

To remove an existing credential, auser_azure_active_dir_creds:
DROP CREDENTIAL auser_azure_active_dir_creds

Showing a Credential

To show the configuration for an existing credential, auser_azure_active_dir_creds, while masking the secret:
SHOW CREDENTIAL auser_azure_active_dir_creds

The output for the above:
{
    "credential_names": [
        "ki_home.auser_azure_active_dir_creds"
    ],
    "credential_types": [
        "azure_ad"
    ],
    "credential_identities": [
        ""
    ],
    "credentials": [
        "{\"credential_name\":\"ki_home.auser_azure_active_dir_creds\",\"type\":\"azure_ad\",\"identity\":\"\",\"secret\":\"\",\"options\":{}}"
    ],
    "additional_info": [
        {}
    ],
    "info": {},
    "status_info": {
        "status": "OK",
        "message": "",
        "data_type": "show_credential_response",
        "response_time": <fast>
    }
}

Updating Credential Permissions

To grant credential_read permission to a user, auser:
GRANT READ ON CREDENTIAL auser_azure_active_dir_creds TO auser

To revoke credential_read permission from a user, auser:
REVOKE READ ON CREDENTIAL auser_azure_active_dir_creds FROM auser