# Credentials

A *credential* is an authentication object for a resource or repository that is
external to the database. It stores the authentication information used to log in
to that external system, so that any database object that needs to connect to
that system can be given an authentication token.

A *credential* name must adhere to the standard
[naming criteria](/content/concepts/tables#table-naming-criteria).  Each *credential*
exists within a [schema](/content/concepts/schemas) and follows the standard
[name resolution rules](/content/concepts/tables#table-name-resolution) for *tables*.

The following can make use of *credentials*:

* [Data sources](/content/concepts/data_sources)
  (see also the [CREATE DATA SOURCE](/content/sql/ddl#sql-create-data-source) command in SQL)
* [Data sinks](/content/concepts/data_sinks)
  (see also the [CREATE DATA SINK](/content/sql/ddl#sql-create-data-sink) command in SQL)
* [ML container registries](/content/ml/concepts#ml-registry)
  (see also the [CREATE CONTAINER REGISTRY](/content/sql/ml#sql-ml-create-cr) command in SQL)

Any user can create a *credential* for their own use.

The following services are supported:

* *Azure*

* *Google Cloud*

* *HDFS*

* *JDBC*

* *Kafka*

  * Apache Cluster
  * Confluent Cluster

* Remote Repositories

  * *Docker*
  * *Nvidia*
  * *OpenAI*

* *S3*

## Managing Credentials

A *credential* can be managed using the following API endpoint calls. For
managing *credentials* in SQL, see [CREATE CREDENTIAL](/content/sql/ddl#sql-create-credential).

| API Call                                                                             | Description                                                                                                                                                       |
| ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [/create/credential](/content/api/rest/create_credential_rest)                       | Creates a *credential*, given authentication and connection information                                                                                           |
| [/alter/credential](/content/api/rest/alter_credential_rest)                         | Modifies the properties of a *credential*                                                                                                                         |
| [/drop/credential](/content/api/rest/drop_credential_rest)                           | Removes the *credential* reference from the database                                                                                                              |
| [/show/credential](/content/api/rest/show_credential_rest)                           | Outputs the *credential's* properties                                                                                                                             |
| [/grant/permission/credential](/content/api/rest/grant_permission_credential_rest)   | Grants the [permission](/content/security/sec_concepts#security-concepts-permissions-credential) for a user to use or manage a *credential* or all *credentials*  |
| [/revoke/permission/credential](/content/api/rest/revoke_permission_credential_rest) | Revokes the [permission](/content/security/sec_concepts#security-concepts-permissions-credential) for a user to use or manage a *credential* or all *credentials* |

## Creating a Credential

To create a *credential*, `auser_azure_active_dir_creds`, that connects to
*Azure Active Directory*:

<CodeGroup>
  ```sql SQL theme={null}
  CREATE CREDENTIAL auser_azure_active_dir_creds
  TYPE = 'azure_ad',
  IDENTITY = 'atypicaluser',
  SECRET = 'Passw0rd!'
  ```

  ```python Python theme={null}
  # uid and pwd hold the Azure AD identity and secret, supplied by the caller
  kinetica.create_credential(
      credential_name = 'auser_azure_active_dir_creds',
      type = 'azure_ad',
      identity = uid,
      secret = pwd
  )
  ```
</CodeGroup>

To create a *credential*, `kafka_cred`, that connects to *Kafka* via SSL:

<CodeGroup>
  ```sql SQL theme={null}
  CREATE CREDENTIAL kafka_cred
  TYPE = 'kafka'
  WITH OPTIONS
  (
      'security.protocol' = 'SSL',
      'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt',
      'ssl.certificate.location' = 'kifs://ssl/client.pem',
      'ssl.key.location' = 'kifs://ssl/client.key',
      'ssl.key.password' = 'Passw0rd!'
  )
  ```

  ```python Python theme={null}
  kinetica.create_credential(
      credential_name = 'kafka_cred',
      type = 'kafka',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SSL',
          'ssl.ca.location': 'kifs://ssl/ca-bundle.crt',
          'ssl.certificate.location': 'kifs://ssl/client.pem',
          'ssl.key.location': 'kifs://ssl/client.key',
          'ssl.key.password': 'Passw0rd!'
      }
  )
  ```
</CodeGroup>

<a id="credential-syntax" />

### Provider-Specific Syntax

Several authentication schemes across multiple providers are supported.

* [Azure BLOB](/content/concepts/credentials#credential-azure)
* [GCS](/content/concepts/credentials#credential-gcs)
* [HDFS](/content/concepts/credentials#credential-hdfs)
* [JDBC](/content/concepts/credentials#credential-jdbc)
* [Kafka (Apache)](/content/concepts/credentials#credential-kafka)
* [Kafka (Confluent)](/content/concepts/credentials#credential-confluent)
* [Remote Repository](/content/concepts/credentials#credential-repo)
* [S3 (Amazon)](/content/concepts/credentials#credential-s3)

<a id="credential-azure" />

#### Azure BLOB

<CodeGroup>
  ```python Password theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'azure_storage_key',
      identity = '<azure storage account name>',
      secret = '<azure storage account key>',
      options = {}
  )
  ```

  ```python SAS Token theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'azure_sas',
      identity = '<azure storage account name>',
      secret = '<azure sas token>',
      options = {}
  )
  ```

  ```python Active Directory theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'azure_ad',
      identity = '<ad client id>',
      secret = '<ad client secret key>',
      options = {
          'azure_storage_account_name': '<azure storage account name>',
          'azure_tenant_id': '<azure tenant id>'
      }
  )
  ```
</CodeGroup>

<a id="credential-gcs" />

#### GCS

<CodeGroup>
  ```python User ID & Key theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'gcs_service_account_id',
      identity = '<gcs account id>',
      secret = '<gcs account private key>',
      options = {}
  )
  ```

  ```python JSON Key theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'gcs_service_account_keys',
      identity = '',
      secret = '',
      options = {
          'gcs_service_account_keys': '<gcs account json key text>'
      }
  )
  ```
</CodeGroup>

<a id="credential-hdfs" />

#### HDFS

<CodeGroup>
  ```python Password theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'hdfs',
      identity = '<hdfs username>',
      secret = '<hdfs password>',
      options = {}
  )
  ```

  ```python Kerberos Keytab theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'hdfs',
      identity = '<hdfs username>',
      secret = '',
      options = {
          'hdfs_kerberos_keytab': 'kifs://<keytab file path>'
      }
  )
  ```

  ```python Kerberos Token theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'hdfs',
      identity = '<hdfs username>',
      secret = '',
      options = {
          'hdfs_use_kerberos': 'true'
      }
  )
  ```
</CodeGroup>

<a id="credential-jdbc" />

#### JDBC

```python Password theme={null}
kinetica.create_credential(
    credential_name = '[<schema name>.]<credential name>',
    type = 'jdbc',
    identity = '<jdbc username>',
    secret = '<jdbc password>',
    options = {}
)
```

<a id="credential-kafka" />

#### Kafka (Apache)

<CodeGroup>
  ```python SSL (CA Cert) theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'kafka',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SSL',
          'ssl.ca.location': 'kifs://<client ca certificates path>'
      }
  )
  ```

  ```python SSL (CA Cert/Client Auth) theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'kafka',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SSL',
          'ssl.ca.location': 'kifs://<client ca certificates path>',
          'ssl.certificate.location': 'kifs://<client certificate path>'
      }
  )
  ```

  ```python SSL (Encryption) theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'kafka',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SSL',
          'ssl.ca.location': 'kifs://<client ca certificates path>',
          'ssl.certificate.location': 'kifs://<client certificate path>',
          'ssl.key.location': 'kifs://<client key path>',
          'ssl.key.password': '<client key password>'
      }
  )
  ```

  ```python SASL theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'kafka',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SASL_SSL',
          'sasl.mechanism': 'PLAIN',
          'sasl.username': '<sasl username>',
          'sasl.password': '<sasl password>'
      }
  )
  ```

  ```python Kerberos theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'kafka',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SASL_PLAINTEXT',
          'sasl.mechanism': 'GSSAPI',
          'sasl.kerberos.service.name': '<kerberos service name>',
          'sasl.kerberos.keytab': 'kifs://<kerberos keytab file>',
          'sasl.kerberos.principal': '<kerberos principal>'
      }
  )
  ```

  ```python Kerberos SSL theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'kafka',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SASL_SSL',
          'sasl.mechanism': 'GSSAPI',
          'sasl.kerberos.service.name': '<kerberos service name>',
          'sasl.kerberos.keytab': 'kifs://<kerberos keytab file>',
          'sasl.kerberos.principal': '<kerberos principal>',
          'ssl.ca.location': 'kifs://<client ca certificates path>',
          'ssl.certificate.location': 'kifs://<client certificate path>',
          'ssl.key.location': 'kifs://<client key path>',
          'ssl.key.password': '<client key password>'
      }
  )
  ```
</CodeGroup>

<a id="credential-confluent" />

#### Kafka (Confluent)

<CodeGroup>
  ```python SSL (CA Cert) theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'confluent',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SSL',
          'ssl.ca.location': 'kifs://<client ca certificates path>'
      }
  )
  ```

  ```python SSL (CA Cert/Client Auth) theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'confluent',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SSL',
          'ssl.ca.location': 'kifs://<client ca certificates path>',
          'ssl.certificate.location': 'kifs://<client certificate path>'
      }
  )
  ```

  ```python SSL (Encryption) theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'confluent',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SSL',
          'ssl.ca.location': 'kifs://<client ca certificates path>',
          'ssl.certificate.location': 'kifs://<client certificate path>',
          'ssl.key.location': 'kifs://<client key path>',
          'ssl.key.password': '<client key password>'
      }
  )
  ```

  ```python SASL theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'confluent',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SASL_SSL',
          'sasl.mechanism': 'PLAIN',
          'sasl.username': '<sasl username>',
          'sasl.password': '<sasl password>'
      }
  )
  ```

  ```python Kerberos theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'confluent',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SASL_PLAINTEXT',
          'sasl.mechanism': 'GSSAPI',
          'sasl.kerberos.service.name': '<kerberos service name>',
          'sasl.kerberos.keytab': 'kifs://<kerberos keytab file>',
          'sasl.kerberos.principal': '<kerberos principal>'
      }
  )
  ```

  ```python Kerberos SSL theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'confluent',
      identity = '',
      secret = '',
      options = {
          'security.protocol': 'SASL_SSL',
          'sasl.mechanism': 'GSSAPI',
          'sasl.kerberos.service.name': '<kerberos service name>',
          'sasl.kerberos.keytab': 'kifs://<kerberos keytab file>',
          'sasl.kerberos.principal': '<kerberos principal>',
          'ssl.ca.location': 'kifs://<client ca certificates path>',
          'ssl.certificate.location': 'kifs://<client certificate path>',
          'ssl.key.location': 'kifs://<client key path>',
          'ssl.key.password': '<client key password>'
      }
  )
  ```
</CodeGroup>
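
The Kafka (Apache) and Kafka (Confluent) `options` maps above differ only in `type`, so one pre-flight check can cover both before a credential is created. This is an added example, not Kinetica code: `check_kafka_options`, its rules, and the `CONSTRUCTED_WEAK` input are assumptions made for illustration.

```python
# Pre-flight checks for Kafka/Confluent credential `options` maps (added example).
# The rules are this example's assumptions, not validation performed by Kinetica.
FILE_OPTIONS = ('ssl.ca.location', 'ssl.certificate.location',
                'ssl.key.location', 'sasl.kerberos.keytab')
REQUIRED_BY_MECHANISM = {
    'PLAIN': ('sasl.username', 'sasl.password'),
    'GSSAPI': ('sasl.kerberos.service.name', 'sasl.kerberos.keytab',
               'sasl.kerberos.principal'),
}


def check_kafka_options(options):
    """Return a list of findings (strings) for one `options` map."""
    findings = []
    protocol = options.get('security.protocol', '')
    mechanism = options.get('sasl.mechanism', '')
    if protocol not in ('SSL', 'SASL_SSL', 'SASL_PLAINTEXT'):
        findings.append('unexpected security.protocol: %r' % protocol)

    # SASL_PLAINTEXT authenticates the client but does not encrypt the connection.
    if protocol == 'SASL_PLAINTEXT':
        if mechanism == 'PLAIN':
            findings.append('PLAIN over SASL_PLAINTEXT sends sasl.password unencrypted')
        else:
            findings.append('SASL_PLAINTEXT leaves broker traffic unencrypted')

    if protocol.startswith('SASL'):
        if mechanism not in REQUIRED_BY_MECHANISM:
            findings.append('unexpected sasl.mechanism: %r' % mechanism)
        for key in REQUIRED_BY_MECHANISM.get(mechanism, ()):
            if not options.get(key):
                findings.append('missing %s for %s' % (key, mechanism))

    # Every file reference in the page's examples is a kifs:// path.
    for key in FILE_OPTIONS:
        if key in options and not options[key].startswith('kifs://'):
            findings.append('%s is not a kifs:// path' % key)

    # A client private key is only usable together with its certificate.
    if 'ssl.key.location' in options and 'ssl.certificate.location' not in options:
        findings.append('ssl.key.location set without ssl.certificate.location')
    return findings


# The page's "SSL (Encryption)" options, and a constructed weak configuration.
PAGE_SSL = {
    'security.protocol': 'SSL',
    'ssl.ca.location': 'kifs://ssl/ca-bundle.crt',
    'ssl.certificate.location': 'kifs://ssl/client.pem',
    'ssl.key.location': 'kifs://ssl/client.key',
    'ssl.key.password': 'Passw0rd!',
}
CONSTRUCTED_WEAK = {
    'security.protocol': 'SASL_PLAINTEXT',
    'sasl.mechanism': 'PLAIN',
    'sasl.username': 'svc_kafka',
    'ssl.key.location': '/tmp/client.key',
}
print(check_kafka_options(PAGE_SSL), check_kafka_options(CONSTRUCTED_WEAK))
```
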

<a id="credential-repo" />

#### Remote Repository

<CodeGroup>
  ```python Docker theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'docker',
      identity = '<docker username>',
      secret = '<docker password>'
  )
  ```

  ```python Nvidia API theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'nvidia_api_key',
      identity = '',
      secret = '<nvidia api key>'
  )
  ```

  ```python OpenAI API theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'openai_api_key',
      identity = '',
      secret = '<openai api key>'
  )
  ```
</CodeGroup>

<a id="credential-s3" />

#### S3 (Amazon)

<CodeGroup>
  ```python Access Key theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'aws_access_key',
      identity = '<aws access key id>',
      secret = '<aws secret access key>'
  )
  ```

  ```python IAM Role theme={null}
  kinetica.create_credential(
      credential_name = '[<schema name>.]<credential name>',
      type = 'aws_iam_role',
      identity = '<aws access key id>',
      secret = '<aws secret access key>',
      options = {
          's3_aws_role_arn': '<amazon resource name>'
      }
  )
  ```
</CodeGroup>

## Altering a Credential

To alter an existing *credential*, `auser_azure_active_dir_creds`, for a
new `secret`:

<CodeGroup>
  ```sql SQL theme={null}
  ALTER CREDENTIAL auser_azure_active_dir_creds
  SET PROPERTY
      SECRET = 'atypicaluserNewPassw0rd!'
  ```

  ```python Python theme={null}
  # new_pwd holds the replacement secret, supplied by the caller
  kinetica.alter_credential(
      credential_name = 'auser_azure_active_dir_creds',
      credential_updates_map = {
        'secret': new_pwd
      },
      options = {}
  )
  ```
</CodeGroup>

## Removing a Credential

To remove an existing *credential*, `auser_azure_active_dir_creds`:

<CodeGroup>
  ```sql SQL theme={null}
  DROP CREDENTIAL auser_azure_active_dir_creds
  ```

  ```python Python theme={null}
  kinetica.drop_credential('auser_azure_active_dir_creds')
  ```
</CodeGroup>

## Showing a Credential

To show the configuration for an existing *credential*,
`auser_azure_active_dir_creds`, while masking the `secret`:

<CodeGroup>
  ```sql SQL theme={null}
  SHOW CREDENTIAL auser_azure_active_dir_creds
  ```

  ```python Python theme={null}
  kinetica_read = gpudb.GPUdb(host = [args.url], username = 'auser', password = 'password')

  response = kinetica_read.show_credential('auser_azure_active_dir_creds')
  ```
</CodeGroup>

The output for the above:

```text theme={null}
{
    "credential_names": [
        "ki_home.auser_azure_active_dir_creds"
    ],
    "credential_types": [
        "azure_ad"
    ],
    "credential_identities": [
        ""
    ],
    "credentials": [
        "{\"credential_name\":\"ki_home.auser_azure_active_dir_creds\",\"type\":\"azure_ad\",\"identity\":\"\",\"secret\":\"\",\"options\":{}}"
    ],
    "additional_info": [
        {}
    ],
    "info": {},
    "status_info": {
        "status": "OK",
        "message": "",
        "data_type": "show_credential_response",
        "response_time": <fast>
    }
}
```
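
Each entry in `credentials` is a JSON document encoded as a string, so checking that a response is safe to log means decoding it first. The following added example (not Kinetica code) runs that check over the response above; `exposed_secrets`, the `SECRET_OPTIONS` list, and the unmasked second response are assumptions constructed for illustration, and the page does not state whether option values are masked.

```python
import json

# Option keys from this page whose values are secrets rather than paths or names.
SECRET_OPTIONS = ('ssl.key.password', 'sasl.password', 'gcs_service_account_keys')


def exposed_secrets(response):
    """Return sorted (credential_name, field) pairs that carry a non-empty secret."""
    exposed = set()
    for raw in response.get('credentials', []):
        cred = json.loads(raw)  # each entry is a JSON document stored as a string
        name = cred.get('credential_name', '<unnamed>')
        if cred.get('secret'):
            exposed.add((name, 'secret'))
        options = cred.get('options') or {}
        for key in SECRET_OPTIONS:
            if options.get(key):
                exposed.add((name, 'options.' + key))
    return sorted(exposed)


# The response shown above; response_time is a constructed value.
PAGE_RESPONSE = {
    'credential_names': ['ki_home.auser_azure_active_dir_creds'],
    'credential_types': ['azure_ad'],
    'credential_identities': [''],
    'credentials': [
        '{"credential_name":"ki_home.auser_azure_active_dir_creds",'
        '"type":"azure_ad","identity":"","secret":"","options":{}}'
    ],
    'additional_info': [{}],
    'info': {},
    'status_info': {'status': 'OK', 'message': '',
                    'data_type': 'show_credential_response',
                    'response_time': 0.001},
}

# Constructed response in which secret values came back unmasked.
CONSTRUCTED_UNMASKED = {
    'credential_names': ['ki_home.kafka_cred'],
    'credentials': [json.dumps({
        'credential_name': 'ki_home.kafka_cred',
        'type': 'kafka',
        'identity': '',
        'secret': 'constructed-secret',
        'options': {'security.protocol': 'SSL',
                    'ssl.key.location': 'kifs://ssl/client.key',
                    'ssl.key.password': 'constructed-password'},
    })],
}

print(exposed_secrets(PAGE_RESPONSE), exposed_secrets(CONSTRUCTED_UNMASKED))
```
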

## Updating Credential Permissions

To grant `credential_read` permission to a user, `auser`:

<CodeGroup>
  ```sql SQL theme={null}
  GRANT READ ON CREDENTIAL auser_azure_active_dir_creds TO auser
  ```

  ```python Python theme={null}
  kinetica.grant_permission_credential(
      name = 'auser',
      permission = 'credential_read',
      credential_name = 'auser_azure_active_dir_creds'
  )
  ```
</CodeGroup>

To revoke `credential_read` permission from a user, `auser`:

<CodeGroup>
  ```sql SQL theme={null}
  REVOKE READ ON CREDENTIAL auser_azure_active_dir_creds FROM auser
  ```

  ```python Python theme={null}
  kinetica.revoke_permission_credential(
      name = 'auser',
      permission = 'credential_read',
      credential_name = 'auser_azure_active_dir_creds'
  )
  ```
</CodeGroup>
