# Credential Manager Configuration

This article describes how to configure Credential Manager keys for connectors in the **OvalEdge** application. It explains the supported credential storage mechanisms, how to create secrets in external secret managers, and how to reference those keys when creating or updating connectors in OvalEdge.

## Purpose

The purpose of this document is to define the process for storing sensitive connector attributes in supported credential managers and referencing those keys in the connector within the OvalEdge application.

## Credential Management in OvalEdge

OvalEdge connects to data sources to crawl metadata, profile data, catalog assets, and build lineage.

OvalEdge supports the following credential storage mechanisms:

* Encrypted credentials stored in the OvalEdge
  * MySQL Database
  * AWS Secrets Manager (SaaS)
* Client credential managers
  * [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)
  * [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault/)
  * [HashiCorp](https://www.hashicorp.com/en/products/vault)

### Deployment Models and Credential Storage

#### SaaS Deployment

In SaaS deployments, client connection credentials are stored in OvalEdge AWS Secrets Manager.

* Sensitive credentials are encrypted and stored in OvalEdge AWS Secrets Manager.
* Non-sensitive attributes are stored in the OvalEdge database.
* Access to AWS Secrets Manager is restricted and managed with multi-factor authentication.
* Credentials are protected through encryption and secure secret storage.
* Alternatively, OvalEdge can read secrets from the following client credential managers:
  * AWS Secrets Manager
  * Azure Key Vault
  * HashiCorp

<figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FQLIXMLWNOOg8TnKtVtEk%2FCMC%20Image%20SaaS.png?alt=media&#x26;token=cc74e012-01f1-4bf1-9624-e5b8ff2aeed0" alt=""><figcaption></figcaption></figure>

#### Stand-Alone Deployment

In standalone deployments, OvalEdge runs within the client’s secure network.

* Sensitive credentials, such as passwords and client secrets, can be stored in the OvalEdge database in encrypted form.
* Alternatively, credentials can be stored in supported client credential managers:
  * AWS Secrets Manager
  * Azure Key Vault
  * HashiCorp

{% hint style="info" %}
In standalone deployments, the client retains full ownership and access control of credentials.
{% endhint %}

<figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FIqR14x40gsDiv5GwNgNu%2FCMC%20Image%20DB.png?alt=media&#x26;token=b67fbbf4-db6b-42d8-8d03-200f317a8d31" alt=""><figcaption></figcaption></figure>

## Supported Credential Managers

OvalEdge supports the following secret managers for retrieving connector credentials:

1. AWS Secrets Manager
2. Azure Key Vault
3. HashiCorp

Before using a credential manager in other connectors, create a connector for the selected credential manager in the OvalEdge application.

Refer to the respective connector documentation for configuration details:

* [AWS Secrets Manager](https://docs.ovaledge.com/connectors/connector-repositories/identity-access-management/aws-secrets-manager)
* [Azure Key Vault](https://docs.ovaledge.com/connectors/connector-repositories/identity-access-management/azure-key-vault)
* [HashiCorp](https://docs.ovaledge.com/connectors/connector-repositories/identity-access-management/hashicorp)

### Secret Key Naming Conventions

Once the credentials are configured in the client credential manager, ensure that the secret keys follow the naming pattern required by that credential manager so they can be referenced in the OvalEdge application. The pattern differs for each credential manager.

#### AWS Secrets Manager

For AWS Secrets Manager, the connector retrieves credential details from the specified secret. The secret can contain different credential keys based on the connector configuration and the client’s authentication method.

**Example:**

* username
* password

**Key Pattern:**

`{secretname}/{key}`

**Example:**

* <mark style="color:$primary;">sqlserver-SM/username</mark>
* <mark style="color:$primary;">sqlserver-SM/password</mark>

<figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FnwQjb8WyFl38hWdWWLer%2Funknown.png?alt=media&#x26;token=3f579379-f569-433e-9d52-9f6ed7792571" alt=""><figcaption></figcaption></figure>

Use these secret keys/values when creating or updating the connector in the OvalEdge application.

**Reference Credential Manager When Creating/Editing a Connector**

**Example: SQL Server Connector**

1. Log in to the OvalEdge application.
2. Navigate to **Administration → Connectors**.
3. On the Connectors page, click **+ New Connector**.
4. Search for **SQL Server** and select the **SQL Server Connector**. The **Add Connector** page appears.
5. In the **Credentials Manager** dropdown, select **AWS Secrets Manager**. The parameters related to the selected credential manager appear.
6. Enter the required connection parameters.
7. In the **Username** and **Password** fields, enter the secret keys retrieved from AWS Secrets Manager:

   1. <mark style="color:$primary;">sqlserver-SM/username</mark>
   2. <mark style="color:$primary;">sqlserver-SM/password</mark>

   <figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FhixuCOkMgS8P2gknpqD5%2Funknown.png?alt=media&#x26;token=65aaea2d-8f0c-4f2a-99f5-8f920ccf05be" alt=""><figcaption></figcaption></figure>
8. Click **Validate** to verify the connection.
9. Click **Save** to store the connection for future use.
10. Alternatively, click **Save & Configure** to configure additional settings before saving. The saved connector appears on the **Connectors** page.

{% hint style="info" %}
Users can update secret keys for an existing connector. On the **Connectors** page, locate the required connector (for example, SQL Server), click the **nine-dot** menu, and select **Edit Connector**. Update the required credential fields (for example, Username and Password) with the secret keys retrieved from **AWS Secrets Manager**, and then save the connector.
{% endhint %}

#### Azure Key Vault

For **Azure Key Vault**, the connector requires only the key names. The connector retrieves the corresponding secret values directly from Azure Key Vault. The keys stored in the vault depend on the connector configuration and the client’s authentication method.

**Key Pattern:**

`{key}`

**Example:**

* <mark style="color:$primary;">adf-clientid-new</mark>
* <mark style="color:$primary;">adf-clientsecret-new</mark>
* <mark style="color:$primary;">adf-endpoint-new</mark>
* <mark style="color:$primary;">adf-tenantid-new</mark>
* <mark style="color:$primary;">azuredatafactory-subscriberId</mark>
* <mark style="color:$primary;">adf-apiversion</mark>
* <mark style="color:$primary;">adf-resourcegroup</mark>

<figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FuKFX8yBUSLYjPHCOgozd%2F1.png?alt=media&#x26;token=1ef8b6cd-0755-4c7f-aeb5-800bac8d9540" alt=""><figcaption></figcaption></figure>

After retrieving the key names, use these names when creating or updating the connector in the OvalEdge application.

**Reference Credential Manager When Creating/Editing a Connector**

**Example: Azure Data Factory Connector**

1. Log in to the OvalEdge application.
2. Navigate to **Administration → Connectors**.
3. On the Connectors page, click **+ New Connector**.
4. Search for **Azure Data Factory** and select the **Azure Data Factory** connector. The **Add Connector** page appears.
5. In the **Credentials Manager** dropdown, select **Azure Key Vault**. The parameters related to the selected credential manager appear.
6. Enter the required connection parameters.
7. In the following fields, enter the corresponding secret keys retrieved from Azure Key Vault:

| Connector Field     | Key Name                      |
| ------------------- | ----------------------------- |
| Client Id           | adf-clientid-new              |
| Client Secret       | adf-clientsecret-new          |
| Tenant Id           | adf-tenantid-new              |
| Subscriber Id       | azuredatafactory-subscriberId |
| Resource Group Name | adf-resourcegroup             |
| API Version         | adf-apiversion                |

<figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FVGOTibNJraVzBLYwZ0Sv%2Funknown.png?alt=media&#x26;token=511076ae-7700-4396-9755-55349241f73d" alt=""><figcaption></figcaption></figure>

8. Click **Validate** to verify the connection.
9. Click **Save** to store the connection for future use.
10. Alternatively, click **Save & Configure** to configure additional settings before saving. The saved connector appears on the **Connectors** page.

{% hint style="info" %}
Users can update key values for an existing connector. On the **Connectors** page, locate the required connector (for example, Azure Data Factory), click the **nine-dot** menu, and select **Edit Connector**. Update the required credential fields (for example, Client Id, Client Secret, etc.) with the secret keys retrieved from **Azure Key Vault**, and then save the connector.
{% endhint %}

#### HashiCorp

For **HashiCorp Vault**, the connector retrieves credential details from the specified secret path. The secret can contain different credential keys based on the connector configuration and the client’s authentication method.

**Example:**

* IP
* Username
* Password

**Key Pattern:**

`/v1/{engine_name}/data/{secret_name}/{key}`

**Example:**

* <mark style="color:$primary;">/v1/SQLSERVER\_ONPREM/data/SQLSERVERCONN/IP</mark>
* <mark style="color:$primary;">/v1/SQLSERVER\_ONPREM/data/SQLSERVERCONN/Password</mark>
* <mark style="color:$primary;">/v1/SQLSERVER\_ONPREM/data/SQLSERVERCONN/Username</mark>

<figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FD8U9b9k1voogVSeI5l71%2F2.png?alt=media&#x26;token=4973653d-ce18-470f-bb32-4d4a7e29c7ef" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FUv6Pl57fR8UYaLeZ89lV%2F3.png?alt=media&#x26;token=821e3463-f44f-419c-b3d4-cc14b76b7827" alt=""><figcaption></figcaption></figure>

After retrieving the secret values, use these values when creating or updating the connector in the OvalEdge application.

**Reference Credential Manager When Creating/Editing a Connector**

**Example: SQL Server Connector**

1. Log in to the OvalEdge application.
2. Navigate to **Administration → Connectors**.
3. On the **Connectors** page, click **+ New Connector**.
4. Search for **SQL Server** and select the **SQL Server Connector**. The **Add Connector** page appears.
5. In the **Credentials Manager** dropdown, select **HashiCorp**. The parameters related to the selected credential manager appear.
6. Enter the required connection parameters.
7. In the **Server**, **Username**, and **Password** fields, enter the secret keys retrieved from HashiCorp:

   1. <mark style="color:$primary;">/v1/SQLSERVER\_ONPREM/data/SQLSERVERCONN/IP</mark>
   2. <mark style="color:$primary;">/v1/SQLSERVER\_ONPREM/data/SQLSERVERCONN/Password</mark>
   3. <mark style="color:$primary;">/v1/SQLSERVER\_ONPREM/data/SQLSERVERCONN/Username</mark>

   <figure><img src="https://1813356899-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTnkoJQml0pok9awFDhx%2Fuploads%2FsUol7MNLUWPL9sEzlsdl%2Funknown.png?alt=media&#x26;token=c8acb851-a906-41ca-bf18-7b9a3f6890ca" alt=""><figcaption></figcaption></figure>
8. Click **Validate** to verify the connection.
9. Click **Save** to store the connection for future use.
10. Alternatively, click **Save & Configure** to configure additional settings before saving. The saved connector appears on the **Connectors** page.

{% hint style="info" %}
Users can update secret keys for an existing connector. On the **Connectors** page, locate the required connector (for example, SQL Server), click the **nine-dot** menu, and select **Edit Connector**. Update the required credential fields (for example, Server IP, Username, and Password) with the secret keys retrieved from **HashiCorp Manager**, and then save the connector.
{% endhint %}

{% hint style="warning" %}
The connector retrieves credential values (for example, Username and Password) from the configured credential manager store. Fields not stored in the secret are used as entered. If a secret key is incorrect, missing, or removed from the credential manager store, connection validation and operations fail.
{% endhint %}
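
A pre-flight check for the three reference shapes described above, as an added example that is not OvalEdge code: it parses each connector-field value against its credential manager's key pattern and compares the key with an inventory of key names that you supply. The function names, the regexes, and the sample inventory are assumptions of this example.

```python
import re

# Shapes follow the key patterns and examples on this page; the exact regexes
# (single-segment Vault names, AWS split on the last "/") are assumptions.
PATTERNS = {
    "AWS Secrets Manager": re.compile(r"^(?P<secret>[^/\s]\S*)/(?P<key>[^/\s]+)$"),
    # Azure Key Vault secret names: 1-127 characters, letters, digits, hyphens.
    "Azure Key Vault": re.compile(r"^(?P<key>[0-9A-Za-z-]{1,127})$"),
    "HashiCorp": re.compile(
        r"^/v1/(?P<engine>[^/\s]+)/data/(?P<secret>[^/\s]+)/(?P<key>[^/\s]+)$"),
}

def parse_reference(manager, ref):
    """Split a connector-field value into its parts, or raise ValueError."""
    match = PATTERNS[manager].match(ref)
    if match is None:
        raise ValueError(f"{ref!r} does not match the {manager} key pattern")
    return match.groupdict()

def preflight(manager, fields, inventory):
    """Return a list of problems; an empty list means every reference resolves.

    inventory maps a secret locator to the key names stored under it
    (names only, never values). Matching in this example is exact and
    case-sensitive.
    """
    problems = []
    for field, ref in fields.items():
        try:
            parts = parse_reference(manager, ref)
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
            continue
        locator = "/".join(parts[p] for p in ("engine", "secret") if p in parts)
        locator = locator or "(vault)"   # Azure references carry no locator
        if parts["key"] not in inventory.get(locator, set()):
            problems.append(f"{field}: key {parts['key']!r} not found in {locator}")
    return problems

# Constructed sample: field values as typed into the connector form.
HASHICORP_FIELDS = {
    "Server": "/v1/SQLSERVER_ONPREM/data/SQLSERVERCONN/IP",
    "Username": "/v1/SQLSERVER_ONPREM/data/SQLSERVERCONN/Username",
    "Password": "/v1/SQLSERVER_ONPREM/SQLSERVERCONN/Password",  # "/data/" dropped
}
HASHICORP_INVENTORY = {"SQLSERVER_ONPREM/SQLSERVERCONN": {"IP", "Username", "Password"}}

if __name__ == "__main__":
    for line in preflight("HashiCorp", HASHICORP_FIELDS, HASHICORP_INVENTORY):
        print(line)
```

Running the check before clicking **Validate** separates a mistyped reference from a key that is missing in the store, which the connector reports only as a failed connection.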

***

Copyright © 2026, OvalEdge LLC, Peachtree Corners, GA, USA.
