11 Credential Store (Preview)
This chapter covers using the credential store in Oracle AI Data Platform Workbench to create, manage, and provision access to credentials.
About Credential Store (Preview)
The Credential Store in Oracle AI Data Platform Workbench allows you to create, manage, and provision access to credentials.
You access the Credential Store page from the left navigation panel in AI Data Platform Workbench. From the Credential Store screen, you can view all the existing credentials in your AI Data Platform Workbench instance and a history of changes to the credential store, including creation, modification, and deletion of credentials.
AI Data Platform Workbench enables you to create and store credentials for use as part of your notebooks and workflows. Credentials include keys, tokens, or passwords used to access sources outside of AI Data Platform Workbench, like clouds, databases, or APIs. The credential store provides a safe way to create and store credentials, a way to manage permissions for who can access the credentials and where, and a way to view audit logs of how the credentials are used.
Credentials are managed with strict access controls to ensure secure and authorized use. Operations on the Credential Store are logged in the audit logs of AI Data Platform Workbench to ensure adherence to any applicable regulations and compliance requirements.
- Secret tokens: This category of credentials enables you to access third-party services, like APIs. A secret token type credential is free form in nature and requires you to provide keys and value pairs to store field names and their values.
- OCI vault references: You can store references to existing OCI Vault secrets so that they can use utilities APIs to retrieve secrets from the vault. AI Data Platform Workbench does not store the secret value, but securely accesses it when necessary.
Prerequisites
To create credentials in your AI Data Platform Workbench, you need the CREATE_CREDENTIAL permission at the Master Catalog level. For more information, see Master Catalog Permissions.
You also need to ensure the following IAM policies are configured in the appropriate compartment:
For Vault References:
allow any-user to read secret-bundles in compartment id <Secret_Compartment_OCID> where all { request.principal.type = 'aidataplatform', request.principal.id = target.secret.system-tag.orcl-aidp.governingAidpId }
For Custom Encryption Keys:
allow any-user to use keys in compartment id <Key_Compartment_OCID> where request.principal.type = 'aidataplatform'
Use Cases for Credential Store
- External System Integration: Store API tokens or credentials required to connect to third-party systems such as SaaS platforms, databases, or data sources.
- Pipeline and Workflow Authentication: Securely reference secrets in data pipelines, jobs, or workflows without hardcoding credentials.
- Centralized Secret Management: Maintain a single source of truth for credentials used across teams and environments.
- Enterprise Vault Integration: Use Vault References to leverage existing enterprise-grade secret management systems while still integrating with workflows.
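The two IAM statements under Prerequisites grant access to any-user and depend entirely on their where clauses for scoping. The following check is an added example, not Oracle code: it reviews policy statements against the form shown on this page and reports where a statement is broader. The function name, the findings wording, and the sample statements with their placeholder OCIDs are constructed for illustration.

```python
import re

# Statement shape used by the policies on this page:
#   allow <subject> to <verb> <resource> in <scope> [where <conditions>]
STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject>\S+)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>.+?)(?:\s+where\s+(?P<where>.+?))?\s*$", re.IGNORECASE)
PRINCIPAL_TYPE = re.compile(r"request\.principal\.type\s*=\s*'aidataplatform'")
INSTANCE_BINDING = re.compile(r"request\.principal\.id\s*=\s*"
                              r"target\.secret\.system-tag\.orcl-aidp\.governingAidpId")
VERBS = ["inspect", "read", "use", "manage"]  # OCI verbs, least to most access
DOCUMENTED_VERB = {"secret-bundles": "read", "keys": "use"}  # verbs the page asks for

def review(statement):
    """Return findings for one policy statement; an empty list means it matches the page."""
    m = STATEMENT.match(statement)
    if not m:
        return ["statement not in the expected form"]
    subject, verb, resource = (m.group(g).lower() for g in ("subject", "verb", "resource"))
    where = m.group("where") or ""
    findings = []
    if subject == "any-user":
        if not PRINCIPAL_TYPE.search(where):
            findings.append("any-user is not limited to principal type 'aidataplatform'")
        if resource == "secret-bundles" and not INSTANCE_BINDING.search(where):
            findings.append("secret-bundles lacks the governingAidpId instance binding")
        if re.match(r"any\s*\{", where, re.IGNORECASE):
            findings.append("conditions joined with 'any': one match grants access")
    want = DOCUMENTED_VERB.get(resource)
    if want and verb in VERBS and VERBS.index(verb) > VERBS.index(want):
        findings.append(f"verb '{verb}' is broader than the documented '{want}'")
    if m.group("scope").strip().lower() == "tenancy":
        findings.append("scope is the whole tenancy rather than one compartment")
    return findings

# Constructed sample statements; the OCIDs are placeholders, not real identifiers.
SAMPLES = [
    "allow any-user to read secret-bundles in compartment id ocid1.compartment.oc1..example "
    "where all { request.principal.type = 'aidataplatform', "
    "request.principal.id = target.secret.system-tag.orcl-aidp.governingAidpId }",
    "allow any-user to use keys in compartment id ocid1.compartment.oc1..example "
    "where request.principal.type = 'aidataplatform'",
    "allow any-user to manage secret-bundles in tenancy",
    "allow any-user to read secret-bundles in compartment id ocid1.compartment.oc1..example "
    "where any { request.principal.type = 'aidataplatform', "
    "request.principal.id = target.secret.system-tag.orcl-aidp.governingAidpId }",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(review(s) or "ok", "<-", s[:60])
```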
Best Practices
To ensure security and maintainability when using Credential Store, follow these best practices:
- Avoid Hardcoding Secrets: Always store sensitive values in the Credential Store instead of embedding them in code, configs, or scripts.
- Use Vault References When Possible: For highly sensitive or regulated data, prefer vault references.
- Limit Access with Principle of Least Privilege: Share secrets only with users that require access, and avoid broad or unnecessary permissions.
- Use Descriptive Naming Conventions: Name secrets clearly (e.g., openai-api-token-prod) to make them easy to identify and manage.
- Rotate Secrets Regularly: Periodically update tokens and credentials to reduce the risk of compromise.
- Separate Secrets by Environment: Maintain distinct secrets for development, staging, and production environments to avoid accidental misuse.
- Audit and Review Usage: Regularly review who has access to secrets and where they are being used.
By using the Credential Store effectively, teams can improve security posture, simplify credential management, and enable scalable integrations across AI Data Platform.
Create Credentials (Preview)
You can create credentials for accessing other sources by selecting a credential type and providing the required details.
- Click Create in the left navigation pane and select Credentials. You can also navigate to the Credential Store and click Create Credentials.
- Provide a name and description.
- From the Credential type drop-down list, select the appropriate credential type.
  - Choose Secret Token to store a value directly.
  - Choose Vault Reference to reference an external vault secret.
- Provide the necessary credentials in the fields provided.
  - For Secret Token, provide the key name and secret value.
  - For Vault Reference, provide the vault OCID.
- Configure access or visibility settings, if applicable.
- Click Create.
Use Stored Credentials in a Notebook (Preview)
You can call on stored credentials in the code of a notebook using the aidputils utility.
- Navigate to your notebook.
- Identify the field that requires a sensitive value. For example, an API key or password.
- Use aidputils to get the stored credential:
  - For a secret value, use
    myKey = aidputils.secrets.get(name=<<cred_name>>, key="key_name")
  - For a vault reference, use
    myKey = aidputils.secrets.get(name=<<cred_name>>, key=VaultSecretReference)
- Run the notebook. AI Data Platform Workbench resolves the secret at runtime.
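The steps above, carried through as an added example that is not Oracle code: a notebook helper that fetches a token with aidputils.secrets.get, fails closed when the value is missing, and masks the value if it ever reaches a log message. It assumes aidputils is already available in a Workbench notebook and that the call returns a string; the credential name, key name, sample value, helper names, and the offline stand-in are constructed.

```python
import logging
from types import SimpleNamespace

# Assumption: in a Workbench notebook `aidputils` already exists (the steps above
# use it without an import). Elsewhere, this constructed stand-in returns a sample
# value so the example runs offline.
try:
    aidputils
except NameError:
    _SAMPLE = {("openai-api-token-dev", "api_key"): "constructed-sample-value-123"}
    aidputils = SimpleNamespace(secrets=SimpleNamespace(
        get=lambda name, key: _SAMPLE.get((name, key))))


class RedactSecrets(logging.Filter):
    """Logging filter that masks every value fetched through require_secret()."""

    def __init__(self):
        super().__init__()
        self.values = set()

    def filter(self, record):
        msg = record.getMessage()
        for value in self.values:
            msg = msg.replace(value, "****")
        record.msg, record.args = msg, None
        return True


REDACTOR = RedactSecrets()
log = logging.getLogger("notebook")
log.addFilter(REDACTOR)


def require_secret(name, key):
    """Resolve a credential field at runtime; raise if it is missing or empty."""
    value = aidputils.secrets.get(name=name, key=key)
    if not isinstance(value, str) or not value.strip():
        raise RuntimeError(f"credential {name!r} has no usable value for key {key!r}")
    REDACTOR.values.add(value)  # register the value so log output is masked
    return value


def auth_headers(name, key):
    """Build request headers from the stored token instead of a hardcoded literal."""
    headers = {"Authorization": f"Bearer {require_secret(name, key)}"}
    log.info("request headers: %s", headers)  # the filter masks the token if emitted
    return headers
```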
Modify Credentials (Preview)
You can modify the name, description, or configuration of credentials in your Credential Store to keep them up-to-date.
- On the Home page, navigate to your Credential Store.
- Next to the Credential you want to modify, click Actions then click Edit. You can also click the credential name, then click Edit in the top right.
- Modify the name, description, or configuration details as needed.
- Click Save.
Share Credentials (Preview)
You can share credentials in your Credential Store and manage who can access them.
- On the Home page, navigate to your Credential Store.
- Click the name of the credential you want to share.
- Click the Permissions tab.
- Add or modify permissions for the credential as needed.
- Click Save.
Delete Credentials (Preview)
You can delete credentials from your Credential Store to remove unused or obsolete credentials.
- On the Home page, navigate to your Credential Store.
- Next to the Credential you want to delete, click Actions then click Delete. You can also click the credential name, then click Delete in the top right.
- Select Confirm deletion of credential.
- Click Delete.
View Credential Details (Preview)
You can view configuration, usage, and permission details for credentials in your Credential Store.
- On the Home page, click Credential Store in the left navigation pane.
- Click the name of the credential you want to view details for.
- Click the Usage tab to see history of how and when a credential was used and by whom.
- Click the Permissions tab to see which users or roles can access this credential and their access level.
View Credential Store History (Preview)
You can see a complete history of credentials in your Oracle AI Data Platform Workbench instance, including creation, modification, and deletion.
- On the Home page, click Credential Store in the left navigation pane.
- Click the History tab.
- Use the Type drop-down list or the Search field to filter the displayed credential events.
- Click an Event ID to see more details for that specific event.