2.1.2.4 Stored Credentials

Note:

This feature is applicable only for EDQ 12.2.1.4.1 release.

The Stored Credentials tab allows you to store sets of credentials that EDQ can use to securely access external systems, such as cloud data storage systems. You can then use these credentials in file download and upload tasks configured in EDQ, and when calling web services that require the same authentication.

This tab displays the following details of the stored credentials:
  • Name - A name for the set of stored credentials. This name is used to select the credentials when configuring tasks to use them in Director.
  • Credentials Type - One of the known types of external system that EDQ can authenticate with, such as - Oracle Object Store (OCI), AWS, Azure Storage, OAuth2 Client Credentials and Google Cloud Platform.
  • Description - A short description of the set of stored credentials.

This tab allows you to perform the following functions:

2.1.2.4.1 Creating Stored Credentials

To create a new set of stored credentials, click the Add Stored Credentials icon above the Stored Credentials table.

In the Create Stored Credentials screen:

From the Credentials Type list box, select the type of stored credentials that you wish to create. You can select any of the following stored credentials types; the details you configure for the new set of stored credentials depend on the selected type:

Note:

You can click OK to save the new set of stored credentials only after filling in all the mandatory fields, which are marked with an asterisk (*).

The newly created set of stored credentials gets added to the existing set of stored credentials listed in the Stored Credentials table.

2.1.2.4.1.1 Creating OCI Stored Credentials

When you select OCI from the Credentials Type list box, the following options appear:
  1. Credentials Name - A name for the set of OCI stored credentials. This name is used to select the credentials when configuring tasks to use them in Director.
  2. Description - A short description of the set of OCI stored credentials.
  3. Tenancy OCID - The unique Oracle Cloud ID of your OCI tenancy. You can find this in the Tenancy Details page under Administration on the OCI console. For example - ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f44n2b2m2yt2j6rx32uzr4h25vqstifsfdsq
  4. User OCID - Oracle-assigned unique ID for the user. Get the user's OCID in the Console on the page showing the user's details. To get to that page:
    • If you are signed in as the user: Open the Profile menu (User menu icon) and click User Settings.
    • If you are an administrator doing this for another user: Open the navigation menu. Under Governance and Administration, go to Identity and click Users. Select the user from the list. For more information on OCIDs, refer to Resource Identifiers.
  5. Private Key File - A private key is paired with a public key to authenticate servers through text encryption and decryption. Use OpenSSL commands to generate the key pair in the required PEM format. If you are using Windows, you need to install Git Bash for Windows and run the commands with that tool. For more information, refer to Required Keys and OCIDs. Click the Private Key File text box to upload the generated private key file.
  6. Passphrase - A passphrase is a word or phrase that helps to protect private key files. It prevents unauthorized users from unlocking them. If the private key is encrypted, enter the passphrase here.
After entering the required details, click OK.

2.1.2.4.1.2 Creating AWS Stored Credentials

When you select AWS from the Credentials Type list box, the following options appear:
  1. Credentials Name - A name for the set of AWS stored credentials. This name is used to select the credentials when configuring tasks to use them in Director.
  2. Description - A short description of the set of AWS stored credentials.
  3. Access Key - Enter the Access key ID associated with the AWS account. For more information on managing Access keys, refer to Managing Access Keys for IAM Users.
  4. Access Secret - Enter the Access secret associated with the Access key.
  5. Region - The AWS region. Most AWS service URLs include the region and service name. For example, in https://bucket.s3.us-east-2.amazonaws.com/test.html the region is us-east-2 and the service is S3. If the URL you are using contains the region and service, you can leave the Region and Service fields empty. Some services (for example, API Gateway) allow a custom domain name in the URL; for such URLs the region and service cannot be obtained from the URL and must be entered here.
  6. Service - Specify the name of the required AWS service (for example, S3, the Simple Storage Service), or leave this field blank if the service name can be retrieved from the URL.

After entering the required details, click OK.
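As an added example (not code from the EDQ documentation), the following Python derives the Region and Service values from an AWS endpoint URL in the way described above and reports which fields must still be entered by hand for a custom domain. The region-name pattern and the URL forms beyond the S3 one shown on this page are assumptions.

```python
import re
from urllib.parse import urlparse

# AWS region names look like us-east-2, eu-west-1, ap-southeast-3 or
# us-gov-west-1 (assumed pattern; not taken from the EDQ documentation).
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+$")


def aws_region_service(url):
    """Return (region, service) derived from an AWS endpoint URL.

    Returns (None, None) for a custom domain name (for example an API
    Gateway custom domain), where neither value is present in the host.
    Global endpoints such as sts.amazonaws.com yield a service but no region.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    # Only *.amazonaws.com hosts carry the service and region in the name.
    if len(labels) < 3 or labels[-2:] != ["amazonaws", "com"]:
        return None, None
    if len(labels) >= 4 and _REGION_RE.match(labels[-3]):
        # bucket.s3.us-east-2.amazonaws.com -> ("us-east-2", "s3")
        return labels[-3], labels[-4]
    # No regional label: global or legacy endpoint,
    # e.g. bucket.s3.amazonaws.com -> (None, "s3")
    return None, labels[-3]


def credentials_fields(url, region="", service=""):
    """Resolve the Region and Service fields for a stored credential.

    Values typed into the fields take precedence; otherwise the URL is
    consulted. The returned "missing" list names the fields that must
    still be entered because the URL does not supply them.
    """
    url_region, url_service = aws_region_service(url)
    resolved = {"region": region or url_region, "service": service or url_service}
    missing = [name for name, value in resolved.items() if not value]
    resolved["missing"] = missing
    return resolved
```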

2.1.2.4.1.3 Creating Azure Storage Credentials

When you select Azure Storage from the Credentials Type list box, the following options appear:
  1. Credentials Name - A name for the set of Azure stored credentials. This name is used to select the credentials when configuring tasks to use them in Director.
  2. Description - A short description of the set of Azure stored credentials.
  3. Account Name - Enter the name of the Azure storage account.
  4. Access Key - Enter the access key for the Azure storage account.
  5. API Version - The version of the Azure API that EDQ uses to connect to Azure storage. The default value is 2018-03-28.
After entering the required details, click OK.

2.1.2.4.1.4 Creating OAuth2 Client Credentials

OAuth2 stored credentials support the client credentials grant mechanism, used primarily with calls to REST APIs. When you select OAuth2 Client Credentials from the Credentials Type list box, the following options appear:

  1. Credentials Name - A name for the set of OAuth2 Client stored credentials. This name is used to select the credentials when configuring tasks to use them in Director.
  2. Description - A short description of the set of OAuth2 Client stored credentials.
  3. Client ID & Client Secret - When a client application is registered with an OAuth2-protected application, a client ID and client secret are generated. Enter both here.
  4. Scope - Enter the scope string required to access the target resource. The scope is dependent on the API and can be obtained from the specific service documentation.
  5. Token Request URI - Enter the URI of the token request service for the target resource. The URI can be obtained from the specific service documentation.
  6. Supply Client ID in - Client information can be sent in two ways: as part of the Request Parameters or in the Authentication Header. Select one of these two options.

After entering the required details, click OK.
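As an added illustration, not code from EDQ, the following Python assembles the client credentials token request in both forms the Supply Client ID in option offers (Authorization header versus request parameters) and validates the token endpoint's reply. The token URI, client ID, secret and scope used in the comments are constructed sample values.

```python
import base64
import json
from urllib.parse import quote, urlencode


def build_token_request(token_uri, client_id, client_secret, scope, client_in="header"):
    """Assemble an OAuth2 client credentials grant (RFC 6749 section 4.4).

    client_in="header": the client ID and secret travel as HTTP Basic
    credentials in the Authorization header (RFC 6749 section 2.3.1).
    client_in="params": they are sent as client_id / client_secret form
    fields in the body alongside grant_type and scope.
    Returns (url, headers, body); the request is built, not sent.
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if client_in == "header":
        # RFC 6749 form-encodes each half before Basic-encoding "id:secret".
        pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif client_in == "params":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("client_in must be 'header' or 'params'")
    return token_uri, headers, urlencode(form).encode("ascii")


def parse_token_response(status, body):
    """Validate a token endpoint reply and return (access_token, expires_in).

    Returns (None, 0) on an error reply or a non-bearer token so the caller
    logs the failure instead of treating the body as a usable token.
    """
    data = json.loads(body)
    if status != 200 or "error" in data:
        return None, 0
    # Only bearer tokens can be presented as "Authorization: Bearer ...".
    if data.get("token_type", "").lower() != "bearer":
        return None, 0
    return data["access_token"], int(data.get("expires_in", 0))
```

With the header form the secret never appears in the request body, so proxies or gateways that log form data do not capture it.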

2.1.2.4.1.5 Creating Google Cloud Platform Stored Credentials

When you select Google Cloud Platform from the Credentials Type list box, the following options appear:

  1. Credentials Name - A name for the set of Google Cloud Platform stored credentials. This name is used to select the credentials when configuring tasks to use them in Director.
  2. Description - A short description of the set of Google Cloud Platform stored credentials.
  3. Authentication Method - Select the authentication method for the set of Google Cloud Platform stored credentials. It can be one of the following:
    • OAuth2 - This authentication method is used to call Google Cloud REST APIs. A scope is required to identify the permissions required for the call.
    • OpenID Connect - This authentication method is used to call resources secured by an Identity-Aware Proxy (IAP) and to invoke Functions. A target audience claim is required to identify the target.
  4. Scope - Scope is a mechanism in OAuth 2.0 to limit an application's access to resources. Specify the required scope here. For example, the scope https://www.googleapis.com/auth/cloud-platform grants access to all resources.

     Note: This field is applicable only for the OAuth2 authentication method.
  5. Target Audience - The App ID of the target app that the user is signing into. Specify your target audience here.

     Note: This field is applicable only for the OpenID Connect authentication method.
  6. Service Account Key File - A service account is a special type of Google account intended to represent a non-human user that needs to access data in GCP APIs. For more information, refer to Service accounts. A service account has an associated JSON key file. Drag and drop the key file onto the entry box, or browse to its location.

After entering the required details, click OK.

2.1.2.4.2 Editing Stored Credentials

To edit the details of an existing set of stored credentials, select the set of stored credentials that you wish to edit and click the Edit Stored Credentials icon above the Stored Credentials table.

The Edit Stored Credentials screen appears, allowing you to edit the details of the existing set of stored credentials.

After editing the required credential details, click OK.

2.1.2.4.3 Deleting Stored Credentials

To delete a set of stored credentials, select the set of stored credentials that you wish to delete and click the Delete Stored Credentials icon above the Stored Credentials table.

The Delete Stored Credential confirmation dialog appears, seeking your confirmation. Click OK.

The selected set of stored credentials is deleted.