Integrate with Secret Managers

Overview

Starting with the 2025.7.0 release, Incorta can integrate with external secret managers, specifically Azure Key Vault or Google Secret Manager, to enhance security and credential management across the platform.

Key Benefits

  • Enhanced security: Eliminate storing sensitive credentials (authentication keys, passwords, tokens) in the Incorta metadata database or materialized view (MV) code
  • Centralized management: Manage secrets in a single location and share them securely across data integration tools and pipelines
  • Policy enforcement: Apply security policies such as mandatory credential rotation, expiration, and audit logging through your secret manager

Integration prerequisites and setup

Azure Key Vault

Follow these high-level steps to prepare Azure Key Vault for integration:

  1. Create or access a key vault in your Azure subscription.
    • Record the Vault URI (Service URL) and Directory ID (Tenant ID) from the key vault’s Overview page.
  2. Register an application (service principal) in Microsoft Entra ID.
    • Record the Application ID (Client ID).
  3. Grant access to the application by assigning it the Key Vault Secrets User role.
  4. Generate a client secret for the application.

    Important

    Copy the Client Secret value immediately after creation, as it will not be displayed again.

  5. Create secrets in your key vault for your credentials. Use clear, meaningful names, as you will reference these names in Incorta data sources or MVs.

Google Secret Manager

Follow these high-level steps to prepare Google Secret Manager for integration:

  1. Create or access a Google Cloud project, and note the Project ID.
  2. Enable the Secret Manager API in your Google Cloud project.
  3. Create or use a service account in your project, or contact Incorta Support for your cluster’s service account.
  4. Grant the selected service account access by assigning the Secret Manager Secret Accessor role to it.
  5. If using your own service account, create a JSON key for it.
  6. Create secrets in the Secret Manager for your credentials. Use clear, meaningful names, as you will reference these names in Incorta data sources or MVs.

Configure your Incorta Cluster

After preparing your secret manager, complete the integration via the CMC:

  1. Sign in to the CMC as the cloud or CMC administrator.
  2. Select Clusters, then select your cluster.
  3. Navigate to Cluster Configurations > Server Configurations > Secret Manager.
  4. In Secret Manager, select your provider: Azure Key Vault or Google Secret Manager.
  5. Enter the required configuration details for your provider, and then save your changes.

Azure Key Vault configurations

| Configuration | Description |
| --- | --- |
| Service URL | Enter the Vault URI displayed on your key vault Overview page. |
| Client ID | Enter the Application ID of your registered application (service principal). |
| Client Secret | Enter the value of the secret displayed when generating a secret for your registered application. |
| Tenant ID | Enter the Directory ID displayed on your key vault Overview page. |

Google Secret Manager configurations

| Configuration | Description |
| --- | --- |
| Authenticate using a custom service account | Enable this option to use your own service account or disable it to use Incorta's service account. |
| Project ID | Enter the Project ID of your Google Cloud project. |
| Service Account Credentials | Paste the content of the JSON key file generated for your service account. Note: This configuration is required only if you are using your own service account. |

How to reference secrets saved on your secret manager

In data sources and destinations

When a secret manager is configured, a Use Secret Manager checkbox appears next to sensitive credential fields (passwords, tokens, keys) in data source and data destination configuration screens.

To use a secret:

  1. Select the Use Secret Manager checkbox. The field label changes to include "Identifier", and the field value is cleared.
  2. Enter the secret name (not the secret value) exactly as defined in your secret manager.

During table discovery and extraction, Incorta automatically retrieves the secret value from the configured secret manager.

In materialized views

Retrieve credentials from the secret manager within MVs using the following functions:

| MV Language | Function |
| --- | --- |
| Spark Python | get_secret(secret_key: String). Example: API_KEY = get_secret("WeatherAPI") |
| Spark R | getSecret(secretKey: String) |
| Spark Scala | getSecret(secretKey: String) |
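To find Spark Python MV code that still embeds credentials and should call get_secret() instead, the following added example (not Incorta code) walks the MV source with Python's ast module and reports sensitive names bound to string literals. The name pattern, the function names, and the sample MV are assumptions constructed for illustration.

```python
import ast
import re

# Names that usually hold credentials (a heuristic assumed for this example).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token|api_?key|credential", re.I)


def _is_literal(node):
    """True for a non-empty string literal, i.e. a value embedded in the code."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def find_hardcoded_credentials(mv_source):
    """Return sorted (line, name) pairs for sensitive names set to a string literal."""
    findings = []
    for node in ast.walk(ast.parse(mv_source)):
        # Plain assignment: DB_PASSWORD = "literal"
        if isinstance(node, ast.Assign) and _is_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SENSITIVE.search(target.id):
                    findings.append((node.lineno, target.id))
        elif isinstance(node, ast.Call):
            # Keyword argument: connect(password="literal")
            for kw in node.keywords:
                if kw.arg and SENSITIVE.search(kw.arg) and _is_literal(kw.value):
                    findings.append((kw.value.lineno, kw.arg))
            # Spark reader/writer style: .option("password", "literal")
            args = node.args
            if (isinstance(node.func, ast.Attribute) and node.func.attr == "option"
                    and len(args) == 2 and _is_literal(args[0]) and _is_literal(args[1])
                    and SENSITIVE.search(args[0].value)):
                findings.append((args[1].lineno, args[0].value))
    return sorted(findings)


# Constructed MV code for illustration; every name and value here is made up.
SAMPLE_MV = '''
API_KEY = get_secret("WeatherAPI")
DB_PASSWORD = "Sup3rS3cret!"
df = (spark.read.format("jdbc")
      .option("user", "etl")
      .option("password", "Sup3rS3cret!")
      .load())
token = get_secret("PartnerToken")
'''

if __name__ == "__main__":
    for line, name in find_hardcoded_credentials(SAMPLE_MV):
        print(f"line {line}: '{name}' is a literal; move it to the secret manager and use get_secret()")
```

Values returned by get_secret() are not flagged because they are calls, not literals; a literal that has already been committed should be rotated in the secret manager, not only removed from the MV.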