Manage Passwords


Overview

Many components in Matillion ETL require passwords to provide access to various services on behalf of the user. Users can input a password directly into a component and it will be stored securely within that component. However, if the user utilises multiple components, managing all the required passwords individually can become laborious, especially if those passwords change or expire regularly.

The Password Manager provides an alternative to individually stored component passwords. It allows the user to store passwords, each paired with an identifying name. When a component requests a password, the identifying name can be entered instead and the component will draw the corresponding password from the manager. Thereafter, if a password should change, it need only be edited once in the Password Manager and not in individual components.

Important Information

  • Passwords can also be managed via the Matillion API—please refer to API v1 - Passwords for more details.
  • Passwords are stored at the Project Group level and can be shared with, and accessed from, all other projects within the same Group.

Adding Encoded Passwords

  1. Click Project → Manage Passwords to open the password manager pop-up window.

    Project menu

  2. Then, click + at the bottom left of the Manage Passwords pop-up window.

    Manage Passwords

  3. This will open the Create Password pop-up window. From here, provide details for the following fields:

    • Password Name: provide a descriptive name for the password to be stored
    • Password: provide the password to be stored
    • Encryption Type: select the password encryption type (in this example, Encoded will be used)
    • Description: provide a detailed description of the password and its use (this is optional), then click OK

    Please Note

    • "Encoded" passwords are encoded and stored in metadata. However, this data is not encrypted or hashed, merely obfuscated.
    • Other encryption options are available depending on the cloud platform in use. Please see below for these options.
    Create Password

  4. If created successfully, the new password will appear in the list of passwords in the Manage Passwords pop-up window.

    Please Note

    It is possible to edit a password's description after creating a password. However, it is never possible to edit or recover a plaintext password through the password manager once it has been entered.

    Password successfully created


AWS Key Management Services (KMS)

When using Amazon Web Services (AWS), selecting KMS as the encryption type will reveal the following field:

  • Master Key: select one of the predefined AWS KMS Master Keys to encrypt the password.

Please Note

  • AWS KMS Master Keys must be set up through the associated AWS account (please refer to AWS Key Management Service Documentation for more details).
  • Environment credentials dictate Key availability. KMS Keys must be enabled and based in the same region as the Matillion ETL instance. Additionally, Matillion ETL must have the following IAM permissions: kms:ListAliases, kms:Encrypt and kms:Decrypt.

Error

If KMS is used for a password but is unavailable for any reason at a component's runtime, the component will fail as though an incorrect password had been entered.
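
Because a KMS failure at runtime looks the same as a wrong password, it helps to check the prerequisites listed above before a job runs. The following Python is an added example, not Matillion code: it takes an IAM policy document and the KeyMetadata of a KMS DescribeKey response (both constructed here; the function names are hypothetical) and reports which prerequisite is unmet.

```python
import fnmatch

# Permissions the page lists for Matillion ETL when KMS is the encryption type.
REQUIRED_ACTIONS = ("kms:ListAliases", "kms:Encrypt", "kms:Decrypt")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy):
    """Required actions granted by Allow statements and not hit by a Deny.
    Simplification: Resource, Condition and NotAction are not evaluated."""
    granted, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        bucket = granted if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            for action in REQUIRED_ACTIONS:
                # IAM action names are case-insensitive and accept * wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    bucket.add(action)
    return granted - denied

def preflight(policy, key_metadata, instance_region):
    """Return findings; an empty list means the page's prerequisites hold."""
    findings = []
    granted = allowed_actions(policy)
    missing = [a for a in REQUIRED_ACTIONS if a not in granted]
    if missing:
        findings.append("missing IAM permissions: " + ", ".join(missing))
    state = key_metadata.get("KeyState")
    if state != "Enabled":
        findings.append(f"key state is {state}, not Enabled")
    # ARN layout: arn:partition:kms:region:account-id:key/key-id
    key_region = key_metadata["Arn"].split(":")[3]
    if key_region != instance_region:
        findings.append(f"key region {key_region} != instance region {instance_region}")
    return findings

# Constructed sample inputs (not from a real account).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:ListAliases", "kms:Encrypt"], "Resource": "*"},
]}
SAMPLE_KEY = {
    "Arn": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    "KeyState": "Disabled",
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_POLICY, SAMPLE_KEY, "us-east-1"):
        print("FAIL:", finding)
```

An empty result only confirms the three prerequisites named on this page; key policies and policy conditions can still deny access and are outside what this check evaluates.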

Creating a password using AWS KMS


GCP Key Management Services (KMS)

When using Google Cloud Platform (GCP), selecting KMS as the encryption type will reveal the following fields:

  • Project: select a Project associated with the GCP account
  • Location: select a Location within the above Project
  • Key Ring: select a Key ring within the above Location
  • Key: select a Key within the above Key Ring in which to store the password

Please Note

  • GCP KMS Keys must be set up through the associated GCP account (please refer to Creating symmetric keys for more details).
  • Environment credentials dictate from which GCP account the project (and thus Key and Key Ring) will be sourced. Additionally, Matillion ETL must have the following predefined roles: cloudkms.admin or cloudkms.viewer, and cloudkms.cryptoKeyEncrypterDecrypter.

Error

If KMS is used for a password but is unavailable for any reason at a component's runtime, the component will fail as though an incorrect password had been entered.

Creating a password using GCP KMS


Azure Key Vault Store

When using Azure Synapse, selecting Key Vault Store as the encryption type will reveal the following fields:

  • Encryption Algorithm: select the algorithm to be used to encrypt the password (this choice will not affect the other fields)
  • Resource Group: select the Resource Group to which the Key Vault below belongs
  • Key Vault: select the Key Vault in which the below Key is stored
  • Key: select the name of the Key to be used to encrypt the password

Please Note

  • Resource Groups, Azure Key Vaults and Keys must be predefined through the Azure Portal (please refer to Azure Key Vault documentation for more details).
  • The Matillion ETL instance must have at least Reader access to the Resource Group containing the selected Key Vault.
  • Additionally, Key Vaults require separate access permissions requiring the Matillion ETL instance to also have Encrypt and Decrypt access to the Key Vault Key. Access to a Key Vault must be configured separately as permissions are not inherited—this can be done via Access policies.
Creating a password using Azure Key Vault Store
