Manage Passwords


Overview

For information on managing passwords via the API, see v1 API - Passwords.

Many of the components in Matillion ETL require passwords to provide access to various services on behalf of the user. Users can input a password directly into a component and it will be stored securely within that component.

However, if the user is utilising many components, manually entering passwords can be laborious. Furthermore, if those passwords change, the user will need to manually edit each component to update the password.

Instead, the Password Manager can store passwords, each paired with an identifying name. When a component requests a password, the name of a stored password can be entered and the component will draw that password from the manager. Thus, if that password should change, the user need only edit the value in the Password Manager and not the individual components.

Note: Passwords are stored at the Project Group level and thus will be shared with, and accessible from, all other projects within that same group.

The Password Manager can be accessed through Project → Manage Passwords.



Adding Passwords

Clicking the + button will add a new password to the list, opening a new dialog box.

The fields required for a new password depend on the cloud platform being used, due to differences in key management. All platforms have the following fields:

  • Name: Choose an arbitrary name for your password.
  • Password: Create an arbitrary password.
  • Description: An optional, arbitrary description of this password.
  • Encryption Type: Choose between Encoded and the key management service your cloud platform offers.
    • Encoded password entries are encoded and stored in metadata. Please note that this data is NOT encrypted or hashed - merely obfuscated.
    • Encrypted Password options depend on the key management system your cloud platform uses. These are detailed below.
    • If KMS is used for a password but is unavailable for any reason at a component's runtime, the component will fail as though an incorrect password had been entered.

Clicking OK will save the password to the Password Manager, and it will appear on the list with other saved passwords. You can edit these password descriptions by clicking the pencil icon. You can edit the passwords themselves by clicking the padlock icon.

Note: It is NEVER possible to recover a plaintext password through Matillion ETL's password manager once it has been entered.


AWS KMS

It is possible to store passwords using AWS's Key Management Service (KMS). Selecting this option will reveal additional properties:

  • Master Key: Select the AWS KMS Master Key that will be used to encrypt the password. These must be set up on your AWS account, not through Matillion ETL.

For any additional help creating Keys, we suggest reading AWS's KMS documentation.

Note: the Environment Credentials (Managing Credentials) dictate key availability. KMS Keys must be enabled and in the same Region as your Matillion ETL instance. Matillion ETL requires the following IAM permissions:

  • kms:ListAliases
  • kms:Encrypt
  • kms:Decrypt
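
An added example (not Matillion's code): an offline check that an IAM policy document grants the three KMS actions listed above, and that flags kms:Encrypt or kms:Decrypt allowed on every key rather than on a specific Master Key. The function names, the sample policy, and its account ID, region and key ID are constructed for illustration; Condition blocks and NotAction statements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The three KMS actions this page lists for AWS KMS-backed passwords.
REQUIRED = ("kms:ListAliases", "kms:Encrypt", "kms:Decrypt")
# kms:ListAliases cannot be scoped to one key in IAM, so "*" is expected there;
# Encrypt and Decrypt can and should be limited to the chosen key's ARN.
KEY_SCOPED = ("kms:Encrypt", "kms:Decrypt")

def _as_list(value):
    # IAM allows a single string/object wherever a list is accepted.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def audit_policy(policy):
    """Return (missing, unscoped) for an identity-based IAM policy document."""
    allowed = {a: [] for a in REQUIRED}   # action -> resources it is allowed on
    denied = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue                      # NotAction is not evaluated here
        for action in REQUIRED:
            if any(_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt.get("Effect") == "Deny":
                    denied.add(action)    # an explicit Deny overrides any Allow
                else:
                    allowed[action] += _as_list(stmt.get("Resource", []))
    missing = [a for a in REQUIRED if a in denied or not allowed[a]]
    unscoped = [a for a in KEY_SCOPED if a not in missing and "*" in allowed[a]]
    return missing, unscoped

# Constructed sample policy; account ID, region and key ID are placeholders.
SAMPLE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
     "Resource": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}
  ]
}
""")

if __name__ == "__main__":
    print(audit_policy(SAMPLE))
```

An empty `missing` list means all three actions are granted; a non-empty `unscoped` list means the policy lets the instance encrypt or decrypt with any key in the account, which is broader than the Password Manager needs.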

GCP KMS

It is possible to store passwords using Google's Key Management Service. Selecting this option will reveal additional properties:

  • Project: Select your GCP Project. This variable correlates with your GCP account.
  • Location: Select a Location. This variable correlates with your GCP account.
  • Key Ring: Choose your Key Ring. This variable correlates with your GCP account.
  • Key: Choose your Key to keep your password in. This variable correlates with your GCP account.

For any additional help creating Key Rings and Keys, we suggest reading Google Cloud's KMS documentation.

Note: the Environment Credentials (Managing Credentials) dictate which GCP account is the source of your Project (and thus Key Rings and Keys), and require the relevant predefined roles:

  • cloudkms.admin (or viewer)
  • cloudkms.cryptoKeyEncrypterDecrypter

Azure KeyVault

It is possible to store passwords using Azure Key Vault. Selecting the "Key Vault Store" option will reveal additional properties:

  • Encryption Algorithm: The algorithm to use to encrypt your password. This choice does not affect the available Resource Groups, Key Vaults or Keys.
  • Resource Group: The resource group that your Key Vault belongs to.
  • Key Vault: The Key Vault containing your desired key.
  • Key: The name of the key used to encrypt this password.

For any additional help creating Keys, we suggest reading the Azure Key Vault documentation.

Note: the Environment Credentials (Managing Credentials) dictate key availability. Your instance must have access to the Key Vault and Keys; see Azure Roles & Permissions for more information.