Secrets Management
Onehouse Secrets Management enables users to securely store, update and delete credentials required for Flow operations. Onehouse supports the following options:
- Onehouse Managed Secrets (OMS) - Credentials are securely stored by Onehouse (default)
- Bring Your Own Secrets (BYOS) - Credentials are stored in your cloud provider's secret manager
Key points:
- By default, Onehouse Managed Secrets (OMS) is enabled, and users will not be able to use BYOS.
- If BYOS is configured for your Onehouse project via Terraform or CloudFormation scripts, users will be able to use either OMS or BYOS.
- After Source addition, credentials such as username/password, API keys etc. are shown as masked values in Source details and when editing the Source.
Onehouse Managed Secrets (OMS)
Credentials are securely stored by Onehouse. Users input relevant credential information like username/password, API keys etc. in the Onehouse UI for adding a source or a catalog.
An Onehouse project uses Onehouse Managed Secrets by default; this is determined by the credentialsManagementType=OMS config in the Terraform and CloudFormation scripts.
Refer to the account linking docs (AWS, GCP) for details on Terraform and CloudFormation configurations.
Credential Lifecycle Management
Currently, users are expected to pause the Flows before making changes to the secret used in the Source configured for the Flow. The Flows should be resumed by the user after the change is done.
To update credentials (for example a username/password change or a key rotation), use the "Edit" button.

Clicking the Edit button enables the Credential Type and the relevant credential fields for editing.

Deleting a Source also deletes all credentials used in that Source.
Usage
Use the "Credentials" option under the "Credential Type" in the "Add" or "Edit" Source.
Bring Your Own Secrets (BYOS)
Onehouse users can also store credentials as Secrets in the Secret Manager of the linked cloud account, i.e., AWS Secrets Manager or Google Cloud Secret Manager.
Use the AWS Secrets Manager console or the Google Cloud Secret Manager console to create a new secret. Then enter the Secret Resource Name in the Onehouse UI when creating an Onehouse Source.
Secrets must have the tag accessibleTo set to onehouse for Onehouse to access them. Secrets without this tag will not be accessible.
To use BYOS, configure credentialsManagementType=BYOS in the Terraform or CloudFormation scripts. Refer to the account linking docs (AWS, GCP) for configuration details.
During onboarding, the Terraform or CloudFormation scripts additionally grant the Onehouse node role (gke_node_role on GCP, eks_node_role on AWS) read permission on secrets stored in the Secret Manager of the linked cloud account.
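Because the node role is granted read access across the account's Secret Manager and the accessibleTo tag is what scopes that access to individual secrets, it is worth auditing which secrets carry the tag. The following Python is an added example, not Onehouse's own code: it classifies entries in the dict shape returned by boto3's list_secrets and builds a correctly tagged create_secret request; the sample secret list is constructed, and the exact, case-sensitive tag match is an assumption based on how the tag is documented.

```python
"""Audit AWS Secrets Manager tags for Onehouse BYOS access (added example).

Onehouse reads only secrets tagged accessibleTo=onehouse. These helpers work on
the plain dict shape returned by boto3's list_secrets()['SecretList'] so they
run offline; SAMPLE_SECRET_LIST below is constructed, not real account data.
"""
import json

REQUIRED_TAG_KEY = "accessibleTo"
REQUIRED_TAG_VALUE = "onehouse"


def is_onehouse_accessible(tags):
    """True if the AWS tag list ([{'Key':..,'Value':..}]) carries the required tag.
    AWS tag keys/values are case-sensitive, so an exact match is assumed here."""
    return any(
        t.get("Key") == REQUIRED_TAG_KEY and t.get("Value") == REQUIRED_TAG_VALUE
        for t in tags or []
    )


def classify_secrets(secret_list):
    """Split a SecretList into (names Onehouse can read, names it cannot)."""
    accessible, inaccessible = [], []
    for secret in secret_list:
        target = accessible if is_onehouse_accessible(secret.get("Tags")) else inaccessible
        target.append(secret["Name"])
    return accessible, inaccessible


def tagged_create_request(name, secret_dict, extra_tags=None):
    """Build create_secret(**kwargs) arguments that always include the required tag.
    secret_dict is a placeholder payload; the JSON layout is integration-specific."""
    tags = [{"Key": REQUIRED_TAG_KEY, "Value": REQUIRED_TAG_VALUE}] + list(extra_tags or [])
    return {"Name": name, "SecretString": json.dumps(secret_dict), "Tags": tags}


# Constructed sample shaped like list_secrets()['SecretList'] (no real secrets).
SAMPLE_SECRET_LIST = [
    {"Name": "prod/kafka/onehouse", "Tags": [{"Key": "accessibleTo", "Value": "onehouse"}]},
    {"Name": "prod/postgres/cdc", "Tags": [{"Key": "AccessibleTo", "Value": "onehouse"}]},
    {"Name": "prod/payments/db", "Tags": [{"Key": "owner", "Value": "payments"}]},
    {"Name": "prod/legacy/no-tags"},
]

if __name__ == "__main__":
    readable, not_readable = classify_secrets(SAMPLE_SECRET_LIST)
    print("Onehouse can read:", readable)
    print("Onehouse cannot read:", not_readable)
    # Against a real account, feed the pages of
    # boto3.client("secretsmanager").get_paginator("list_secrets").paginate() into classify_secrets.
```

The second sample entry uses a differently cased tag key to show why the audit is worth running before assuming a Source will work.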
Credential Lifecycle Management (BYOS)
Currently, users are expected to pause the Flows before making changes to the Secret used in the Source configured for the Flow, and to resume the Flows after the change is done. However, in the case of Secret rotation, Onehouse automatically picks up the new Secret in the connector, so no pause/resume is required.
Editing the secret (BYOS)
You can modify or rotate the BYOS secrets by following the steps below:
- First pause the Flows that will be affected by the Secret change.
- Navigate to the Onehouse Source where the Secret was configured, click "Edit" and update the "Secret Resource Name".
- Click "Save" to update the Source with the new Secret.
- Resume any Flows that were previously paused.
Secret Deletion
You can delete the BYOS Secrets by following these steps:
- Before deleting a Secret, ensure that every Source using it has been updated with a new Secret or deleted; otherwise the corresponding Flows will be impacted.
- To remove the Secret, delete the Secret using the Secret Manager console of the linked cloud account.
Usage
Use the "Secret Manager" option under "Credential Type" in the "Add" or "Edit" Source.
BYOS Secret Formats
Each integration type requires credentials to be stored in a specific JSON format. See the documentation for your integration:
Data Sources
| Source | Documentation |
|---|---|
| Apache Kafka | Secrets Management (BYOS) |
| Confluent Kafka | Secrets Management (BYOS) |
| AWS MSK Kafka | Secrets Management (BYOS) |
| Postgres CDC | Secrets Management (BYOS) |
| MySQL CDC | Secrets Management (BYOS) |
| Confluent CDC | Secrets Management (BYOS) |
Schema Registry
| Type | Documentation |
|---|---|
| Confluent Schema Registry | Secrets Management (BYOS) |
Catalogs
| Catalog | Documentation |
|---|---|
| DataHub | Secrets Management (BYOS) |
Using Secrets in Jobs
Onehouse Jobs can access secrets stored in your cloud provider's secret manager. This is useful when your jobs need to authenticate with external APIs, databases, or third-party services.
Jobs currently only support Bring Your Own Secrets (BYOS). Onehouse Managed Secrets (OMS) are not yet supported for jobs.
See the Accessing AWS Secrets Manager guide for a complete Python example.