OpenMetadata/openmetadata-docs/content/connectors/credentials/index.md

---
title: Managing Credentials
slug: /connectors/credentials
---

# Manging Credentials in the CLI

When running Workflow with the CLI or your favourite scheduler, it's safer to not have the services' credentials
at plain sight. For the CLI, the ingestion package can load sensitive information from environment variables.

For example, if you are using the [Glue](/connectors/database/glue) connector you could specify the
AWS configurations as follows in the case of a JSON config file

```json
[...]
"awsConfig": {
    "awsAccessKeyId": "${AWS_ACCESS_KEY_ID}",
    "awsSecretAccessKey": "${AWS_SECRET_ACCESS_KEY}",
    "awsRegion": "${AWS_REGION}",
    "awsSessionToken": "${AWS_SESSION_TOKEN}"
},
[...]
```

Or

```yaml
[...]
awsConfig:
  awsAccessKeyId: '${AWS_ACCESS_KEY_ID}'
  awsSecretAccessKey: '${AWS_SECRET_ACCESS_KEY}'
  awsRegion: '${AWS_REGION}'
  awsSessionToken: '${AWS_SESSION_TOKEN}'
[...]
```

for a YAML configuration.

## AWS Credentials

The AWS Credentials are based on the following [JSON Schema](https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-spec/src/main/resources/json/schema/security/credentials/awsCredentials.json).
Note that the only required field is the `awsRegion`. This configuration is rather flexible to allow installations under AWS
that directly use instance roles for permissions to authenticate to whatever service we are pointing to without having to
write the credentials down.

### AWS Vault

If using [aws-vault](https://github.com/99designs/aws-vault), it gets a bit more involved to run the CLI ingestion as the credentials are not globally available in the terminal.
In that case, you could use the following command after setting up the ingestion configuration file:

```bash
aws-vault exec <role> -- $SHELL -c 'metadata ingest -c <path to connector>'
```

## GCS Credentials

The GCS Credentials are based on the following [JSON Schema](https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-spec/src/main/resources/json/schema/security/credentials/gcsCredentials.json).
These are the fields that you can export when preparing a Service Account.

Once the account is created, you can see the fields in the exported JSON file from:

```
IAM & Admin > Service Accounts > Keys
```

You can validate the whole Google service account setup [here](/deployment/security/google).
Docs - Credentials, links and Roadmap (#6870) * Managing credentials * GCS creds info * Links and roadmap update * Add lineage in the menu 2022-08-23 11:53:40 +02:00			`---`
			`title: Managing Credentials`
Fix Menu , Connectors should've its own section after deployment (#7950) * Fix Menu * Fix broken links * Fix config values * Fix config values 2022-10-05 21:54:02 -07:00			`slug: /connectors/credentials`
Docs - Credentials, links and Roadmap (#6870) * Managing credentials * GCS creds info * Links and roadmap update * Add lineage in the menu 2022-08-23 11:53:40 +02:00			`---`

			`# Manging Credentials in the CLI`

			`When running Workflow with the CLI or your favourite scheduler, it's safer to not have the services' credentials`
			`at plain sight. For the CLI, the ingestion package can load sensitive information from environment variables.`

Fix Menu , Connectors should've its own section after deployment (#7950) * Fix Menu * Fix broken links * Fix config values * Fix config values 2022-10-05 21:54:02 -07:00			`For example, if you are using the [Glue](/connectors/database/glue) connector you could specify the`
Docs - Credentials, links and Roadmap (#6870) * Managing credentials * GCS creds info * Links and roadmap update * Add lineage in the menu 2022-08-23 11:53:40 +02:00			`AWS configurations as follows in the case of a JSON config file`

			```json
			`[...]`
			`"awsConfig": {`
			`"awsAccessKeyId": "${AWS_ACCESS_KEY_ID}",`
			`"awsSecretAccessKey": "${AWS_SECRET_ACCESS_KEY}",`
			`"awsRegion": "${AWS_REGION}",`
			`"awsSessionToken": "${AWS_SESSION_TOKEN}"`
			`},`
			`[...]`
			```

			`Or`

			```yaml
			`[...]`
			`awsConfig:`
			`awsAccessKeyId: '${AWS_ACCESS_KEY_ID}'`
			`awsSecretAccessKey: '${AWS_SECRET_ACCESS_KEY}'`
			`awsRegion: '${AWS_REGION}'`
			`awsSessionToken: '${AWS_SESSION_TOKEN}'`
			`[...]`
			```

			`for a YAML configuration.`

Fix headings (#8423) 2022-10-28 16:49:22 +02:00			`## AWS Credentials`
Docs - Credentials, links and Roadmap (#6870) * Managing credentials * GCS creds info * Links and roadmap update * Add lineage in the menu 2022-08-23 11:53:40 +02:00
Fixes #7661 404 links in documentation (#7700) 2022-09-23 15:09:46 -07:00			`The AWS Credentials are based on the following [JSON Schema](https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-spec/src/main/resources/json/schema/security/credentials/awsCredentials.json).`
Docs - Credentials, links and Roadmap (#6870) * Managing credentials * GCS creds info * Links and roadmap update * Add lineage in the menu 2022-08-23 11:53:40 +02:00			Note that the only required field is the `awsRegion`. This configuration is rather flexible to allow installations under AWS
			`that directly use instance roles for permissions to authenticate to whatever service we are pointing to without having to`
			`write the credentials down.`

Fix headings (#8423) 2022-10-28 16:49:22 +02:00			`### AWS Vault`
Docs - Credentials, links and Roadmap (#6870) * Managing credentials * GCS creds info * Links and roadmap update * Add lineage in the menu 2022-08-23 11:53:40 +02:00
			`If using [aws-vault](https://github.com/99designs/aws-vault), it gets a bit more involved to run the CLI ingestion as the credentials are not globally available in the terminal.`
			`In that case, you could use the following command after setting up the ingestion configuration file:`

			```bash
			`aws-vault exec <role> -- $SHELL -c 'metadata ingest -c <path to connector>'`
			```

Fix headings (#8423) 2022-10-28 16:49:22 +02:00			`## GCS Credentials`
Docs - Credentials, links and Roadmap (#6870) * Managing credentials * GCS creds info * Links and roadmap update * Add lineage in the menu 2022-08-23 11:53:40 +02:00
Fixes #7661 404 links in documentation (#7700) 2022-09-23 15:09:46 -07:00			`The GCS Credentials are based on the following [JSON Schema](https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-spec/src/main/resources/json/schema/security/credentials/gcsCredentials.json).`
Docs - Credentials, links and Roadmap (#6870) * Managing credentials * GCS creds info * Links and roadmap update * Add lineage in the menu 2022-08-23 11:53:40 +02:00			`These are the fields that you can export when preparing a Service Account.`

			`Once the account is created, you can see the fields in the exported JSON file from:`

			```
			`IAM & Admin > Service Accounts > Keys`
			```

Fix Doc links (#7734) * Fix Broken links * Fix symlink Co-authored-by: Pere Miquel Brull <peremiquelbrull@gmail.com> 2022-09-28 14:05:51 -07:00			`You can validate the whole Google service account setup [here](/deployment/security/google).`