Secret providers
Note
This feature is available in Lite, Enterprise, Ultimate and Team editions only.
Overview
DBeaver supports cloud-based secret providers from AWS Secrets Manager and HashiCorp Vault.
Before configuring a secret provider in DBeaver, ensure that:
- AWS Secrets Manager or HashiCorp Vault is set up.
- You have the necessary access permissions.
Configuring secret provider
- Open Window -> Preferences -> Connections -> Secret providers.
- Click Add.
- Select a provider from the dropdown menu and click OK.
AWS secret provider settings
-
Fill in the required fields.
Field Description Name Identifier for the secret configuration in DBeaver. Cloud AWS configuration settings. For more details on configuring AWS Cloud in DBeaver, see AWS Cloud Explorer. Region AWS region where secrets are stored. -
Click OK and Apply and Close to save the configuration.
Vault secret provider settings
-
Fill in the required fields.
Field Description Provider Identifier for the secret configuration in DBeaver. Name Unique name for this secret configuration. Server URL of the Vault server used to retrieve secrets. Authentication Type Select an authentication type ( Token
,OAuth2
,Password
). -
Click OK and Apply and Close to save the configuration.
- Import certificate if required.
Authentication types
Password authentication
Use a username and password to authenticate with the Vault server.
Field | Description |
---|---|
Username | Username for authentication. |
Password | Password for authentication. |
Token authentication
Use an authentication token to access the Vault server.
Field | Description |
---|---|
Token | Authentication token required to access the Vault server. |
OAuth2 configuration
When you select OAuth2
, Vault authentication is configured using a JWT (JSON Web Token) obtained from the OAuth2
provider after user login.
Info
Make sure your OAuth2 provider is configured to issue JWTs, and Vault is set up to validate them. The JWT must include the required claims for Vault role mapping.
Field | Description |
---|---|
JWT provider ID | Path where the JWT authentication method is enabled in Vault, for example, auth/jwt/ . |
JWT role | Vault role name to match against a claim in the JWT token. |
Auth URL | OAuth2 Authorization endpoint (for example, https://example.com/oauth2/authorize ). |
Token URL | OAuth2 Token endpoint (for example, https://example.com/oauth2/token ). |
Callback port | Local port used to receive the OAuth2 authorization code. Default: 8000 . |
Callback URL | Full callback URL automatically generated using the port. Example: http://localhost:8000/callback . |
Client ID | OAuth2 client ID registered in your OAuth2 provider. |
Client secret | OAuth2 client secret registered in your OAuth2 provider. |
Info
For details on configuring JWT authentication in Vault, see Configuring JWT authentication.
Configuring JWT authentication
JWT authentication requires an external Single Sign-On (SSO) provider (e.g., Okta) because Vault does not generate JWTs internally. It works with any OpenID Connect (OIDC) provider that issues JWT tokens.
This configuration happens on the Vault side and includes setting up authentication methods, validation rules, and role mappings.
-
Enable the JWT authentication method in Vault.
- Enable JWT authentication.
- Configure JWT validation settings, such as issuer and audience.
-
Create a role in Vault.
- Vault does not assign roles automatically.
- Use the API to create a role.
- Define policies and specify claims for user identification.
a. Configure role assignment in the SSO provider.
- Ensure your SSO provider includes user roles in the JWT.
Info
Use the SSO providerās documentation to configure role claims.
b. Match the Vault Role Claim with a JWT claim.
- The Vault Role Claim field should match the custom claim in the JWT token.
- If it does not match, authentication will fail.
Info
See the Vault documentation for more details.
Creating a connection
- Start creating a connection
-
In the Create Connection wizard, go to the Main tab, choose secret provider configuration and enter the secret name in the Secret parameters field.
Info
The secret name must match the name stored in AWS Secrets Manager or HashiCorp Vault:
- For Vault, use the following format
secret/your_secret_name
. - For AWS, use
your_secret_name
.
- For Vault, use the following format
-
If the secret doesnāt include all required details (such as the
host
orport
), enter them manually in the connection settings. - Click the Test Connection button to verify your settings. If configured correctly, DBeaver will establish a connection using the Secret Provider.
- Click Finish to save the connection.