Secret requirements

This guide explains:

  • which fields are read from a secret provider and mapped to connection configuration.
  • how to reference a secret by name when creating a datasource.

A secret must contain connection parameters with names and values that match the selected database driver. These values are applied to connection settings at runtime.

Tip

For a step-by-step example, see Set up a secret provider.

Supported fields

Connection parameters are read from key-value pairs in a secret and applied to connection settings. The secret must store data in key-value format.

Important

  • Key names must match driver connection parameter names. For information on driver-specific fields, see your database driver documentation.
  • Values from the secret override values entered in the connection configuration.

Type                  | Description
Connection parameters | Standard connection settings such as host, port, database, or URL.
Credentials           | Authentication settings such as username and password.
Driver properties     | Additional parameters supported by the selected database driver.

Field mapping example

Secret:

{
  "host": "db.example.com",
  "port": 5432,
  "user": "admin",
  "password": "password"
}

Connection settings:

  • Host -> db.example.com
  • Port -> 5432
  • Username -> admin
  • Password -> password
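
The following is an added example, not the product's own code: a pre-flight check that validates a secret's keys against a driver's parameter names and reports which configured values the secret would override, with credential values masked. The parameter list, the function name `apply_secret`, and the sample configuration are assumptions for illustration; take the real parameter names from your database driver documentation.

```python
import json

# Assumed parameter names for an illustrative driver; take the real list
# from your database driver documentation.
DRIVER_PARAMS = {"host", "port", "database", "url", "user", "password"}
SENSITIVE = {"password"}  # values never written to the report

def apply_secret(config: dict, secret_json: str, allowed=DRIVER_PARAMS):
    """Return (effective_settings, report) after applying a secret over config.

    Raises ValueError if the secret is not a flat key-value object or
    contains keys that do not match the driver's parameter names.
    """
    secret = json.loads(secret_json)
    if not isinstance(secret, dict):
        raise ValueError("secret must be a JSON object of key-value pairs")
    nested = [k for k, v in secret.items() if isinstance(v, (dict, list))]
    if nested:
        raise ValueError(f"nested values are not key-value data: {sorted(nested)}")
    unknown = sorted(set(secret) - set(allowed))
    if unknown:
        raise ValueError(f"keys do not match driver parameters: {unknown}")

    effective = {**config, **secret}  # values from the secret win
    report = []
    for key in sorted(secret):
        shown = "***" if key in SENSITIVE else repr(secret[key])
        if key in config and config[key] != secret[key]:
            old = "***" if key in SENSITIVE else repr(config[key])
            report.append(f"{key}: {old} overridden by {shown}")
        else:
            report.append(f"{key}: set to {shown}")
    return effective, report

# Constructed sample input: the secret from the field mapping example and
# a hand-entered configuration that disagrees with it on the host.
SAMPLE_SECRET = ('{"host": "db.example.com", "port": 5432, '
                 '"user": "admin", "password": "password"}')
SAMPLE_CONFIG = {"host": "localhost", "port": 5432, "database": "demo"}

if __name__ == "__main__":
    settings, lines = apply_secret(SAMPLE_CONFIG, SAMPLE_SECRET)
    print("\n".join(lines))
```

Because the secret takes precedence, write access to the secret also controls where the datasource connects, so the override report is worth reviewing whenever a secret changes.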

Secret name format

When creating a datasource, pass --secret-manager <id> and --secret-name <name> to datasource create or datasource update.

The name must match the identifier used in your provider.

  • For HashiCorp Vault, use the full secret path (for example, secret/demo-db).
  • For AWS Secrets Manager, use the secret name (for example, my-secret).
  • For CyberArk Conjur, use the full variable path (for example, app/dev/db/password).