Secret requirements
This guide explains:
- which fields are read from a secret provider and mapped to connection configuration.
- how to reference a secret by name in the Connection wizard.
- how to troubleshoot common issues.
A secret must contain connection parameters with names and values that match the selected database driver. These values are applied to connection settings at runtime.
Tip
For a step-by-step example, see Set up a secret provider.
Supported fields
Team Edition reads connection parameters from key-value pairs in a secret and applies them to connection settings. The secret must use key-value format.
Important
- Key names must match driver connection parameter names. For information on driver-specific parameters, see your database driver documentation.
- Values from the secret override values entered in the connection configuration.
| Type | Description |
|---|---|
| Connection parameters | Standard connection settings such as host, port, database, or URL. |
| Credentials | Authentication settings such as username and password. |
| Driver properties | Additional parameters supported by the selected database driver. |
Field mapping example
Secret:
Connection settings:
- Host -> db.example.com
- Port -> 5432
- Username -> admin
- Password -> password
Secret name format
When creating a connection, select a secret provider and enter the secret name in the Secret parameters field.
The value must match the identifier used in your provider.
- For HashiCorp Vault, use the full secret path (for example, secret/demo-db).
- For AWS Secrets Manager, use the secret name (for example, my-secret).
- For CyberArk Conjur, use the full variable path (for example, db/postgres/demo-db).
Troubleshooting
Incorrect secret path
If the secret path does not match the location in your provider:
- Verify the path format for your provider.
- For Vault, use the full path (for example, secret/dvdrental).
Missing permissions
If the current authentication does not have access to the secret:
- Check token or role policies.
- Ensure the path is allowed (for Vault KV v2 - secret/data/...).
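The following is an added example, not part of the product or its documentation: it maps a secret name as entered for the connection to the KV v2 path that Vault policies are evaluated against, then checks whether a policy's path rules grant read on it. It assumes a KV v2 engine mounted at secret; the function names and sample policies are constructed for illustration.

```python
# Added example: does a Vault policy cover the KV v2 path behind a secret name?
# Simplified: reports whether any rule grants "read"; it does not model
# Vault's rule-priority ordering or "deny".

def kv2_policy_path(secret_path, mount="secret"):
    """Map the path entered for the connection (mount/name) to the KV v2
    API path that policies are evaluated against (mount/data/name)."""
    mount, path = mount.strip("/"), secret_path.strip("/")
    if not path.startswith(mount + "/"):
        raise ValueError(f"{secret_path!r} is not under mount {mount!r}")
    return f"{mount}/data/{path[len(mount) + 1:]}"

def rule_matches(rule, request):
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    glob = rule.endswith("*")
    rule_segs = (rule[:-1] if glob else rule).split("/")
    req_segs = request.split("/")
    if glob:
        if len(req_segs) < len(rule_segs):
            return False
        *head, last = rule_segs
        if not req_segs[len(head)].startswith(last):
            return False
    else:
        if len(req_segs) != len(rule_segs):
            return False
        head = rule_segs
    return all(r in ("+", q) for r, q in zip(head, req_segs))

def can_read(policy, secret_path, mount="secret"):
    """policy: {path rule: [capabilities]}, as in a policy's path blocks."""
    target = kv2_policy_path(secret_path, mount)
    return any("read" in caps and rule_matches(rule, target)
               for rule, caps in policy.items())

# Constructed sample policies for the secret name "secret/demo-db".
POLICIES = {
    "rule on the name as typed (missing data/)": {"secret/demo-db": ["read"]},
    "exact KV v2 path": {"secret/data/demo-db": ["read"]},
    "glob under data/": {"secret/data/*": ["read"]},
    "metadata only": {"secret/metadata/*": ["read", "list"]},
}

if __name__ == "__main__":
    print("policy must allow:", kv2_policy_path("secret/demo-db"))
    for label, policy in POLICIES.items():
        print(f"{label:45} read allowed: {can_read(policy, 'secret/demo-db')}")
```

A rule written against the name as typed (secret/demo-db) does not cover the secret; the rule has to include the data/ segment.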
Incorrect keys
If the secret uses incorrect keys, verify key names match driver parameters.
CyberArk Conjur SSL certificate is not trusted
If the connection fails with PKIX path building failed:
- Import the CA certificate.
- Or enable Trust Certificate in provider settings.