Manage Repository Information in ALTR's Control Plane

ALTR refers to databases protected by sidecars as repositories. Repositories must be registered in ALTR so that sidecars can facilitate secure connections between data consumers and databases.

Database credentials are referred to as repository users. Repository users must be registered in ALTR to enable data consumers to connect to repositories using single sign-on (SSO). When connecting via SSO, credentials are never directly surfaced to data consumers. Access to connect using repository users is controlled by impersonation policies in ALTR.

Note

Sidecar integration requires some one-time setup steps (installing the sidecar, configuring secrets, creating repositories, setting up RSA keys, etc.). Please contact ALTR Support to get started. Our team will walk you through the setup before you begin configuring ALTR.

ALTR’s sidecar securely accesses credentials using AWS Secrets Manager or Azure Key Vault.

AWS Secrets Manager

To be accessible by a sidecar, secrets objects must be stored as an “other” type of secret with the credential password stored as plaintext.

To access an AWS secrets object, sidecars must have IAM access to the relevant secrets. Ensure that any installed sidecars have the DescribeSecret and GetSecretValue privileges for all secrets that the sidecar might use when facilitating user connections via impersonation policies.
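One way to check a sidecar role's identity policy against the requirement above before deployment, as an added example that is not ALTR's own code: it reports which secrets lack DescribeSecret or GetSecretValue and whether those actions also reach secrets the sidecar does not use. The function names, account ID, region and secret names are constructed placeholders, and the evaluation is simplified: it reads only Allow statements with Action and Resource and ignores Deny, NotAction, NotResource, Condition and any resource or organization policies.

```python
import fnmatch

# The two privileges the page says a sidecar needs on every secret it uses.
REQUIRED = ("secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue")

def _listify(value):
    return value if isinstance(value, list) else [value]

def _grants(stmt, action, arn):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    # Both accept the * and ? wildcards.
    acts = [a.lower() for a in _listify(stmt["Action"])]
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(arn, r) for r in _listify(stmt["Resource"])))

def audit(policy, secret_arns):
    """Return (missing, overbroad): required grants that are absent, and
    required actions that also reach a secret the sidecar does not use."""
    # Simplification (assumption): only plain Allow statements are evaluated.
    allows = [s for s in _listify(policy["Statement"])
              if s.get("Effect") == "Allow" and "Action" in s and "Resource" in s]
    missing = [(act, arn) for arn in secret_arns for act in REQUIRED
               if not any(_grants(s, act, arn) for s in allows)]
    # Canary: a secret in the same account and region that is not in the list.
    canary = secret_arns[0].split(":secret:")[0] + ":secret:unrelated/canary-AbCdEf"
    overbroad = [act for act in REQUIRED if any(_grants(s, act, canary) for s in allows)]
    return missing, overbroad

# Constructed sample values: account ID, region and secret names are placeholders.
ARNS = ["arn:aws:secretsmanager:us-east-1:111122223333:secret:altr/repo-user-a-x1Y2z3",
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:altr/repo-user-b-Q9w8E7"]
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED),
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:altr/repo-user-?-??????"}]}
PARTIAL = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": ARNS[0]}}

if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("scoped", SCOPED), ("partial", PARTIAL)):
        print(name, audit(pol, ARNS))
```

The trailing `-??????` in the scoped policy covers the six-character suffix that Secrets Manager appends to secret names in ARNs.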

Azure Key Vault

To be accessible by a sidecar, the credential password must be stored as plaintext.

To access a secret, enable system identity, then grant permissions to the secret. Make sure the sidecar is running in Azure, has identity available to it, can authenticate to the key vault and has access to the secret.