Secret management
Secret management in Self-Deployed Runtime ensures that credentials for source systems never leave your environment. By integrating with your existing secret vaults and fetching credentials just-in-time, the runtime can authenticate with databases and applications without exposing sensitive credentials to external systems, including Atlan SaaS.
How credentials are protected
Applications deployed on Self-Deployed Runtime authenticate to source systems with credentials read from your enterprise secret vault. The key principle is that secrets are never persisted by the runtime and never sent to Atlan; they remain entirely within your organization's security perimeter.
Supported secret stores include:
- AWS Secrets Manager
- Azure Key Vault
- GCP Secret Manager
- HashiCorp Vault
- Other secret stores available as Dapr secret store components
How it works
Secrets (for example database credentials) are fetched just-in-time through the Dapr secrets API when the app needs to connect to a source system. The credential is held in memory only for the duration of the authentication operation and is then discarded; it is never written to disk.
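The following is an added example, not code from Atlan or the Self-Deployed Runtime, of the just-in-time pattern described above. It reads a secret through the Dapr sidecar's HTTP secrets endpoint (`GET /v1.0/secrets/<store>/<name>`, served on the port Dapr exposes as `DAPR_HTTP_PORT`), passes the values to a connect callback, and drops them as soon as the connection is established. The store name `vault`, the secret name `postgres-atlan`, the `username`/`password` keys inside the secret, and the `fetch`/`connect` callables are assumptions for illustration; the sample credentials in `SAMPLE_SECRET` are constructed.

```python
"""Just-in-time secret retrieval via the Dapr sidecar (added example)."""
import json
import os
import urllib.request
from contextlib import contextmanager
from typing import Callable, Dict, Iterator

# Dapr injects DAPR_HTTP_PORT into the app's environment; 3500 is the default.
DAPR_HTTP_PORT = int(os.environ.get("DAPR_HTTP_PORT", "3500"))


def secret_url(store: str, name: str, port: int = DAPR_HTTP_PORT) -> str:
    """Build the Dapr secrets API URL: GET /v1.0/secrets/<store>/<name>."""
    return f"http://localhost:{port}/v1.0/secrets/{store}/{name}"


def http_get_json(url: str) -> Dict[str, str]:
    """Fetch a secret from the local sidecar. Dapr answers with a JSON object
    mapping secret keys to values. Only the sidecar talks to the vault; the
    app never holds vault credentials itself."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


@contextmanager
def borrowed_secret(
    store: str,
    name: str,
    fetch: Callable[[str], Dict[str, str]] = http_get_json,
    port: int = DAPR_HTTP_PORT,
) -> Iterator[Dict[str, str]]:
    """Yield the secret for the duration of one operation, then discard it.

    Caveat: Python strings are immutable, so the values cannot be zeroed in
    place; clearing the dict drops the references so nothing in the app keeps
    them reachable after the block, and nothing is ever written to disk."""
    secret = fetch(secret_url(store, name, port))
    try:
        yield secret
    finally:
        for key in list(secret):
            secret[key] = ""
        secret.clear()


def describe_secret(secret: Dict[str, str]) -> Dict[str, str]:
    """Log-safe view of a secret: key names only, values redacted."""
    return {key: "<redacted>" for key in secret}


def connect_with_jit_secret(
    store: str,
    name: str,
    connect: Callable[[str, str], object],
    fetch: Callable[[str], Dict[str, str]] = http_get_json,
) -> object:
    """Fetch credentials only for the connect call and return the handle.

    The secret dict is cleared when the with-block exits; only the connection
    object survives, so the caller never sees the raw credential."""
    with borrowed_secret(store, name, fetch) as creds:
        conn = connect(creds["username"], creds["password"])
    return conn


# Constructed sample secret for an offline demonstration (not a real credential).
SAMPLE_SECRET = {"username": "atlan_reader", "password": "constructed-example-password"}


def offline_fetch(url: str) -> Dict[str, str]:
    """Stand-in for the sidecar so the example runs without Dapr. Returns a
    fresh copy each time, as a real HTTP response would."""
    assert url.endswith("/v1.0/secrets/vault/postgres-atlan"), url
    return dict(SAMPLE_SECRET)


if __name__ == "__main__":
    def fake_connect(user: str, password: str) -> str:
        # A real implementation would open a database session here.
        return f"connection-for-{user}"

    handle = connect_with_jit_secret("vault", "postgres-atlan", fake_connect, offline_fetch)
    print(handle)  # the credential itself is already gone
```

Wire the real `http_get_json` in production and keep `offline_fetch` for tests; the important property is that `connect_with_jit_secret` returns only the connection handle, and `describe_secret` is what you pass to a logger when you need to record which secret was read.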
The runtime's design, together with the controls you apply to the secret store, keeps credentials inside your organization's security perimeter:
- No persistence or transmission: secrets are held in memory only while the source connection is established; the runtime never writes them to disk and never sends them to Atlan
- Network isolation: the runtime reaches the secret store over your own network, and the store is not exposed to Atlan
- Least-privilege access: the runtime's identity is granted read access only to the secrets it needs
- Audit logging: every secret read and modification is logged in the secret store
- Operational hygiene: periodic access reviews, and backup and disaster recovery for the secret store
See also
- Authentication: How OAuth 2.0 credentials work with Atlan services.
- Security: Overall security architecture and controls.