Use Secret Manager to store sensitive data

Datastream integrates with Secret Manager to let you securely store authentication resources, such as source database passwords. Rather than use a plain text password when creating a connection profile, create and use a secret.

What are secrets

Secrets are global resources that contain metadata, such as labels, annotations, and permissions.

Secrets also have secret versions. Secret versions store the actual data for the secret resource, such as API keys, passwords, or certificates. Each version has a unique identifier or a timestamp.

How are secrets different from encryption keys

Managing secrets is as important as managing encryption keys, but it addresses a different area of data security. You might use one or the other, depending on your use cases and the types of sensitive information that you store.

You would typically use secrets to securely store and manage sensitive data as binary blobs or text strings. Secrets store the actual data, but accessing it requires specific permissions, which are defined in the secret's metadata.

On the other hand, encryption keys are a better choice if you need to encrypt or decrypt data. You can't view or extract the cryptographic key material that is used for encryption. Key management systems such as Cloud Key Management Service are typically used for more demanding scenarios, for example encrypting rows in a database, or images and files.

If you need an additional layer of protection for your data, you can enable customer-managed encryption keys (CMEK), and use your own encryption keys stored in Cloud Key Management Service to secure secrets in Secret Manager. For more information about how to use CMEK with Datastream, see Use customer-managed encryption keys (CMEK).

Use Secret Manager with Datastream

To store your sensitive data for use with Datastream, you need to create a secret using Secret Manager. For more information, see Create a secret.

You can also create a secret when you define connection details for your connection profile. For detailed information, see Create connection profiles.

Required roles

To get the permissions that you need to use Secret Manager with Datastream, ask your administrator to grant you the Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) IAM role on the Datastream service account. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.
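The steps above (create the secret, add the password as a version, and grant the Datastream service account the Secret Accessor role) as a gcloud script. This is an added example, not part of the Datastream documentation; the project ID, secret ID and the service-agent address are placeholders, and the binding is made on the individual secret rather than project-wide so that Datastream can read only this one secret.

```shell
#!/bin/sh
# Added example (not from the Datastream docs). Assumes gcloud is installed
# and authenticated. Project ID, secret ID and the Datastream service-agent
# address below are placeholders that must be replaced.
set -eu

GCLOUD="${GCLOUD:-gcloud}"   # overridable so the functions can be dry-run

# Create the secret container and load the password as its first version.
# The password is read from stdin (--data-file=-) so it never appears in
# argv, process listings or shell history.
create_db_password_secret() {
  project="$1"; secret_id="$2"
  "$GCLOUD" secrets create "$secret_id" --project="$project" \
      --replication-policy=automatic
  "$GCLOUD" secrets versions add "$secret_id" --project="$project" \
      --data-file=-
}

# Grant roles/secretmanager.secretAccessor on this one secret only (least
# privilege), rather than on the whole project, to the Datastream service agent.
grant_datastream_access() {
  project="$1"; secret_id="$2"; datastream_sa="$3"
  "$GCLOUD" secrets add-iam-policy-binding "$secret_id" --project="$project" \
      --member="serviceAccount:$datastream_sa" \
      --role="roles/secretmanager.secretAccessor"
}

# Fully qualified secret-version reference to use in the connection profile
# instead of a plaintext password. Defaults to the "latest" alias.
secret_version_ref() {
  printf 'projects/%s/secrets/%s/versions/%s\n' "$1" "$2" "${3:-latest}"
}

# Example invocation (all values are placeholders; the service-agent address
# format is an assumption, confirm it in your project's IAM page):
#   printf '%s' "$DB_PASSWORD" | create_db_password_secret my-project src-db-password
#   grant_datastream_access my-project src-db-password \
#       service-PROJECT_NUMBER@gcp-sa-datastream.iam.gserviceaccount.com
#   secret_version_ref my-project src-db-password
```

Pinning a numeric version instead of `latest` in the connection profile lets you rotate the password by adding a new version and updating the profile deliberately, rather than having a rotation take effect the moment the version is added.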