Secret Providers

dbeaver-devops edited this page Mar 7, 2025 · 1 revision

Note: This feature is available in Enterprise, AWS, Team editions only.

Overview

CloudBeaver supports secret providers from AWS Secrets Manager and HashiCorp Vault. Secrets can store any connection-related data, such as the host, port, and database name.

Before configuring a secret provider in CloudBeaver, ensure that:

  • AWS Secrets Manager or HashiCorp Vault is set up.
  • You have the necessary access permissions.

Note: If a secret is configured, it takes priority over other authentication settings.

Configuring a secret provider

Before setting up a secret provider, you need to enable secret management:

  1. Go to Settings -> Administration -> Server Configuration.
  2. In the Configuration section, select Enable Secret Management.
  3. Click Save.

After enabling secret management, a Secret Management tab appears. You can now add a provider.

Add a secret provider

  1. Open Secret Management tab.
  2. Click + Add.
  3. Select a provider from the dropdown menu.

AWS secret provider settings

  1. Fill in the required fields.

     | Field | Description |
     |---|---|
     | ID | Enter a unique identifier for the configuration. |
     | Configuration name | Enter a descriptive name for this configuration. |
     | Description | Provide a brief description of this secret provider configuration. |
     | CloudId | AWS configuration settings. For more details on configuring AWS Cloud in CloudBeaver, see AWS Cloud Explorer. |
     | Region | AWS region where the secrets are stored. |

  2. Click Create to save the configuration.

Vault secret provider settings

  1. Fill in the required fields.

     | Field | Description |
     |---|---|
     | ID | Enter a unique identifier for the configuration. |
     | Configuration name | Enter a descriptive name for this configuration. |
     | Description | Provide a brief description of this secret provider. |
     | Authentication Type | Select an authentication type (TOKEN, JWT, USERNAME_PASSWORD). |

     Note: When using USERNAME_PASSWORD or TOKEN authentication, all users will have the same level of access to all secrets. If you need access control with different permissions for users, use JWT authentication.

  2. Click Create to save the configuration.

Authentication types

Username/password authentication

Use a username and password to authenticate with the Vault server.

| Field | Description |
|---|---|
| Username | Username for authentication. |
| Password | Password for authentication. |

Token authentication

Use an authentication token to access the Vault server.

| Field | Description |
|---|---|
| Token | Authentication token required to access the Vault server. |

JWT authentication

Use a JSON Web Token (JWT) for authentication.

| Field | Description |
|---|---|
| Vault server URL | URL of the Vault server used to retrieve secrets. |
| Vault JWT Provider ID | Identifier for the JWT provider created on the Vault side (Auth Method in Vault). |
| Vault Role Claim | The name of the JWT claim that holds the Vault role name (the custom role). See the configuration steps below. |

Configuring JWT authentication

JWT authentication requires an external Single Sign-On (SSO) provider (for example, Okta), because Vault does not generate JWTs internally. Any OpenID Connect (OIDC) provider can be used.

Note: You must be logged into CloudBeaver with the same authentication provider that Vault is configured with. For instance, if Vault is set up with Okta, you must log in through Okta; logging in through a different provider, such as Google, will not work.

  1. Enable the JWT authentication method in Vault.

    • Enable JWT authentication.
    • Configure JWT validation settings, such as issuer and audience.
  2. Create a role in Vault.

    • Vault does not assign roles automatically.
    • Use the API to create a role.
    • Define policies and specify claims for user identification.
  3. Configure role assignment in the SSO provider.

    • Ensure your SSO provider includes user roles in the JWT.

    Use the SSO provider's documentation to configure role claims.
  4. Match the Vault Role Claim with a JWT claim.

    • The Vault Role Claim field must match the custom claim in the JWT.
    • If it does not match, authentication will fail.

See the Vault documentation for more details.
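As an added, constructed example (not part of the CloudBeaver documentation or code), the following Python script decodes a JWT and applies the checks a Vault JWT role performs at login: issuer, bound audience, and the custom claim named in the Vault Role Claim field. The claim name, role name, issuer and audience are assumed values; the script does not verify the token signature, which Vault does against the SSO provider's keys.

```python
import base64
import json

# Constructed values for the demo (assumptions, not CloudBeaver or Vault defaults).
VAULT_ROLE_CLAIM = "vault_role"             # value entered in "Vault Role Claim"
VAULT_ROLE_NAME = "cloudbeaver-readers"     # role created in Vault (step 2 above)
EXPECTED_AUDIENCE = "cloudbeaver"           # bound_audiences on the Vault role
EXPECTED_ISSUER = "https://sso.example.com" # issuer configured on the jwt auth method


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    The signature is deliberately not checked here; Vault validates it."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def check_jwt_for_vault(token: str) -> str:
    """Return 'ok' if the token satisfies the role, otherwise the reason.
    These are the mismatches that make the CloudBeaver login to Vault fail."""
    claims = jwt_claims(token)
    if claims.get("iss") != EXPECTED_ISSUER:
        return "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        return "audience not bound to role"
    if VAULT_ROLE_CLAIM not in claims:
        return f"claim '{VAULT_ROLE_CLAIM}' missing from token"
    if claims[VAULT_ROLE_CLAIM] != VAULT_ROLE_NAME:
        return f"role claim '{claims[VAULT_ROLE_CLAIM]}' does not match Vault role"
    return "ok"


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


BASE_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice"}
GOOD_TOKEN = make_unsigned_jwt({**BASE_CLAIMS, VAULT_ROLE_CLAIM: VAULT_ROLE_NAME})
MISSING_CLAIM_TOKEN = make_unsigned_jwt(BASE_CLAIMS)          # SSO did not add the role
WRONG_ROLE_TOKEN = make_unsigned_jwt({**BASE_CLAIMS, VAULT_ROLE_CLAIM: "other-role"})
```

Running `check_jwt_for_vault` on a token exported from your SSO provider shows which of the four steps above is misconfigured before CloudBeaver reports a failed secret lookup.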

Creating a connection

  1. Start creating a connection.

  2. In the Create Connection wizard, go to the Main tab, choose a secret provider configuration and enter the secret name in the Settings field.

    The secret name must match the name stored in AWS Secrets Manager or HashiCorp Vault:

    • For Vault, use the format secret/your_secret_name.
    • For AWS, use your_secret_name.
  3. If the secret doesn’t include all required details (such as the host or port), enter them manually in the connection settings.

  4. Click the Test button to verify your settings. If configured correctly, CloudBeaver will establish a connection using the Secret Provider.

  5. Click Create to save the connection.
