Welcome to the Netskope One DSPM Knowledge Base


    Self-Managed Secrets for Data Store Credentials

    Overview

    Any Data Store that supports username- and password-based authentication can alternatively be authenticated using Self-Managed Secrets. This method offers an additional layer of security: the Service Account credentials are not stored within the Netskope One DSPM app, and they are updated automatically from the secrets you define on your organization's AMI or container.

    This article outlines how to set up and use Vault to inject your self-managed secrets for Data Store authentication.

    Note: The Create Netskope One DSPM Service Account and Retrieve Connection Information steps must be completed for each data store connection before proceeding with authentication.


    Configure Secrets YAML File

    1. Configure the Vault injector annotation to publish the Data Store's Service Account credentials to a YAML file.
    2. The published YAML file must be formatted as follows (one top-level key per Data Store, each holding the Service Account username and password):

        data-store-1:
          username: Netskope One DSPM
          password: <password>

        data-store-2:
          username: Netskope One DSPM
          password: <password>

        data-store-3:
          username: Netskope One DSPM
          password: <password>
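    As an added example (not part of the Netskope article), the Vault Agent Injector annotations from step 1 could be set on the scanner Pod as below so that the rendered file has exactly the layout from step 2. The Vault role name dspm-scanner, the KV v2 paths secret/data/dspm/data-store-N, the output file name datastores.yaml and the scanner image are assumptions to adapt to your own Vault layout.

```yaml
# Added example, not Netskope's own configuration. Assumed: Vault role
# "dspm-scanner", a KV v2 mount "secret" with one entry per Data Store under
# "dspm/" (fields "username" and "password"), output file "datastores.yaml".
apiVersion: v1
kind: Pod
metadata:
  name: dspm-scanner
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "dspm-scanner"
    # One logical secret named "datastores"; the injector writes the rendered
    # file to /vault/secrets/datastores.yaml (its default directory).
    vault.hashicorp.com/agent-inject-secret-datastores: "secret/data/dspm/data-store-1"
    vault.hashicorp.com/agent-inject-file-datastores: "datastores.yaml"
    # The template emits the two-level YAML the article requires: the top-level
    # key is the Data Store Identifier, followed by username and password.
    # Values are passed through toJSON so a password containing ':' , '#' or
    # quotes is emitted as a valid YAML double-quoted scalar.
    vault.hashicorp.com/agent-inject-template-datastores: |
      {{- with secret "secret/data/dspm/data-store-1" -}}
      data-store-1:
        username: {{ .Data.data.username | toJSON }}
        password: {{ .Data.data.password | toJSON }}
      {{- end }}
      {{- with secret "secret/data/dspm/data-store-2" }}
      data-store-2:
        username: {{ .Data.data.username | toJSON }}
        password: {{ .Data.data.password | toJSON }}
      {{- end }}
spec:
  serviceAccountName: dspm-scanner   # assumed; must be bound to the Vault role
  containers:
    - name: scanner
      image: REPLACE_WITH_DSPM_SCANNER_IMAGE   # placeholder, not a real image
```

    Vault Agent re-renders the file whenever the underlying secret versions change, which is what lets the rotation described under Maintaining YAML Files happen without redeploying the Pod.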

    Using Your Secret to Connect Data Stores

    1. On the Provide Credentials modal, select Self-Managed Secrets Manager in the Authentication Method drop-down.
    2. Your Data Store Identifier value must match the credential name defined in the YAML file, shown as data-store-1, data-store-2, etc. in Step 2 above. See the example of matching fields below.

       Note: This will require coordination within your organization to ensure the YAML is published to your secrets manager in the proper format.

    3. Continue to finish connecting the Data Store.

    Maintaining YAML Files

    Update your YAML file(s) as credential sets are added, changed, or removed within your Vault instance. Netskope One DSPM will automatically read and incorporate these changes within your Data Store connections. If the connection fails due to a credential change, you will see this within System Activity.

    YAML files should be created (or replicated) and published to each region containing Data Stores to be scanned. If you are using sidecars for Data Store scanning, a replicated YAML file containing your secret must be published to each sidecar within your container.
