Syntasa introduces Credentials as a first-class object, providing a centralized and secure way to manage sensitive information such as API keys, tokens, and passwords. This feature decouples secrets from specific connections or hardcoded scripts, allowing them to be managed through the UI and consumed programmatically across the platform.
Overview
The Credential Store supports two primary methods for managing secrets:
- Inline Credentials: Key-value pairs entered directly in the Syntasa UI. These are encrypted and stored in the application’s PostgreSQL database.
- Cloud Secret References: References to existing secrets stored in cloud provider managers (AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault). Syntasa stores only the reference; values are fetched on-demand at runtime.
Core Features
Provider-Aware Source Selection
The system automatically detects the infrastructure provider (AWS, GCP, Azure, or On-Prem) and filters the available credential source types accordingly:
- AWS: Inline + AWS Secrets Manager
- GCP: Inline + GCP Secret Manager
- Azure: Inline + Azure Key Vault
- On-Prem: Inline only
Validation and Key Discovery
For cloud-referenced credentials, Syntasa requires validation before saving. The Validate button triggers a backend process that:
- Confirms the Syntasa platform has the necessary IAM permissions to access the secret.
- Auto-discovers the key names within the secret (if stored as JSON).
- Displays discovered keys as tags (chips) in the UI for easy reference.
Sharing and Security Model
Credentials utilize Syntasa’s standard ISharable pattern:
- Private: Accessible only to the owner.
- Public: Accessible to all users in the environment.
- Shared with Groups: Accessible to specific User Groups.
- Ownership: Only the owner can edit or delete a credential object.
User Interface Guide
The Credentials List
Located under Resources > Credentials, the list page provides a high-level view of all accessible credentials, including:
- Name: The unique identifier used in notebooks and processes.
- Source: The type (Inline, AWS, GCP, or Azure).
- Keys: A comma-separated list of keys contained within the credential.
- Sharing Status: Indicates if the object is Private, Public, or Shared.
Configuring a Credential
When creating or editing a credential, the form is divided into three sections:
Basic Info: Name (required, unique per owner) and Description.
Source Configuration:
- Inline: A dynamic table where users enter Key and Value pairs. Values are masked by default with a show/hide toggle.
- Cloud Reference: Fields for Project ID, Secret Name, Region, or Vault URL (depending on the provider).
Sharing: Standard resource sharing component to define access levels.
Notebook Integration (syn_utils SDK)
The syn_utils library provides the CredentialStore class for programmatic access within Jupyter notebooks. To prevent accidental exposure, the SDK uses SecretString and SecretDict helpers that mask values in notebook output cells.
Common SDK Operations
from syn_utils import CredentialStore
# Initialize the store
store = CredentialStore()
# List all accessible credentials (metadata only)
creds = store.list()
# Get a single secret value (returns a SecretString)
api_key = store.get("my_api_credential", "api_key")
# Printing the object shows masked output
print(api_key) # Output: **********
# Use .get() to retrieve the actual value for an API call
# response = requests.get(url, headers={"Authorization": f"Bearer {api_key.get()}"})
# Get all keys for a credential (returns a SecretDict)
all_secrets = store.get_all("my_api_credential")
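The masking behaviour described above, as an added illustrative example rather than the syn_utils code itself: a minimal SecretString/SecretDict pair in which every implicit conversion path (str, repr, f-string formatting, the dict's own repr) yields a mask and the real value is reachable only through an explicit get() call. The class and method names mirror the SDK's naming, but the implementation and the reveal() helper are assumptions.

```python
from collections.abc import Mapping
from typing import Dict, Iterator

MASK = "**********"


class SecretString:
    """Wraps one secret so print(), repr(), f-strings and logging show a mask."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def get(self) -> str:
        # The only way to read the value: an explicit, greppable call.
        return self._value

    # Every implicit conversion path yields the mask, never the value.
    def __str__(self) -> str:
        return MASK

    def __repr__(self) -> str:
        return f"SecretString('{MASK}')"

    def __format__(self, spec: str) -> str:
        # Covers f"{s}" as well as width/alignment specs like f"{s:>20}".
        return MASK


class SecretDict(Mapping):
    """Read-only mapping of key -> SecretString, so a whole credential prints masked."""

    def __init__(self, values: Dict[str, str]) -> None:
        self._items = {k: SecretString(v) for k, v in values.items()}

    def __getitem__(self, key: str) -> SecretString:
        return self._items[key]

    def __iter__(self) -> Iterator[str]:
        return iter(self._items)

    def __len__(self) -> int:
        return len(self._items)

    def __repr__(self) -> str:
        return "SecretDict(" + repr({k: MASK for k in self._items}) + ")"

    def reveal(self) -> Dict[str, str]:
        # Unwrap every value at once (hypothetical helper); call only where the request is built.
        return {k: v.get() for k, v in self._items.items()}
```

Wrapping at the boundary means a stray print, a logged dict, or an exception message that formats the object leaks only the mask, while code that genuinely needs the value has to call get() and is therefore easy to audit.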
Security and IAM Requirements
For Cloud Secret References to function, the Syntasa platform’s service account or IAM role must have the following permissions in the target cloud project:
AWS Secrets Manager
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
- kms:Decrypt (if the secret is encrypted with a custom KMS key)
GCP Secret Manager
- roles/secretmanager.secretAccessor
Azure Key Vault
- Key Vault Secrets User role on the referenced vault.
Migration from Legacy Vault
For environments upgrading from versions prior to 9.1.0, Syntasa provides a migration script (migrate_credentials.py). This script:
- Enumerates all credentials from the legacy Vault-backed service.
- Recreates them as Inline credentials in the new system.
- Maps original owners and sharing settings to the new model.
- Handles naming conflicts by appending suffixes where necessary.
Once migration is verified, the legacy syntasa-credentials-service and syntasa-vault-service can be decommissioned to reduce cluster resource usage.