Updated on 2024-09-30 GMT+08:00

Using DEW to Manage Access Credentials for Data Sources

When DLI jobs read data from or write data to external sources, the access credentials for those sources must be stored securely so that DLI can authenticate to each data source and access it securely. DEW is a comprehensive cloud-based encryption service that addresses data security, key security, and complex key management issues. This section describes how to use DEW to store authentication information for a data source.

For details, see Data Encryption Workshop (DEW).

Creating a Shared Secret in DEW

This example describes how to configure a credential for accessing RDS DB instances in a DLI job and store the credential in DEW.
  1. Log in to the DEW management console.
  2. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  3. Click Create Secret. On the displayed page, configure basic secret information.
    • Secret Name: Enter a secret name. In this example, the name is secretInfo.
    • Secret Value: Enter the username and password for logging in to the RDS for MySQL DB instance.
      • The key in the first line is MySQLUsername, and the value is the username for logging in to the DB instance.
      • The key in the second line is MySQLPassword, and the value is the password for logging in to the DB instance.
      Figure 1 Secret Value
  4. Set other parameters as required and click OK.

Using the Secret Created in DEW in a DLI Job

This part uses a Flink job as an example to describe how to use credentials created in DEW.

WITH (
  'connector' = 'jdbc',
  'url' = 'jdbc:mysql://MySQLAddress:MySQLPort/flink', -- flink is the MySQL database where the orders table is located.
  'table-name' = 'orders',
  'username' = 'MySQLUsername', -- Shared secret in DEW whose name is secretInfo and version is v1. The key MySQLUsername defines the secret value. The value is the user's sensitive information.
  'password' = 'MySQLPassword', -- Shared secret in DEW whose name is secretInfo and version is v1. The key MySQLPassword defines the secret value. The value is the user's sensitive information.
  'sink.buffer-flush.max-rows' = '1',
  'dew.endpoint' = 'kms.xxxx.com', -- Endpoint information for the DEW service being used
  'dew.csms.secretName' = 'secretInfo', -- Name of the DEW shared secret
  'dew.csms.decrypt.fields' = 'username,password', -- The username and password field values must be decrypted and replaced using DEW secret management.
  'dew.csms.version' = 'v1'
);
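
The following pre-submission check is an added example, not code from DLI or DEW. It parses a connector WITH clause and reports credential options that are not routed through the DEW options shown above. The function names parse_with_options and audit_credentials are hypothetical, both SQL samples are constructed, and the check assumes that a field missing from dew.csms.decrypt.fields is used as a literal value.

```python
import re

# Option names are the ones shown on this page; the checker is illustrative.
SENSITIVE = {"username", "password"}
REQUIRED_DEW = ("dew.endpoint", "dew.csms.secretName",
                "dew.csms.decrypt.fields", "dew.csms.version")
OPTION_RE = re.compile(r"'([^']+)'\s*=\s*'([^']*)'")

def parse_with_options(sql):
    """Return the 'key' = 'value' pairs of a connector WITH clause."""
    # Strip "-- ..." comments first (assumes no option value contains "--").
    body = "\n".join(line.split("--", 1)[0] for line in sql.splitlines())
    return dict(OPTION_RE.findall(body))

def audit_credentials(sql):
    """List findings for credential options not resolved through DEW."""
    opts = parse_with_options(sql)
    present = SENSITIVE & opts.keys()
    if not present:
        return []
    findings = [f"missing option {k}" for k in REQUIRED_DEW if k not in opts]
    fields = opts.get("dew.csms.decrypt.fields", "")
    decrypt = {f.strip() for f in fields.split(",") if f.strip()}
    for name in sorted(present - decrypt):
        findings.append(f"{name} not in dew.csms.decrypt.fields")
    return findings

# Constructed sample: credentials written directly into the job SQL.
HARDCODED = """WITH (
  'connector' = 'jdbc',
  'url' = 'jdbc:mysql://MySQLAddress:MySQLPort/flink',
  'username' = 'app_user',
  'password' = 'example-password'  -- plaintext in the job definition
);"""

# Constructed sample following the page: values are keys of secret secretInfo.
DEW_MANAGED = """WITH (
  'connector' = 'jdbc',
  'username' = 'MySQLUsername',
  'password' = 'MySQLPassword',
  'dew.endpoint' = 'kms.xxxx.com',
  'dew.csms.secretName' = 'secretInfo',
  'dew.csms.decrypt.fields' = 'username,password',
  'dew.csms.version' = 'v1'
);"""

if __name__ == "__main__":
    for label, sql in (("hardcoded", HARDCODED), ("dew", DEW_MANAGED)):
        print(label, audit_credentials(sql))
```

A job definition passes when audit_credentials returns an empty list. Any finding means a credential option would reach the connector without being replaced from the DEW secret.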

Related Operations

For how to use a DLI agency to obtain access credentials, see Table 1.

Table 1 Guidelines for configuring DLI agency permissions in specific scenarios

| Type | Instruction | Description |
| --- | --- | --- |
| Flink job | Flink OpenSource SQL Jobs Using DEW to Manage Access Credentials | Guideline for using DEW to manage and access credentials for Flink OpenSource SQL jobs. When writing the output data of Flink jobs to MySQL or GaussDB(DWS), set attributes such as the username and password in the connector. |
| Flink job | Flink Jar Jobs Using DEW to Acquire Access Credentials for Reading and Writing Data from and to OBS | Guideline for Flink Jar jobs to acquire an AK/SK to read and write data from and to OBS. |
| Flink job | Obtaining Temporary Credentials for Flink Job Agencies | DLI provides a common interface to obtain temporary credentials for Flink job agencies set by users during job launch. The interface encapsulates the obtained temporary credentials for the job agency in the com.huaweicloud.sdk.core.auth.BasicCredentials class. Guideline for obtaining a temporary credential for a Flink job agency. |
| Spark job | Spark Jar Jobs Using DEW to Acquire Access Credentials for Reading and Writing Data from and to OBS | Guideline for Spark Jar jobs to acquire an AK/SK to read and write data from and to OBS. |
| Spark job | Obtaining Temporary Credentials for Spark Job Agencies | Guideline for obtaining a temporary credential for a Spark Jar job agency. |