Data Processing and Analytics Connection Profiles

Defines the Amazon Athena API authentication endpoint.

Determines the AWS region where the job is located.

Determines one of the following authentication methods:

• AWS Key: Used for services outside the AWS infrastructure.

• AWS IAM Role: Used for services within the AWS infrastructure.

Defines the access key assigned to the account with the relevant permissions to the AWS service.

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

Defines the Identity and Access Management (IAM) role name of the AWS service connection in the following format:<role-name> The IAM role must be attached to the EC2 agent that runs the job.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the AWS Data Pipeline API authentication endpoint.

For more information about regional endpoints available for the AWS Data Pipeline service, refer to the AWS documentation.

Determines the AWS region where the job is located.

Determines one of the following authentication methods:

• AWS Key & Secret: Authenticates with an AWS access key and secret, which are used by services outside the AWS infrastructure.

• AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

Defines the access key assigned to the account with the relevant permissions to the AWS service.

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

Defines the Identity and Access Management (IAM) role name of the AWS service connection in the following format:<role-name> The IAM role must be attached to the EC2 agent that runs the job.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Determines the Amazon DynamoDB authentication endpoint base URL that includes the region that is defined for the AWS account.

Determines the AWS region where the job is located.

Determines one of the following authentication methods:

• AWS Key & Secret: Authenticates with an AWS access key and secret, which are used by services outside the AWS infrastructure.

• AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

Defines the access key assigned to the account with the relevant permissions to the AWS service.

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

Defines the Identity and Access Management (IAM) role name of the AWS service connection in the following format:<role-name> The IAM role must be attached to the EC2 agent that runs the job.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Determines the AWS region where the job is located.

Defines the token for the connection to AWS.

Defines an additional security token for AWS.

Defines the Amazon Redshift authentication endpoint.

Determines the AWS region where the job is located.

Determines one of the following authentication methods:

• AWS Key & Secret: Authenticates with an AWS access key and secret, which are used by services outside the AWS infrastructure.

• AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

Defines the access key assigned to the account with the relevant permissions to the AWS service.

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

Defines the Identity and Access Management (IAM) role name of the AWS service connection in the following format:<role-name> The IAM role must be attached to the EC2 agent that runs the job.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Determines one of the following authentication methods:

• Service Principal: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if Control-M/Agent is installed on-premises or on another (non-Azure) cloud vendor.

• Managed Identity: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions.

Determines whether the managed identity is specified by the Managed Identity Client ID attribute.

Toggle on this option when you use the Managed Identity authentication method and there are multiple managed identities defined on your Azure VM.

Defines the client ID of the managed identity used for access.

This attribute requires a value only if there are multiple managed identities defined on your Azure VM and you toggle on Specify Managed Identity Client ID.

Defines the Azure tenant ID for your organization.

Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant. The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service.

Defines the password associated with the Service Principal/registered application.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint.

Defines the URL of your Databricks workspace.

Defines the resource parameter for the Azure Databricks login application:

Default: 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d

Do not change the default value unless you are required to by your Azure Administrator.

Defines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 50 seconds

Defines the HTTP codes that trigger a rerun of a job step if detected in the response.

Multiple HTTP codes must be separated with a space.

You cannot rerun a step with HTTP codes when you perform manual execution, such as rerun from point of failure.

Default: 429 503

Defines the number of seconds to wait before Control-M reruns the job step.

Default: 10

Defines the name of the HDInsight cluster to connect.

Defines the name of the Administrator to use to connect to Azure HDInsight.

Defines the Administrator password, which is configured in Azure HDInsight.

Determines one of the following authentication methods:

• Service Principal: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if Control-M/Agent is installed on-premises or on another (non-Azure) cloud vendor.

• Managed Identity: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions.

To prepare for authentication using each of these methods:

• Grant your Managed Identity or Service Principal access to your Synapse workspace through the Synapse Studio (Manage > Access Control).

• Assign a Contributor role to the Synapse workspace accessed by the Managed Identity or service principal.

Determines whether the managed identity is specified by the Managed Identity Client ID attribute.

Toggle on this option when you use the Managed Identity authentication method and there are multiple managed identities defined on your Azure VM.

Defines the client ID of the managed identity used for access.

This attribute requires a value only if there are multiple managed identities defined on your Azure VM and you toggle on Specify Managed Identity Client ID.

Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint.

Defines the Azure tenant ID for your organization.

Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant. The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service.

Defines the password associated with the Service Principal/registered application.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the workspace development endpoint.

Defines the resource parameter that serves as the identifier for Azure Synapse login via Azure AD:

Determines the data source type that the Data Assurance plug-in connects to, as follows:

• Postgres

• Snowflake

• MSSQL

• Oracle

• (CSV) File

Defines the database hostname.

Determines the database port number, which enables the Data Assurance plug-in to communicate with the database host.

Defines the database name.

Defines the Oracle service name and schema type.

Determines the database schema type, which describes the database layout, its table and field definitions, and their relationships to each other.

Defines the data source username.

Defines the data source password.

Defines the local file directory where one or more CSV files are stored.

Determines the CSV filename pattern and extension.

Default: *.csv

Determines whether to open files, based on when they were created or modified, as follows:

• None: Opens the file regardless of when it was created or modified.

• Created: Opens the file if it was created in the past number of hours that are defined in the Max Age in Hours parameter.

• Modified: Opens the file if it was modified in the past number of hours that are defined in the Max Age in Hours parameter.

Determines the number of hours that a file was last created or modified, based on the Filter Method parameter.

Valid Values:

• 0: No time limit.

• 1–8,760: The maximum number of hours since the file was created or modified.

Determines one of the following characters, which marks the beginning or end of a unit of data:

• Comma (,)

• Semicolon (;)

• Pipe (|)

• Tab

• Space (whitespace)

Default: Comma (,)

Determines whether the file contains headers, which define the type of data in each row.

Defines the URL of your Databricks workspace.

(PAT) Defines a Databricks token for authentication of connections to the Databricks workspace.

Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant.

The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service.

Defines the password associated with the Service Principal/registered application.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 50 seconds

Defines the HTTP codes that trigger a rerun of a job step if detected in the response.

Multiple HTTP codes must be separated with a space.

You cannot rerun a step with HTTP codes when you perform manual execution, such as rerun from point of failure.

Default: 429

Defines the number of seconds to wait before Control-M reruns the job step.

Default: 10

Defines the dbt API authentication endpoint.

Default: https://cloud.getdbt.com

Defines the authentication code that is used to create a connection to the dbt platform.

This code is located in the API Access section in the dbt Cloud platform.

Defines the unique ID that is assigned to your dbt cloud account.

This ID is located in the Account Info section in the dbt cloud platform.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Determines one of the following authentication types that utilize GCP Access Control:

• Service Account: Authenticates with an application ID (service account) and client secret.

• IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Defines the Google Cloud Platform (GCP) authentication endpoint for BigQuery.

(Service Account) Defines a service account that is associated with an RSA key pair.

Determines one of the following authentication types that utilize GCP Access Control:

• Service Account: Authenticates with an application ID (service account) and client secret.

• IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Defines the Google Cloud Platform (GCP) authentication endpoint for Dataflow.

(Service Account) Defines a JSON body that contains the required service account credentials to access GCP, as shown in the following example:

{
   "type": "service_account",
   "project_id": "project-id",
   "private_key_id": "key-id",
   "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
   "client_email": "service-account-email",
   "client_id": "client-id",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
   "token_uri": "https://accounts.google.com/o/oauth2/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

Determines one of the following authentication types that utilize GCP Access Control:

• Service Account: Authenticates with an application ID (service account) and client secret.

• IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Defines the Google Cloud Platform (GCP) authentication endpoint for Dataproc.

(Service Account) Defines a JSON body that contains the required service account credentials to access GCP, as shown in the following example:

{
   "type": "service_account",
   "project_id": "project-id",
   "private_key_id": "key-id",
   "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
   "client_email": "service-account-email",
   "client_id": "client-id",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
   "token_uri": "https://accounts.google.com/o/oauth2/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the OCI Data Flow URL in the following format:

https://dataflow.<region>.oci.oraclecloud.com/20200129

Determines the region where OCI Data Flow is located.

Determines one of the following authentication methods:

• Defined Parameters: Defines authentication parameters in the connection profile.

• Configuration File: Uses a configuration file that contains authentication credentials and is stored on the Agent.

The following configuration file example defines two profiles: DEFAULT for Linux and PROFILE2 for Windows:

[DEFAULT] 
user=ocid1.user.oc1..aaaaaaaa4vcihdfhrdtyry457245636cqqcljd6yrcukszg7gzoymoyvkyupivpjfnq
tenancy=ocid1.tenancy.oc1..aaa456y4e3yrtyue9f8djfihhwp2cu4e6t2b7lttna7rcgnhrdi4qzika
fingerprint=9f:af:df:f5:5g:95:92:7c:34:ab:46:d3:b4:30:e6:9e
region=us-phoenix-1
key_file=/home/dbauser/key.pem 

[PROFILE2] 
user=ocid1.user.oc1..aaaaaaaa4v768679dfhrd8989JHGJG36cqqcljd6yrcukszg7gzoymoyvkyupivpjfnq
tenancy=ocid1.tenancy.oc1..aaa456y4e3yrtyue987erum,gfwp2cu4e6t2b7lttna7rcgnhrdi4qzika
fingerprint=9f:af:c0:f5:7b:95:92:7c:03:a5:46:g3:b4:38:e6:9e
region=us-phoenix-1
key_file=C:\\Users\\dbauser\\key.pem

Defines an individual user within the OCI environment.

Defines the OCI Tenancy ID in an OCI Data Flow, which is a global unique identifier for this account within the OCI environment.

Defines a fingerprint which uniquely identifies and verifies the integrity of the associated certificate or key.

Defines the private key within a set of API signing keys that are used for authentication and secure access to OCI resources.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the Agent-based pathname to the configuration file that contains authentication credentials.

Defines the name of a specific section in the configuration file, such as DEFAULT and PROFILE2 in the Configuration File code sample.

Defines the hostname URL, as follows:

https://{{AccountID}}.{{Region}}.snowflakecomputing.com

Defines the Snowflake account identifier.

To obtain this string, run the Describe Security Integration command in Snowflake and copy the initial string from one of the authorization properties.

For more information about obtaining values for the parameters required by the connection profile, see Knowledge Article KA000437810.

Determines the region where the Snowflake jobs are located.

Determines one of the following authentication methods:

• Programmatic Access Token: Authenticates with the Programmatic Access Token.

• Snowflake OAuth: Authenticates with a Client ID, Client Secret, Refresh Token, and Redirect URL.

Defines the client ID assigned to the account in the Snowflake integration setup.

Defines the client secret assigned to the account in the Snowflake integration setup.

Defines the value for the refresh token.

Rule: This string must be URL-encoded.

Defines the redirect URL assigned to the account in the Snowflake integration setup.

Rule: This string must be URL-encoded.

Defines the access token for Snowflake authentication.

Defines the Snowflake IdP account identifier.

To obtain this string, run the Describe Security Integration command in Snowflake and copy the initial string from one of the authorization properties.

For information about the values for the parameters required by the connection profile, see the IdP-specific External OAuth configuration instructions in the Snowflake documentation.

Determines the region where the Snowflake jobs are located.

Defines the client ID assigned to the account in the Snowflake integration setup.

Defines the client secret assigned to the account in the Snowflake integration setup.

Defines the authentication endpoint for Snowflake IdP.

Defines the scope, which limits the operations you can do and the roles you can use in the Snowflake IdP plug-in, as follows:

session:role:<custom_role>