Data Processing and Analytics Connection Profiles

Defines the Amazon Athena API authentication endpoint.

Determines the region where the Amazon Athena jobs are located.

Determines one of the following authentication methods:

• AWS Key: Used for services outside the AWS infrastructure.

• AWS IAM Role: Used for services within the AWS infrastructure.

Defines the access key assigned to the account with the relevant permissions to the AWS service.

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

Defines the Identity and Access Management (IAM) role name for the AWS service connection.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the AWS Data Pipeline API authentication endpoint.

For more information about regional endpoints available for the AWS Data Pipeline service, refer to the AWS documentation.

Determines the region where the AWS Data Pipeline jobs are located.

Determines one of the following authentication methods:

• AWS Key & Secret: Authenticates with an AWS access key and secret, which are used by services outside the AWS infrastructure.

• AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

Defines the access key assigned to the account with the relevant permissions to the AWS service.

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

Defines the Identity and Access Management (IAM) role name for the AWS service connection.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Determines the Amazon DynamoDB authentication endpoint base URL that includes the region that is defined for the AWS account.

Determines the region where the Amazon DynamoDB jobs are located.

Determines one of the following authentication methods:

• AWS Key & Secret: Authenticates with an AWS access key and secret, which are used by services outside the AWS infrastructure.

• AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

Defines the access key assigned to the account with the relevant permissions to the AWS service.

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

Defines the Identity and Access Management (IAM) role name for the AWS service connection.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Determines the region where the Amazon EMR jobs are located.

Defines the token for the connection to AWS.

Defines an additional security token for AWS.

Defines the Amazon Redshift authentication endpoint.

Determines the region where the Amazon Redshift jobs are located.

Determines one of the following authentication methods:

• AWS Key & Secret: Authenticates with an AWS access key and secret, which are used by services outside the AWS infrastructure.

• AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

Defines the access key assigned to the account with the relevant permissions to the AWS service.

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

Defines the Identity and Access Management (IAM) role name for the AWS service connection.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Determines one of the following authentication methods:

• Service Principal: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if the Control-M/Agent is installed on-premises or with another (non-Azure) cloud vendor.

• Managed Identity: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if the Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions.

Determines whether the Managed Identity is specified by the Managed Identity Client ID parameter.

Toggle on this option when you use the Managed Identity authentication method and your Azure virtual machine has multiple Managed Identities.

Defines the client ID of the Managed Identity that is used for access. If only one Managed Identity is defined on your Azure virtual machine, it is detected automatically, and you can leave this parameter empty.

Defines the Azure tenant ID for your organization.

Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant. The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service.

Defines the password associated with the Service Principal/registered application.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint.

Default:https://login.microsoftonline.com

Defines the URL of your Databricks workspace.

Defines the resource parameter for the Azure Databricks login application:

Default: 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d

Do not change the default value unless you are required to by your Azure Administrator.

Defines the name of the HDInsight cluster.

Defines the name of the Administrator to use to connect to Azure HDInsight.

Defines the Administrator password, which is configured in Azure HDInsight.

Determines one of the following authentication methods:Service Principal: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if the Control-M/Agent is installed on-premises or with another (non-Azure) cloud vendor.Managed Identity: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if the Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions.

To prepare for authentication using each of these methods:

• Grant your Managed Identity or Service Principal access to your Synapse workspace through the Synapse Studio (Manage > Access Control).

• Assign a Contributor role to the Synapse workspace accessed by the Managed Identity or service principal.

Determines whether the Managed Identity is specified by the Managed Identity Client ID parameter.

Toggle on this option when you use the Managed Identity authentication method and your Azure virtual machine has multiple Managed Identities.

Defines the client ID of the Managed Identity that is used for access. If only one Managed Identity is defined on your Azure virtual machine, it is detected automatically, and you can leave this parameter empty.

Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint.

Default:https://login.microsoftonline.com

Defines the Azure tenant ID for your organization.

Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant. The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service.

Defines the password associated with the Service Principal/registered application.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the workspace development endpoint.

Defines the resource parameter that serves as the identifier for Azure Synapse login via Azure AD:

Defines the URL of your Databricks workspace.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the dbt API authentication endpoint.

Default: https://cloud.getdbt.com

Defines the authentication code that is used to create a connection to the dbt platform.

This is located in the API Access section in the dbt Cloud platform.

Defines the unique ID that is assigned to your dbt Cloud account.

This is located in the Account Info section in the dbt Cloud platform.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Determines one of the following authentication types using GCP Access Control:

• Service Account: Authenticates using an application ID (service account) and client secret.

• IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Determines one of the following authentication types using GCP Access Control:

• Service Account: Authenticates using an application ID (service account) and client secret.

• IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Defines the Google Cloud Platform (GCP) authentication endpoint for BigQuery.

(Service Account) Defines a service account that is associated with an RSA key pair.

Determines one of the following authentication types using GCP Access Control:

• Service Account: Authenticates using an application ID (service account) and client secret.

• IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Defines the Google Cloud Platform (GCP) authentication endpoint for Dataflow.

(Service Account) Defines a JSON body that contains the required service account credentials to access GCP, as shown in the following example:

{
   "type": "service_account",
   "project_id": "project-id",
   "private_key_id": "key-id",
   "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
   "client_email": "service-account-email",
   "client_id": "client-id",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
   "token_uri": "https://accounts.google.com/o/oauth2/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

Determines one of the following authentication types using GCP Access Control:

• Service Account: Authenticates using an application ID (service account) and client secret.

• IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Defines the Google Cloud Platform (GCP) authentication endpoint for Dataproc.

(Service Account) Defines a JSON body that contains the required service account credentials to access GCP, as shown in the following example:

{
   "type": "service_account",
   "project_id": "project-id",
   "private_key_id": "key-id",
   "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
   "client_email": "service-account-email",
   "client_id": "client-id",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
   "token_uri": "https://accounts.google.com/o/oauth2/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the OCI Data Flow URL in the following format:

https://dataflow.<region>.oci.oraclecloud.com/20200129

Determines the region where OCI Data Flow is located.

Determines one of the following authentication methods:

• Defined Parameters:Uses the authentication parameters defined in the connection profile.

• Configuration File: Uses a configuration file that contains authentication information and is stored on the Control-M/Agent.

  The following example of a configuration file defines the DEFAULT profile for Linux and the PROFILE2 profile for Windows.

  Copy

  [DEFAULT] 
  user=ocid1.user.oc1..aaaaaaaa4vcihdfhrdtyry457245636cqqcljd6yrcukszg7gzoymoyvkyupivpjfnq
  tenancy=ocid1.tenancy.oc1..aaa456y4e3yrtyue9f8djfihhwp2cu4e6t2b7lttna7rcgnhrdi4qzika
  fingerprint=9f:af:df:f5:5g:95:92:7c:34:ab:46:d3:b4:30:e6:9e
  region=us-phoenix-1
  key_file=/home/dbauser/key.pem 
  
  [PROFILE2] 
  user=ocid1.user.oc1..aaaaaaaa4v768679dfhrd8989JHGJG36cqqcljd6yrcukszg7gzoymoyvkyupivpjfnq
  tenancy=ocid1.tenancy.oc1..aaa456y4e3yrtyue987erum,gfwp2cu4e6t2b7lttna7rcgnhrdi4qzika
  fingerprint=9f:af:c0:f5:7b:95:92:7c:03:a5:46:g3:b4:38:e6:9e
  region=us-phoenix-1
  key_file=C:\\Users\\dbauser\\key.pem

Defines an individual user within the OCI environment.

Defines the OCI Tenancy ID in an OCI Data Flow, which is a global unique identifier for this account within the OCI environment.

Defines a fingerprint which uniquely identifies and verifies the integrity of the associated certificate or key.

Defines the Private key within a set of API signing keys that are used for authentication and secure access to OCI resources.

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Defines the path to the configuration file that contains authentication information.

This file is stored on the Control-M/Agent.

Defines the name of a specific section in the configuration file, such as DEFAULT and PROFILE2 in the Configuration File code sample.

Defines the Snowflake account identifier.

To obtain this string, execute the Describe Security Integration command in Snowflake and copy the initial string from one of the authorization properties.

For more information about obtaining values for the parameters required by the connection profile, see Setting Up a Snowflake API Connection.

Determines the region where the Snowflake jobs are located.

Defines the client ID assigned to the account in the Snowflake integration setup.

Defines the client secret assigned to the account in the Snowflake integration setup.

Defines the value for the refresh token.

Rule: This string must be URL-encoded.

Defines the redirect URI assigned to the account in the Snowflake integration setup.

Rule: This string must be URL-encoded.

Determines the Snowflake IdP account identifier.

To obtain this string, run the Describe Security Integration command in Snowflake and copy the initial string from one of the authorization properties.

For information about the values for the parameters required by the connection profile, see the IdP-specific External OAuth configuration instructions in the Snowflake documentation.

Determines the region where the Snowflake jobs are located.

Defines the client ID assigned to the account in the Snowflake integration setup.

Defines the client secret assigned to the account in the Snowflake integration setup.

Defines the authentication endpoint for Snowflake IdP.

Defines the scope, which limits the operations you can do and the roles you can use in the Snowflake IdP plug-in.

Define the scope as follows:

session:role:<custom_role>