Storing secrets in Vault

You can store your secrets in a local Vault instance managed by Cloudera Migration Assistant. If the Vault is configured, no credentials are stored in the database, and the files created during the migration process contain only Vault paths. In this case, credentials stored in the Vault are also masked on the UI.

Local or Docker Deployment

Starting CMA with Vault for the first time

Starting Cloudera Migration Assistant with the --vault option starts and configures a local Vault server, and configures the Cloudera Migration Assistant Server to connect to it. Once the connection is set up, Cloudera Migration Assistant stores the credentials on the Vault Server.

  1. When Cloudera Migration Assistant Server is not running, start Cloudera Migration Assistant with the following command:
    cma-[***VERSION NUMBER***]/bin/cma start --vault
  2. When Cloudera Migration Assistant Server is already running, use the following command to restart Cloudera Migration Assistant with Vault:
    cma-[***VERSION NUMBER***]/bin/cma restart --vault

To restart the Vault server, you can use the following command:
    cma-[***VERSION NUMBER***]/bin/cma vault restart

After the initial configuration is complete, Cloudera Migration Assistant Server expects the Vault Server to be running. If you want to stop the Vault, it is recommended that you stop CMA as well using the following commands:
    cma-[***VERSION NUMBER***]/bin/cma vault stop
    cma-[***VERSION NUMBER***]/bin/cma stop

Parcel Deployment

When you deploy Cloudera Migration Assistant in parcel mode, the Vault Server role is installed on the Cloudera Migration Assistant Server node, and configured by default.