Credentials
The agent connects to your database as three separate users. Each user's credentials are referenced — never stored — in the config file.
Overview
Three users, least-privilege model
The agent uses three separate database users, each scoped to the minimum privileges needed for its job. Credentials are resolved at runtime via a secret manager reference — the config file never contains raw credentials.
reader: Read-only privileges (SELECT, DESCRIBE, SHOW)
Used by: Discovery, Profile, Certifier
pipeline: DML privileges (INSERT, UPDATE, DELETE, MERGE)
Used by: Operate
ddl_admin: DDL privileges (CREATE, ALTER, DROP)
Used by: DDL Deploy (dev/lab only)
Recommended
Secret manager integration
Recommended for all environments. The agent fetches credentials at startup from your secret manager and caches them in memory for the duration of the session. No sensitive values appear on disk.
Supported secret managers
- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
Configure your credential references in the agent configuration file. The agent resolves them at runtime — see the setup instructions provided during onboarding for your specific secret manager.
Alternative
File-based credentials (non-production)
A low-friction onboarding path for developers who don't yet have secret manager access. The agent reads a local JSON credential file from the host. The file must contain the same fields as a secret manager entry.
Hard-blocked in production. If any file-based credential reference is present in a production configuration, the agent refuses to start. Use a secret manager for all production environments.
Never commit credential files to version control. Restrict file permissions and ensure credential files are excluded from your repository.
Reference
Environment restrictions
| Credential source | dev | lab | int | prd |
|---|---|---|---|---|
| Secret manager | ✓ | ✓ | ✓ | ✓ |
| Local file | ✓ | ✓ | ✓ | blocked |
Reference
Credential format
Both secret manager entries and file-based credentials use the same JSON structure. All fields are required.
| Field | Description |
|---|---|
| account | Database account identifier. |
| user | Database username. |
| role | Database role to activate on login. |
| warehouse | Warehouse to use for queries. |
| private_key_pem | RSA private key in PEM format for keypair authentication. |
Follow the setup instructions in your BoltPipeline Console for the specific credential format and configuration steps for your database vendor.
Need help?
Email us at support@boltpipeline.ai