While you may only ever need to add a single Credential Provider to an Access Policy, some use cases require multiple Credential Providers on a single Access Policy. To support this, Aembit lets you add multiple Credential Providers to an Access Policy and map each of them to that policy.
Adding Multiple Credential Providers to an Access Policy
To add multiple Credential Providers to an Access Policy, follow the steps described below.
1. Log into your Aembit tenant.
2. Once you are logged into your tenant, click on the Access Policy link in the left navigation pane. You should see the Access Policy Page displayed.
3. Before adding a Credential Provider to an Access Policy, you need to perform the following tasks:
   - Add an Access Policy
   - Add a Client Workload
   - Add a Server Workload

   Note: If the Server Workload Application Protocol is NOT Snowflake or HTTP, then you are unable to add multiple Credential Providers to an Access Policy.
4. Once you have added your Access Policy, Client Workload, and Server Workload, you should now add Credential Providers to the Access Policy by dragging your mouse over the Credential Provider + button and selecting either New or Existing.
   You have 2 options:
   - Existing - This selection enables you to choose one of your existing Credential Providers.
   - New - This selection enables you to create a new Credential Provider.

   Once you make your selection, the Credential Providers dialog window appears.
5. If you selected Use Existing, select the Credential Provider you would like to use for the Access Policy from the list displayed.
6. If you selected New, proceed to add your new Credential Provider by completing the fields as prompted in the dialog window.
   You should see the following fields displayed:
   - Name - Credential Provider name
   - Description - Text description
   - Credential Type - Select JSON Web Token

   When JSON Web Token is selected, the following additional fields appear, enabling you to enter your Snowflake credentials:
   - Token Configuration
   - Snowflake Account ID
   - Username
   - Snowflake Alter User Command

   For more information on how to retrieve this information for your Credential Provider, please see the JSON Web Token page.
7. When finished, click Save to save your Credential Provider.
8. When you return to the Access Policy page, you see the first Credential Provider listed in the Credential Providers column.
9. Now that you have your first Credential Provider added to the Access Policy, repeat steps 4 - 7 to add additional Credential Providers by navigating to the Credential Provider column and dragging your mouse over the + button.
Click Continue to add additional Credential Providers to the Access Policy.
Mapping JWT Credential Providers to a Snowflake Server Workload Access Policy
After adding at least two JWT Credential Providers to an Access Policy, you must then map these Credential Providers to your Access Policy. To map JWT Credential Providers to an Access Policy, follow the steps described below.
1. On the Access Policy page, in the Credential Providers column, you should see a box with the total number of Credential Providers that have been added.
2. Click on the arrow button to open the Credential Provider Mappings dialog window. In the Credential Provider Mappings dialog window, you see the Credential Providers currently added to the Access Policy with information about each Credential Provider.
3. Notice that there is a red “!” icon. This denotes that the Credential Provider currently has no mappings. Hover over the Credential Provider and you see a down arrow appear. Click on the down arrow to open the Credential Provider mapping menu.
4. In this menu, add any Snowflake Usernames you would like added to the Credential Providers. This means that if the username is included in the connection request from the Client Workload, this Credential Provider will be used for credential injection. Repeat this process as many times as needed for all of your policy-associated Credential Providers.
5. Click Save when you are finished adding your mapping values.
6. When you return to the Access Policies page, notice that you now see a green “All Mapped” notation in the box for the Credential Providers you just mapped.
7. Click Save to save your selections. If you would like to save, and then also activate the credential mapping, click Save & Activate.
Now, when you return to the Access Policy page, if you hover over the Access Policy, you see the Credential Providers that are mapped to that Access Policy.
Mapping JWT Credential Providers to a HTTP Server Workload Access Policy
After adding at least two JWT Credential Providers to an Access Policy, you may then map these Credential Providers to your Access Policy. To map Credential Providers to an Access Policy, follow the steps described below.
1. On the Access Policy page, in the Credential Providers column, you should see a box with the total number of Credential Providers that have been added.
2. Click on the arrow button to open the Credential Provider Mappings dialog window. In the Credential Provider Mappings dialog window, you see the Credential Providers currently added to the Access Policy with information about each Credential Provider.
3. Notice that there is a red “!” icon. This denotes that the Credential Providers currently have no mappings. Hover over the Credential Provider and you see a down arrow appear. Click on the down arrow to open the Credential Provider menu.
4. In this menu, add the HTTP Header or HTTP Body values you would like used for the Credential Provider mapping. This means that if these HTTP values are included in the connection request from the Client Workload, this Credential Provider will be used for credential injection. Repeat this process as many times as needed for all of your policy-associated Credential Providers.
   - If you would like to use HTTP Header values for your credential mapping, you will see the following dropdown menu.
   - If you would like to use HTTP Body values for your credential mapping, you will see the following dropdown menu.
5. Click Save when you are finished adding your mapping values. You are directed back to the Credential Provider Mapping page where you see the values you entered for the HTTP Header and HTTP Body fields.
6. When you return to the Access Policies page, notice that you now see a green “All Mapped” notation in the box for the Credential Providers you just mapped.
7. Click Save to save your selections. If you would like to save, and then also activate the credential mapping, click Save & Activate.
Now, when you return to the Access Policy page, if you hover over the Access Policy, you see the Credential Providers that are mapped to that Access Policy.
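
The selection rule from the Snowflake and HTTP mapping sections above, modelled as an added example that is not Aembit's code or API. It lists providers that still have no mappings, flags mapping values claimed by more than one provider, and shows which providers a given request would match. The provider names, mapping values, exact-match comparison and the flat dictionary used for the HTTP body are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Provider:
    name: str
    # Mapping values as (kind, key, value); kind is "username", "header" or "body".
    mappings: list = field(default_factory=list)

def _norm(mapping):
    kind, key, value = mapping
    # HTTP header names are case-insensitive; everything else is compared exactly
    # (exact matching is an assumption of this model).
    return (kind, key.lower() if kind == "header" else key, value)

def audit(providers):
    """Return (providers with no mappings, mapping values claimed by several providers)."""
    unmapped = [p.name for p in providers if not p.mappings]
    owners = {}
    for p in providers:
        for m in p.mappings:
            owners.setdefault(_norm(m), []).append(p.name)
    return unmapped, {m: n for m, n in owners.items() if len(n) > 1}

def matching_providers(providers, request):
    """Names of every provider whose mapping value appears in the request."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    fields = {"username": lambda key: request.get("username"),
              "header": headers.get,
              "body": request.get("body", {}).get}
    return [p.name for p in providers
            if any(fields[kind](key) == value
                   for kind, key, value in map(_norm, p.mappings))]

# Constructed sample policies: two Snowflake providers, two HTTP providers.
SNOWFLAKE = [Provider("cp-etl", [("username", "", "ETL_SVC")]),
             Provider("cp-bi", [])]  # no mappings yet: the red "!" state
HTTP = [Provider("cp-tenant-a", [("header", "X-Tenant", "a")]),
        Provider("cp-tenant-b", [("header", "x-tenant", "b"), ("body", "tenant", "b")])]

if __name__ == "__main__":
    print(audit(SNOWFLAKE))
    print(matching_providers(SNOWFLAKE, {"username": "ETL_SVC"}))
    print(matching_providers(HTTP, {"headers": {"x-tenant": "a"}, "body": {"tenant": "b"}}))
```

A request that matches exactly one provider is the intended case; an empty or multi-element result points at a missing or overlapping mapping value worth reviewing before activating the policy.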