Example | Creating a Dataplex Universal Catalog connection via a CyberArk Vault

In modern enterprise environments, zero-trust security means that technical convenience should never come at the cost of credential exposure. This guide outlines the process of synchronizing Google Dataplex Universal Catalog with Collibra while adhering to strict organizational security policies.

You can integrate your Edge site with your CyberArk vault to implement your organization’s credential management policies for any data source to which Edge connects. We will walk you through setting up this integration, and then using it to create a connection to Dataplex Universal Catalog.

Scenario

You have an Edge site installed on bundled k3s. Your organization has a CyberArk vault, and has asked you to ensure your Edge site is compliant with your credential management policies. To do this, you need to integrate your Edge site with your CyberArk vault.

Once you have this integration in place, you've also been asked to create an Edge connection to Dataplex Universal Catalog. With your new vault integration, you can pull your Dataplex Universal Catalog credentials from CyberArk, instead of manually entering them into Edge.

Learn how to integrate your Edge site with your CyberArk vault using allow-list authentication and create a connection to Dataplex Universal Catalog using your vault.

In this use case guide, you will do the following:

  1. Set up an integration between your Edge site and CyberArk vault.
  2. Create a Dataplex Universal Catalog connection using your CyberArk vault.

Prerequisites

On your local server

  • You installed your Edge site on bundled k3s.
  • You installed and configured the Edge CLI tool.
  • You have a CyberArk Vault with allow-list authentication.

Within Collibra

Within CyberArk

  • Your CyberArk Vault is configured with Allowed machines.
  • You can administer CyberArk secrets. This includes the ability to do the following in your CyberArk Vault:
    • Create
    • Edit
    • Delete
    • Rotate credentials
  • Your CyberArk Credential Provider has the GetPassword web service available at /AIMWebService.
  • If you use a --caPath, it must be in the X.509 format (PEM encoded).

Within Dataplex Universal Catalog

  • You need a Google Cloud Platform service account that can read the Google Cloud Storage (GCS) file system that you want to integrate. This means that the service account must have the following permissions:
    • storage.buckets.list to list buckets
    • storage.objects.list to list objects in a bucket
  • If you use Dataplex, the service account must be able to detect file schemas in GCS resources from Dataplex. This means that the service account must have the following permissions, for example, via the Dataplex Viewer role:
    • dataplex.*.get
    • dataplex.*.list
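
The following audit script is an added example, not Collibra or Google code. It checks a list of granted permissions against the read-only set listed above; the function name, the MISSING/EXTRA output format and the sample permission lists are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Collibra or Google code. Reads one granted permission
# per line on stdin and compares it with the read-only set listed above.
# Assumptions: at least one dataplex.<resource>.get and .list permission
# counts as present; anything outside the set is reported as EXTRA.

audit_permissions() {
  local perms p need has_get=0 has_list=0 rc=0
  perms=$(cat)
  # Exact-match permissions for listing buckets and objects.
  for need in storage.buckets.list storage.objects.list; do
    printf '%s\n' "$perms" | grep -qxF "$need" || { echo "MISSING:$need"; rc=1; }
  done
  while IFS= read -r p; do
    case "$p" in
      '') ;;                                   # skip blank lines
      storage.buckets.list|storage.objects.list) ;;
      dataplex.*.get)  has_get=1 ;;            # any Dataplex resource, get
      dataplex.*.list) has_list=1 ;;           # any Dataplex resource, list
      *) echo "EXTRA:$p"; rc=1 ;;              # e.g. write or delete rights
    esac
  done <<EOF
$perms
EOF
  [ "$has_get" -eq 1 ]  || { echo "MISSING:dataplex.*.get"; rc=1; }
  [ "$has_list" -eq 1 ] || { echo "MISSING:dataplex.*.list"; rc=1; }
  return "$rc"
}

# Constructed sample: one listing permission missing, one delete permission extra.
printf '%s\n' storage.buckets.list dataplex.lakes.get dataplex.lakes.list \
  storage.objects.delete | audit_permissions || echo "review before use"
```

Feed it the permission list of the role or roles bound to the service account, one permission per line.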

Create an integration to your CyberArk Vault

We are going to walk you through integrating your Edge site with your CyberArk vault. In this example, we assume that our Edge site is installed on bundled k3s and that our CyberArk Vault uses allow-list authentication.

In the cluster where our Edge site is installed, we use the Edge CLI tool to run the sudo ./edgecli vault create cyber allow-list command. There are some command flags we need to specify in order for this integration to work:

  1. Name: Our vault name is "CyberArk 2026".
  2. Description: We are going to give our vault a description so anyone who looks at this later understands what this vault is for. The description is "CyberArk vault for Dataplex integrations in 2026.".
  3. App ID: Our CyberArk server application ID is "123456".
  4. URL: Our CyberArk URL is https://edge-cyberark-server.example.com.
  5. caPath: The file containing our Certificate Authority is ./certs/ca.crt.

The full command we run in the Edge CLI is:

sudo ./edgecli vault create cyber allow-list "CyberArk 2026" \
  --desc "CyberArk vault for Dataplex integrations in 2026." \
  --appId 123456 \
  --url https://edge-cyberark-server.example.com \
  --caPath ./certs/ca.crt
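
The pre-flight check below is an added example and not part of the Edge CLI. It validates the --url and --caPath values before the command above is run; the function names are hypothetical and the certificate in the demo is a constructed stub, not a real CA.

```bash
#!/usr/bin/env bash
# Added example, not part of the Edge CLI: pre-flight checks for the
# --url and --caPath values used in the command above.

# 0 if the file has a PEM CERTIFICATE block whose decoded body starts with
# the DER SEQUENCE tag 0x30. Structural check only; it does not parse X.509.
is_pem_cert() {
  local f body first
  f=$1
  [ -r "$f" ] || return 1
  body=$(awk '/^-----BEGIN CERTIFICATE-----/ { on = 1; next }
              /^-----END CERTIFICATE-----/   { if (on) ok = 1; exit }
              on { gsub(/\r/, ""); printf "%s", $0 }
              END { exit !ok }' "$f") || return 1
  first=$(printf '%s' "$body" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
  [ "$first" = "30" ]
}

# 0 only for https:// URLs: the App ID and the returned secret must not
# travel in clear text, and --caPath is only meaningful with TLS.
is_https_url() {
  case "$1" in
    https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: preflight_vault_args <url> <caPath>; reports every failed check.
preflight_vault_args() {
  local rc=0
  is_https_url "$1" || { echo "--url must start with https://" >&2; rc=1; }
  is_pem_cert "$2"  || { echo "--caPath is not a PEM-encoded certificate" >&2; rc=1; }
  return "$rc"
}

# Demo with a constructed stub: "MAA=" is an empty DER SEQUENCE, not a real CA.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAA=' '-----END CERTIFICATE-----' > "$tmp/ca.crt"
preflight_vault_args "https://edge-cyberark-server.example.com" "$tmp/ca.crt" \
  && echo "ok to run edgecli vault create"
rm -rf "$tmp"
```

For a full parse of the real CA file, including subject and expiry, run openssl x509 -in ./certs/ca.crt -noout -subject -enddate.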

Create a Dataplex Universal Catalog connection

Now that Collibra is linked to your vault, you can create the Google Cloud Platform (GCP) connection to Dataplex Universal Catalog. Instead of pasting sensitive keys, we will simply point to CyberArk.

In this step, Edge uses your vault query to dynamically retrieve the service account JSON. This creates a secure, automated "handshake" that unlocks the Dataplex Universal Catalog while ensuring your raw credentials never leave the protection of CyberArk.

  1. Open a site.
    1. On the main toolbar, click the Products icon, then click Settings (cogwheel icon).
      The Settings page opens.
    2. In the tab pane, click Edge.
      The Sites tab opens and shows a table with an overview of your sites.
    3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
  2. In the Connections section, click Create connection.
    The Create connection page appears.
  3. Select the GCP connection to connect to Google Cloud Platform.
  4. Enter the required information.
    • Name: GCP_Prod_Finance_Connection
    • Description:
    • Connection type: Service account
    • Service Account / Workload Identity Federation (WIF): {"type": "service_account", "project_id": "data-prod-123", ...}
    • Property: Leave blank.
  5. Click Create.
    The connection is added to the Edge or Collibra Cloud site.

Sources

  • Integrate your Edge site with your vault
  • How to access help for Vaults
  • Create a Dataplex Universal Catalog connection

What's next

You can now create a Dataplex Universal Catalog capability to proceed with metadata ingestion.