Example | Creating a Dataplex Universal Catalog connection via a CyberArk Vault
In modern enterprise environments, zero-trust security means that technical convenience should never come at the cost of credential exposure. This guide outlines the process of synchronizing Google Dataplex Universal Catalog with Collibra while adhering to strict organizational security policies.
You can integrate your Edge site with your CyberArk vault to implement your organization’s credential management policies for any data source to which Edge connects. We will walk you through setting up this integration, and then using it to create a connection to Dataplex Universal Catalog.
Scenario
You have an Edge site installed on bundled k3s. Your organization has a CyberArk vault, and has asked you to ensure your Edge site is compliant with your credential management policies. To do this, you need to integrate your Edge site with your CyberArk vault.
Once you have this integration in place, you've also been asked to create an Edge connection to Dataplex Universal Catalog. With your new vault integration, you can pull your Dataplex Universal Catalog credentials from CyberArk, instead of manually entering them into Edge.
Learn how to integrate your Edge site with your CyberArk vault using allow-list authentication and create a connection to Dataplex Universal Catalog using your vault.
In this use case guide, you will do the following:
- Set up an integration between your Edge site and CyberArk vault.
- Create a Dataplex Universal Catalog connection using your CyberArk vault.
Prerequisites
On your local server
- You installed your Edge site on bundled k3s.
- You installed and configured the Edge CLI tool.
- You have a CyberArk Vault with allow-list authentication.
Within Collibra
- You have a global role that has the Manage Edge sites global permission.
- Ensure that your environment uses the latest user interface.
- You created and installed an Edge site.
  Note: If you have defined an outbound (forward) proxy on your Edge site, the integration will take that configuration into account when connecting to the data source. The following proxies are supported:
  - Pass through (No authentication)
  - Pass through (Basic authentication)
  - MITM (No authentication)
  - MITM (Basic authentication)
  - No proxy for noProxy hosts defined by Edge
- You have added a vault to your Edge site.
- Make sure you are on the latest UI because the Dataplex Universal Catalog integration is available only in the latest UI.
- You have a global role that has the Manage connections and capabilities global permission, for example, Edge integration engineer.
Within CyberArk
- Your CyberArk Vault is configured with either Allowed machines.
- You can administer CyberArk secrets. This includes the ability to do the following in your CyberArk Vault:
  - Create
  - Edit
  - Delete
  - Rotate credentials
- Your CyberArk Credential Provider has GetPassword Web Service available in /AIMWebService.
- If you use a --caPath, it must be in the X.509 format (PEM encoded).
Within Dataplex Universal Catalog
- You need a Google Cloud Platform service account that can read the Google Cloud Storage (GCS) file system that you want to integrate. This means that the service account must have the following permissions:
  - storage.buckets.list to list buckets
  - storage.objects.list to list objects in a bucket
- If you use Dataplex, the service account must be able to detect file schemas in GCS resources from Dataplex. This means that the service account must have the following permissions, for example, via the Dataplex Viewer role:
  - dataplex.*.get
  - dataplex.*.list
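A least-privilege check for the service account described above, as an added example that is not part of the original guide. It assumes you have exported the account's effective permissions one per line; the function name and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Audit a service account against the read-only permission set listed above.
# Input on stdin: one permission name per line.

# Prints each permission outside the guide's set and each required storage
# permission that is absent; returns 1 if either kind of finding exists.
audit_permissions() {
    status=0; have_buckets=0; have_objects=0
    while IFS= read -r perm; do
        case $perm in
            '') ;;
            storage.buckets.list) have_buckets=1 ;;
            storage.objects.list) have_objects=1 ;;
            # The guide's wildcards map directly onto shell glob patterns.
            dataplex.*.get|dataplex.*.list) ;;
            *) echo "EXTRA   $perm"; status=1 ;;
        esac
    done
    [ "$have_buckets" -eq 1 ] || { echo "MISSING storage.buckets.list"; status=1; }
    [ "$have_objects" -eq 1 ] || { echo "MISSING storage.objects.list"; status=1; }
    return "$status"
}

# Constructed sample: an account that can read, but also delete objects and
# change IAM policy on lakes. Both extras should be reported.
audit_permissions <<'EOF' || echo "service account exceeds or misses the required set"
storage.buckets.list
storage.objects.list
dataplex.lakes.get
dataplex.lakes.list
storage.objects.delete
dataplex.lakes.setIamPolicy
EOF
```

Note that `dataplex.*.get` does not match names such as `dataplex.lakes.getIamPolicy`, so those are reported as extra.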
Create an integration to your CyberArk Vault
We are going to walk you through integrating your Edge site with your CyberArk vault. In this example, we assume that our Edge site is installed on bundled k3s and that our CyberArk Vault uses allow-list authentication.
In the cluster where our Edge site is installed, we use the Edge CLI tool to run the sudo ./edgecli vault create cyber allow-list command. There are some command flags we need to specify in order for this integration to work:
- Name: Our vault name is "CyberArk 2026".
- Description: We are going to give our vault a description so anyone who looks at this later understands what this vault is for. The description is "CyberArk vault for Dataplex integrations in 2026.".
- App ID: Our CyberArk server application ID is "123456".
- URL: Our CyberArk URL is https://edge-cyberark-server.example.com.
- caPath: The file containing our Certificate Authority is ./certs/ca.crt.
The full command we run in the Edge CLI is:
sudo ./edgecli vault create cyber allow-list "CyberArk 2026" \
--desc "CyberArk vault for Dataplex integrations in 2026." \
--appId 123456 \
--url https://edge-cyberark-server.example.com \
--caPath ./certs/ca.crt
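A preflight check for the --caPath and --url values before running the command above, as an added example that is not part of the original guide or the Edge CLI. The function names and the sample certificate file are constructed; the checks are structural only.

```shell
#!/bin/sh
# Preflight for `edgecli vault create cyber allow-list`: check --caPath and --url.

# Succeeds only if the file is a PEM-encoded X.509 certificate (or bundle).
check_ca_pem() {
    ca=$1
    [ -r "$ca" ] || { echo "$ca: cannot read file" >&2; return 1; }
    text=$(tr -d '\r' < "$ca")   # tolerate CRLF line endings
    begins=$(printf '%s\n' "$text" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(printf '%s\n' "$text" | grep -c '^-----END CERTIFICATE-----$' || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$ca: no complete PEM certificate (DER or truncated?)" >&2; return 1
    fi
    # A trust anchor file needs certificates only; a private key here is a leak.
    if printf '%s\n' "$text" | grep -q 'PRIVATE KEY-----'; then
        echo "$ca: contains a private key" >&2; return 1
    fi
    # Lines between the markers must be base64 text.
    if printf '%s\n' "$text" |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' |
        grep -v '^-----' | grep -q '[^A-Za-z0-9+/=]'; then
        echo "$ca: non-base64 data inside a certificate block" >&2; return 1
    fi
    return 0
}

# The Credential Provider returns secrets, so the URL must be https.
check_vault_url() {
    case $1 in
        https://?*) return 0 ;;
        *) echo "$1: vault URL must use https" >&2; return 1 ;;
    esac
}

# Constructed sample: PEM-shaped placeholder, not a real certificate.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBconstructedSampleBodyNotARealCert0000' \
    '-----END CERTIFICATE-----' > "$demo/ca.crt"
if check_ca_pem "$demo/ca.crt" &&
   check_vault_url 'https://edge-cyberark-server.example.com'; then
    echo "preflight ok"
fi
rm -rf "$demo"
```

To confirm that the file also parses as a certificate, run `openssl x509 -in ./certs/ca.crt -noout` where OpenSSL is installed.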
Create a Dataplex Universal Catalog connection
Now that Collibra is linked to your vault, you can create the Google Cloud Platform (GCP) connection to Dataplex Universal Catalog. Instead of pasting sensitive keys, we will simply point to CyberArk.
In this step, Edge uses your vault query to dynamically retrieve the service account JSON. This creates a secure, automated "handshake" that unlocks the Dataplex Universal Catalog while ensuring your raw credentials never leave the protection of CyberArk.
- Open a site.
  - On the main toolbar, click → Settings.
    The Settings page opens.
  - In the tab pane, click Edge.
    The Sites tab opens and shows a table with an overview of your sites.
  - In the table, click the name of the site whose status is Healthy.
    The site page opens.
- In the Connections section, click Create connection.
  The Create connection page appears.
- Select the GCP connection to connect to Google Cloud Platform.
- Enter the required information.
  - Name: GCP_Prod_Finance_Connection
  - Description:
  - Connection type: Service account
  - Service Account / Workload Identity Federation (WIF): {"type": "service_account", "project_id": "data-prod-123", ...}
  - Property: Leave blank.
- Click Create.
  The connection is added to the Edge site.
You can now create a Dataplex Universal Catalog capability to proceed with metadata ingestion.