Platform

The Request Manager Agent requires the support of a credentials manager and cloud storage bucket to facilitate data subject request processing. A credentials manager stores client credentials, connection strings, PEM keys, API tokens, etc. that authenticate the agent's various requests, and cloud storage bucket persists the results of access requests so that Personally Identifiable Information (PII) never leaves your private network.

Schemas

The platform object in the DATAGRAIL_AGENT_CONFIG denotes the credentials manager and cloud storage that the Agent should use.

Platform Schema

Fields
credentials_manager	object(CredentialsManager) (required) Credentials manager settings.
storage_manager	object(StorageManager) (required) Cloud storage settings.

JSON Representation

{
    "credentials_manager": object(CredentialsManager),
    "storage_manager": object(StorageManager)
}

CredentialsManager

Fields
provider	enum(CredentialsManagerProvider) (required) The credentials manager provider.
options	object(CredentialsManagerOptions) (optional) Metadata about the credentials manager.

JSON Representation

{
    "provider": enum(CredentialsManagerProvider),
    "options": object(CredentialsManagerOptions)
}

CredentialsManagerProvider

Enums
AWSSSMParameterStore	Amazon Web Services Parameter Store.
AWSSecretsManager	Amazon Web Services Secrets Manager.
AzureKeyVault	Microsoft Azure Key Vault.
GCP	Google Secret Manager.
JSONFile	JSON file for secrets injection.

JSONFile Schema

The JSON file for secrets should contain the credentials in the following format:

JSONFile Schema

{
    "<credentials_name_1>": {
        "<key_1>": "<value_1>",
        "<key_2>": "<value_2>"
    },
    ...
}

Connector credentials should be stored in the same file and format. For example, a Postgres connection credentials would look like:

Example JSONFile for Postgres

{
    "datagrail_credentials": {
        "token": "<DataGrail API token>"
    },
    "datagrail_agent_credentials": {
        "client_id": "<identifier for the credential e.g. 'datagrail'>",
        "client_secret": "<generated password>"
    },
    "postgres": {
        "user": "<DB username>",
        "password": "<DB password>",
        "server": "<server domain name or IP address>",
        "port": "<port, e.g. 5432>",
        "database": "<DB, e.g. BikeStores>"
    }
}

The top-level keys of the JSON file are arbitrary and used to identify the credentials locations in the DATAGRAIL_AGENT_CONFIG. In the above examples, the credentials locations would be datagrail_credentials, datagrail_agent_credentials, and postgres, respectively.

CredentialsManagerOptions

Fields
secret_vault	string (optional) Specifies the Azure Key Vault name. Required when using AzureKeyVault.
project_id	string (optional) Specifies the Google Cloud project ID. Required when using GCP.
filename	string (optional) Specifies the credentials file location/name. Required when using JSONFile.

JSON Representation

{
    "secret_vault": string,
    "project_id": string,
    "filename": string
}

StorageManager

Fields
provider	enum(StorageManagerProvider) (required) The cloud storage manager provider.
options	object(StorageManagerOptions) (optional) Metadata about the storage manager. Required for some providers.

JSON Representation

{
    "provider": enum(StorageManagerProvider),
    "options": object(StoragesManagerOptions)
}

StorageManagerProvider

Enums
AWSS3	string Amazon Web Services S3
AzureBlob	string Microsoft Azure Blob
BackblazeB2	string Backblaze B2
GCPCloudStore	string Google Cloud Storage

StorageManagerOptions

Fields
bucket	string (required) The name of the cloud storage bucket
project_id	string (optional) Required when using AzureBlob or GCPCloudStore to denote the project ID.
region	string (optional) Required when using BackblazeB2 to denote the region.
endpoint	string (optional) Required when using BackblazeB2 to denote the endpoint.

JSON Representation

{
    "bucket": string,
    "project_id": string,
    "region": string,
    "endpoint": string
}