Skip to content

Platform keys

Data Loader uses a key pair to securely link to your installed CDC agents. The key pair is required to ensure CDC agents can communicate between your VPC and the Data Productivity Cloud.

How your platform key works

The name of the key in your secrets manager should be stored in the PLATFORM_KEY_NAME template variable.

Once generated, you are required to enter the secret into either AWS Secrets Manager, Azure Key Vault, or Google Secret Manager, where your agents can access them. Note that your choice of template might come configured to assume which of these services you will be using, and this decision should be made before attempting to use a template.


  1. You will need to enter your source database passwords into your secrets manager. You may wish to do so while you are registering your account's secret key.
  2. Even agents not running in the cloud (for example, those launched using Kubernetes) require access to your secrets manager to access the platform key and database credentials.

Generating the key pair

If you haven't generated a platform secret for your account yet, Data Loader will prompt you to do so when creating a CDC pipeline.


If you misplace or forget your private key, you can reset your own stored key pair value.

Resetting the key pair

If you forget or lose your private key pair value, you can reset your configured key pair in the Data Loader user interface.

  1. From the Data Loader dashboard, click Manage in the sidebar.
  2. Click CDC key.
  3. Delete the existing configured key pair.
  4. You'll be prompted to confirm the deletion of your key to prevent accidental deletion. Type delete, to confirm you have understood. Click Yes, delete to continue.
  5. On the next page, agree to I have saved the private key in a secrets manager and made a note of the secret name and then click Submit key pair.

This will generate a new key pair value.


Any linked agents will stay connected during the current session. However, if the agent becomes disconnected for any reason and tries to reconnect, your key pair will no longer be valid and you will be prompted to provide a new key pair.

Storing your platform secret

The Matillion CDC agent expects to find your platform secret in either AWS Secrets Manager, Azure Key Vault, or Google Secret Manager, depending on where the agent is installed.

For specific information on storing secrets in these services, review the following documentation and remember to have your platform secret ready.

Agent installation documentation

Cloud platform documentation

Agent environment variables

You can set up manually installed agents to use the following environment variables. If you have installed via an AWS or Azure template then you do not need to configure these.

Environment Variable Description
PLATFORM_KEY_PROVIDER Accepted values are: azure-key-vault or aws-secrets-manager.
AZURE_SECRET_KEY_VAULT_URL If PLATFORM_KEY_PROVIDER is azure-key-vault. The URL of your Azure key vault. For example,

The CDC agent expects to find this secret stored with the key name agent-rsa by default. We highly recommend using this name and not configuring the below environment variable. It is, however, available for those who wish to use a different key name.

Environment Variable Description
PLATFORM_KEY_NAME The name of your platform secret key. This name must abide by your platform's naming conventions.