Skip to content

Platform keys

Data Loader uses a key pair to link to your installed CDC agents and allow secure identification. The key pair is required to ensure CDC Agents can communicate securely between your VPC and Matillion's Data Productivity Cloud platform. The key pair allows Matillion to securely communicate with your agent.

How your platform key works

The name of the key in a secrets manager should be stored in the PLATFORM_KEY_NAME template variable.

Once generated, you are required to enter the secret into either AWS Secrets Manager, Azure Key Vault, or Google Secret Manager where your agents can access them. Note that your choice of template might come configured to assume which of these services you will be using and this decision should be made before attempting to use a template.


  1. It's worth remembering that you will be required to enter your source database passwords into Secrets Manager or Key Vault and it might be worth doing so while you are registering your account's secret key.
  2. Even agents not running in the cloud (for example those launched using Kubernetes) require access to Secrets Manager or Key Vault to access the Platform Key and database credentials. :::

Generating the key pair

If you haven't generated a platform secret for your account yet, Data Loader will prompt you to do so when creating a CDC Pipeline.



In the event that you misplace or forget your private key, you can reset your own stored key pair value. :::

Resetting the key pair

If you forget or lose your private key pair value, you can reset your configured key pair in Data Loader UI.

  1. From the Data Loader dashboard, click Manage in the sidebar.
  2. Click CDC key.
  3. Delete the existing configured key pair.
  4. You'll be prompted to confirm the deletion of your key to prevent accidental deletion. To action the deletion, type delete, to confirm you have understood. Click Yes, delete to continue.
  5. On the next page, agree to I have saved the private key in a secrets manager and made a note of the secret name and then click Submit key pair.

This will generate a new key pair value.

Key pair

:::info{title='Note'} Any linked agents will stay connected during the current session. However, if the agent becomes disconnected for any reason and tries to reconnect, your key pair will no longer be valid and you will be prompted to provide a new key pair. :::

Storing your platform secret

The Matillion CDC agent expects to find your platform secret in either Azure Key Vault or AWS Secrets Manager, depending on where the agent is installed.

For specific information on storing secrets in these services, review the following documentation and remember to have your platform secret ready.

Agent installation documentation

Official documentation

Agent environment variables

It is possible to configure manually installed agents to point to either using the following environment variables. If you have installed via an AWS or Azure template then you do not need to configure these.

Environment Variable Description
PLATFORM_KEY_PROVIDER Accepted values are: azure-key-vault or aws-secrets-manager
AZURE_SECRET_KEY_VAULT_URL If PLATFORM_KEY_PROVIDER is azure-key-vault. The URL of your azure key vault. For example,

Matillion CDC agent expects to find this secret stored with the key name agent-rsa by default. We highly recommend using this name and not configuring the below environment variable. It is, however, available for those who wish to use a different key name.

Environment Variable Description
PLATFORM_KEY_NAME The name of your platform secret key. This name must abide by your platform's naming conventions.