Skip to main content
Refreshing a ‘s credentials lets you generate a new client_secret for the in , to authenticate with the application in your infrastructure. You may wish to do this if, for example, your security policy requires that you change secrets on a regular basis.
This action will revoke existing credentials and result in disconnecting a running . You must replace your credentials and restart the to reconnect. Ensure you have no pipelines running on the when you use this feature.

How to refresh Maia runner credentials

  1. In the left navigation, click . Then, select Runners from the menu.
  2. Locate your , and click the three dots , then click Runner details.
  3. Click the Credentials tab.
  4. Click Refresh.
  5. When asked for confirmation, type the word refresh and click Refresh credentials.
  6. When you receive a notification that the credentials are refreshed, you can click Reveal to show the new secret that has been generated.
Apply the new credentials to the in your cloud infrastructure using the relevant guide below: AWS, Azure, Google Cloud, or Snowflake. Until this is done, the status will show as Unknown in the Runners list, and the can’t be used to run pipelines.

Apply the new credentials (AWS)

Once you have refreshed credentials on the Runner details page, follow this process to update your AWS-hosted to use the new credentials. The client_secret used by the is held in your AWS Secrets Manager. The app contains a pointer to this secret, which will not change. To update the secret:
  1. Log in to the AWS Console and locate the ECS service running your . Note the name assigned to the .
  2. In Secrets Manager, locate and select the secret that corresponds to the name you noted.
  3. Click Retrieve secret value to display the existing value, then click Edit.
  4. Copy in the refreshed client_secret value you obtained from . Don’t change the secret name.
  5. Click Save.
Now restart the , as described in Restart a .

Apply the new credentials (Azure)

Once you have refreshed credentials on the Runner details page, follow this process to update your Azure-hosted to use the new credentials.
  1. In the Azure portal, select the Container App that holds your .
  2. In the Container App’s sidebar menu, select Application then containers.
  3. Click the Environment variables tab.
  4. The OAUTH_CLIENT_SECRET variable tells you the name of the secret that holds the client_secret.
  5. In the Container App’s sidebar menu, click SettingsSecrets and locate the secret name you determined above.
  6. Click the edit (pencil) icon next to the secret to edit its value.
  7. Copy the refreshed client_secret you obtained from and paste it into the Value field.
  8. Click the checkbox at the bottom to acknowledge that you want to proceed with the change.
  9. Click Save.
Now restart the , as described in Restart a .

Apply the new credentials (Google Cloud)

Once you have refreshed credentials on the Runner details page, follow this process to update your GKE-hosted to use the new credentials. The client_secret is passed to the via your Helm values file (values-gcp.yaml). To update it:
  1. Open your values-gcp.yaml file.
  2. Replace the value of config.oauthClientSecret with the refreshed client_secret you obtained from .
  3. Run helm upgrade to apply the change:
helm upgrade <RELEASE_NAME> . \
  --namespace <NAMESPACE> \
  -f values-gcp.yaml
Replace <RELEASE_NAME> and <NAMESPACE> with the values used during your original deployment (both default to matillion-agent). The Helm upgrade performs a rolling restart of the pods, which will pick up the new credentials automatically.

Apply the new credentials (Snowflake)

Once you have refreshed credentials on the Runner details screen, you need to update the secret entry in the Snowflake vault. The client_secret used by the is held in your Snowflake vault. Read Secrets in Matillion for Snowflake for details.