...
Note that the fields marked with the shields contain sensitive information, such as secret keys. We recommend that you provide sensitive information through the CDAP Secure Storage API, and you can do this by adding a secure key with the Security HTTP RESTful API. Then, click the shield icon in the UI to select a secure key or, in the case of system compute profiles, type the name of the key. CDAP adds the key as a macro in the form of ${secure(<key_<secure-key-name>)}.
In general, provisioner configuration can be overridden at runtime. To lock certain settings so that they cannot be overridden, click the lock symbol to make the value immutable.