4.0

AWS Secret Manager

Secure secrets in AWS Secret Manager and use them in Kafka Connect.

Add the plugin to the worker classloader isolation via the plugin.path option:

plugin.path=/usr/share/connectors,/opt/secret-providers

Two authentication methods are support:

  1. credentails. When using this configuration the access-key and secret-key are used.
  2. default. This method uses the default credential provider chain from AWS. The default credential first checks environment variables for configuration. If environment configuration is incomplete, Java props, then profile file and finally it will try managed identity.

Configuring the plugin 


NameDescriptionDefault
aws.auth.methodAWS authenticate method. ‘credentials’ to use the
provided credentials or ‘default’ for the standard AWS provider chain
credentials
aws.access.keyAWS client key. Valid is auth.method is ‘credentials’
aws.secret.keyAWS secret key. Valid is auth.method is ‘credentials’
aws.regionAWS region the for the Secrets manager
file.dirThe base location for any files to stored

Example Worker Properties

config.providers=aws
config.providers.aws.class=io.lenses.connect.secrets.providers.AWSSecretProvider
config.providers.aws.param.aws.auth.method=credentials
config.providers.aws.param.aws.access.key=your-client-key
config.providers.aws.param.aws.secret.key=your-secret-key
config.providers.aws.param.aws.region=your-region
config.providers.aws.param.file.dir=/connector-files/aws

Usage 

To use this provider in a connector, reference the SecretManager containing the secret and the key name for the value of the connector property.

The indirect reference is in the form ${provider:path:key} where:

  • provider is the name of the provider in the worker property file set above
  • path is the name of the secret
  • key is the name of the secret key in secret to retrieve. AWS can store multiple keys under a path.

For example, if we store two secrets as keys:

  • my_username_key with the value lenses and
  • my_password_key with the value my-secret-password

in a secret called my-aws-secret we would set:

name=my-sink
class=my-class
topics=mytopic
username=${aws:my-aws-secret:my_username_key}
password=${aws:my-aws-secret:my_password_key}

This would resolve at runtime to:

name=my-sink
class=my-class
topics=mytopic
username=lenses
password=my-secret-password

Data encoding 

AWS SecretManager BinaryString (API only), is not supported. The secrets must be stored under the secret name in key, value pair format. The provider checks the SecretString API and expects a json string to be returned.

For example for an RDS Postgre secret, the following is returned by AWS Secret Manager:

{
"username": "xxx",
"password": "xxx",
"engine": "postgres",
"host": "xxx",
"port": 5432,
"dbname": "xxx",
"dbInstanceIdentifier": "xxxx"
}

The provider handles the following types:

  • utf_8
  • base64

The provider will look for keys prefixed with:

  • UTF8
  • UTF_FILE
  • BASE64
  • BASE64_FILE

The UTF8 means the value returned is the string retrieved for the secret key. The BASE64 means the value returned is the base64 decoded string retrieved for the secret key.

If the value for the tag is UTF8_FILE the string contents are written to a file. The returned value from the connector configuration key will be the location of the file. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.

If the value for the tag is BASE64_FILE the string contents are based64 decoded and written to a file. The returned value from the connector configuration key will be the location of the file. For example, if a connector needs a PEM file on disk, set this as the prefix as BASE64_FILE. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.

If no prefix is found the contents of the secret string are returned.