View the latest documentation 5.5
Secure secrets in Azure KeyVault and use them in Kafka Connect. This plugin must be added to the classpath of each Kafka Connect worker.
# set the jar on the classpath export CLASSPATH=secret-provider-X.X.X-all.jar # start your Connect worker /usr/bin/connect-distributed /etc/kafka/worker.props
Two authentication methods are support:
Example worker properties file:
config.providers=azure config.providers.azure.class=io.lenses.connect.secrets.providers.AzureSecretProvider config.providers.azure.param.azure.auth.method=credentials config.providers.azure.param.azure.client.id=your-client-id config.providers.azure.param.azure.secret.id=your-secret-id config.providers.azure.param.azure.tenant.id=your-tenant-id config.providers.azure.param.file.dir=/connector-files/azure
To use this provider in a connector, reference the keyvault containing the secret and the key name for the value of the connector property.
The indirect reference is in the form ${provider:path:key} where:
For example, if we store two secrets:
in a Keyvault called my-azure-key-vault we would set:
name=my-sink class=my-class topics=mytopic username=${azure:my-azure-key-vault.vault.azure.net:my_username} password=${azure:my-azure-key-vault.vault.azure.net:my_password}
This would resolve at runtime to:
name=my-sink class=my-class topics=mytopic username=lenses password=my-secret-password
The provider handles the following types:
The provider will look for a tag attached to the secret called file-encoding. The value for this tag can be:
The UTF8 means the value returned is the string retrieved for the secret key. The BASE64 means the value returned is the base64 decoded string retrieved for the secret key.
If the value for the tag is UTF8_FILE the string contents as are written to a file. The returned value from the connector configuration key will be the location of the file. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.
If the value for the tag is BASE64_FILE the string contents are based64 decoded and are written to a file. The returned value from the connector configuration key will be the location of the file. For example, if a connector needs a PEM file on disk, set this as the prefix as BASE64_FILE. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.
If no tag is found the contents of the secret string are returned.
On this page