AES256
Secure Kafka Connect secrets with AES256 encryption.
This page describes install the Lenses Secret Providers for Kafka Connect.
Add the plugin to the worker classloader isolation via the plugin.path option:
plugin.path=/usr/share/connectors,/opt/secret-providersFor Azure do not use the classloader isolation (plugin.path) that Kafka Connect provides. The Azure SDK uses the default classloader and will not find the HTTP client.
To allow for secret rotation add config.action.reload to your Connect workers properties files.
This property accepts one of two options:
none - No action happens at a connector failure (e.g. it can no longer connect to an external system)
restart - The work will schedule a restart of the connector
Secrets will only be reloaded if the Connector restarts.
To use this provider in a connector, reference the ENVSecretProvider environment variable providing the value of the connector property.
The indirect reference is in the form ${provider::key} where:
provider is the name of the provider in the worker property file set above
key is the name of the environment variable holding the secret.
For example, if we store two secrets as environment variables:
MY_ENV_VAR_USERNAME with the value lenses and
MY_ENV_VAR_PASSWORD with the value my-secret-password
we would set:
This would resolve at runtime to:
This provider inspects the value of the environment to determine how to process the value. The value can optionally provide value metadata to support base64 decoding and writing values to files.
To provide metadata the following patterns are expected:
where value is the actual payload and metadata can be one of the following:
ENV-base64 - the provider will attempt to base64 decode the value string
ENV-mounted-base64 - the provider will attempt to base64 decode the value string and write to a file
ENV-mounted - the provider will write the value to a file
if no metadata is found the value of the environment variable is returned.
config.providers=env
config.providers.env.class=io.lenses.connect.secrets.providers.ENVSecretProvider
config.providers.env.param.file.dir=my-secret-dirname=my-sink
class=my-class
topics=mytopic
username=${env::MY_ENV_VAR_USERNAME}
password=${env::MY_ENV_VAR_PASSWORD}name=my-sink
class=my-class
topics=mytopic
username=lenses
password=my-secret-passwordDecodes values encoded with AES-256 to enable passing encrypted values to connectors.
Secrets will only be reloaded if the Connector restarts.
Add the plugin to the worker classloader isolation via the plugin.path option:
The provider gets AES-256 encrypted value as a key and simply decrypts it to get the value (instead of e.g. looking up for the value somewhere).
The AES-256 encryption used for the value needs to be prefixed with base64 encoded initialisation vector and a space character, the encrypted value is also base64 encoded. So to corretly encrypt value1 I need to follow following steps:
encrypted-bytes = aes-256 encrypted value1
encrypted-base64 = base64 encrypted-bytes
initialisation-vector = random bytes
iv-base64 = base64 initialisation-vector
encrypted-value = iv-base64 + + encrypted-base64
The plugin needs to be configured with secret key that will be used for decoding. The key is a string and needs to have size of 32 bytes (UTF-8 encoded).
aes256.key
Secret key used for encrypting and decrypting the value. String of 32 bytes.
Example worker properties file:
To use this provider in a connector, reference the keyvault containing the secret and the key name for the value of the connector property.
The indirect reference is in the form ${provider:path:key} where:
provider is the name of the provider in the worker property file set above
path used to provide encoding of the value: utf8, utf8_file, base64, base64_file
key is the AES-256 encrypted value to be decrypted by the plugin
For example, if hello aes-256 encrypted using some key equals to xyxyxy - then if I configure connector to use ${aes256::xyxyxy} for a parameter value, the value should be substituted with “hello” string:
This would resolve at runtime to:
path belonging to key reference is used to specify encoding used to pass the value. The provider supports following encodings:
base64: base-64 encoding of the textual value
base64_file: base-64 encoding of the value that when decrypted should be stored in the file
utf8_file: utf-8 encoding of the value that when decrypted should be stored in the file
utf8: utf-8 encoding of textual value
The UTF8 means the value returned is the decrypted value of the encrypted value (key). The BASE64 means the value returned is the base64 decoded decrypted value of the encrypted value (key).
If the value for the encoding is UTF8_FILE the string contents are written to a file. The name of the file will be randomply generated. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.
If the value for the encoding is BASE64_FILE the string contents are based64 decoded and written to a file. The name of the file will be randomply generated. For example, if a connector needs a PEM file on disk, set this as the path as BASE64_FILE. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.
If the key reference path is not set or is set to unknown value - utf8 encoding is used as default.
For example, if we want to save hi there ! to the file, and aes-256 encrypted content equals xyxyxy - then if I configure connector to use ${aes256:utf8_file:xyxyxy} for a parameter value, the provider will create new file with random name (abc-def-ghi) and store hi there ! to the file. If configured store directory is /store-root, he value will be substituted with /store-root/secrets/abc-def-ghi string:
resolves to
plugin.path=/usr/share/connectors,/opt/secret-providersconfig.providers=aes256
config.providers.aes256.class=io.lenses.connect.secrets.providers.Aes256DecodingProvider
config.providers.aes256.param.aes256.key=aaaaaaaaaabbbbbbbbbbccccccccccdd
config.providers.aes256.param.file.dir=/tmp/aes256name=my-sink
class=my-class
topics=mytopic
greeting=${aes256::xyxyxy}name=my-sink
class=my-class
topics=mytopic
greeting=helloname=my-sink
class=my-class
topics=mytopic
greeting=${aes256:utf8_file:xyxyxy}name=my-sink
class=my-class
topics=mytopic
greeting=/store-root/secrets/abc-def-ghicredentials. When using this configuration the client-id, tenant-id and secret-id for an Azure service principal that has access to key vaults must be provided
default. This method uses the default credential provider chain from Azure. The default credential first checks environment variables for configuration. If the environment configuration is incomplete, it will try to use managed identities.
azure.auth.method
Azure authenticate method. ‘credentials’ to use the provided credentials or ‘default’ for the standard Azure provider chain
credentials
azure.client.id
Azure client id for the service principal. Valid is auth.method is ‘credentials’
azure.tenant.id
Azure tenant id for the service principal. Valid is auth.method is ‘credentials’
Example worker properties file:
To use this provider in a connector, reference the keyvault containing the secret and the key name for the value of the connector property.
The indirect reference is in the form ${provider:path:key} where:
provider is the name of the provider in the worker property file set above
path is the URL of the Azure KeyVault. DO NOT provide the https:// protocol for the in the keyvault name as the Connect worker will not parse it correctly
key is the name of the secret key in the Azure KeyVault
For example, if we store two secrets:
my_username with the value lenses and
my_password with the value my-secret-password
in a Keyvault called my-azure-key-vault we would set:
This would resolve at runtime to:
The provider handles the following types:
utf_8
base64
The provider will look for a tag attached to the secret called file-encoding. The value for this tag can be:
UTF8
UTF_FILE
BASE64
BASE64_FILE
The UTF8 means the value returned is the string retrieved for the secret key. The BASE64 means the value returned is the base64 decoded string retrieved for the secret key.
If the value for the tag is UTF8_FILE the string contents as are written to a file. The returned value from the connector configuration key will be the location of the file. The file location is determined by the file.dir configuration option is given to the provider via the Connect worker.properties file.
If the value for the tag is BASE64_FILE the string contents are based64 decoded and are written to a file. The returned value from the connector configuration key will be the location of the file. For example, if a connector needs a PEM file on disk, set the prefix as BASE64_FILE. The file location is determined by the file.dir configuration option is given to the provider via the Connect worker.properties file.
If no tag is found the contents of the secret string are returned.
config.providers=azure
config.providers.azure.class=io.lenses.connect.secrets.providers.AzureSecretProvider
config.providers.azure.param.azure.auth.method=credentials
config.providers.azure.param.azure.client.id=your-client-id
config.providers.azure.param.azure.secret.id=your-secret-id
config.providers.azure.param.azure.tenant.id=your-tenant-id
config.providers.azure.param.file.dir=/connector-files/azurename=my-sink
class=my-class
topics=mytopic
username=${azure:my-azure-key-vault.vault.azure.net:my_username}
password=${azure:my-azure-key-vault.vault.azure.net:my_password}name=my-sink
class=my-class
topics=mytopic
username=lenses
password=my-secret-passwordazure.secret.id
Azure secret id for the service principal. Valid is auth.method is ‘credentials’
file.dir
The base location for any files to stored
This page describes how to retrieve secrets from AWS Secret Manager for use in Kafka Connect.
Secure secrets in AWS Secret Manager and use them in Kafka Connect.
Secrets will only be reloaded if the Connector restarts.
Two authentication methods are supported:
credentails. When using this configuration the access-key and secret-key are used.
default. This method uses the default credential provider chain from AWS. The default credential first checks environment variables for configuration. If the environment configuration is incomplete, Java props, then the profile file and finally it will try managed identity.
Example Worker Properties
To use this provider in a connector, reference the SecretManager containing the secret and the key name for the value of the connector property.
The indirect reference is in the form ${provider:path:key} where:
provider is the name of the provider in the worker property file set above
path is the name of the secret
key is the name of the secret key in secret to retrieve. AWS can store multiple keys under a path.
For example, if we store two secrets as keys:
my_username_key with the value lenses and
my_password_key with the value my-secret-password
in a secret called my-aws-secret we would set:
This would resolve at runtime to:
AWS SecretManager BinaryString (API only), is not supported. The secrets must be stored under the secret name in key, value pair format. The provider checks the SecretString API and expects a JSON string to be returned.
For example for an RDS Postgre secret, the following is returned by AWS Secret Manager:
The provider handles the following types:
utf_8
base64
The provider will look for keys prefixed with:
UTF8
UTF_FILE
BASE64
BASE64_FILE
The UTF8 means the value returned is the string retrieved for the secret key. The BASE64 means the value returned is the base64 decoded string retrieved for the secret key.
If the value for the tag is UTF8_FILE the string contents are written to a file. The returned value from the connector configuration key will be the location of the file. The file location is determined by the file.dir configuration option is given to the provider via the Connect worker.properties file.
If the value for the tag is BASE64_FILE the string contents are based64 decoded and written to a file. The returned value from the connector configuration key will be the location of the file. For example, if a connector needs a PEM file on disk, set the prefix as BASE64_FILE. The file location is determined by the file.dir configuration option is given to the provider via the Connect worker.properties file.
If no prefix is found the contents of the secret string are returned.
AWS region the for the Secrets manager
file.dir
The base location for any files to stored
file.write
Writes secrets to file on path. Required for Java trust stores, key stores, certs that need to be loaded from file. For ease of use for the secret provider, this is disabled by default.
false
secret.default.ttl
If no TTL is configured in AWS Secrets Manager, apply a default TTL (in milliseconds).
(not enabled)
aws.endpoint.override
Specify the secret provider endpoint.
(not enabled)
secret.type
Specify the type of secrets stored in Secret Manager. Defaults to JSON, to enable String secret values set this property as STRING.
JSON
aws.auth.method
AWS authenticate method. ‘credentials’ to use the provided credentials or ‘default’ for the standard AWS provider chain
credentials
aws.access.key
AWS client key. Valid is auth.method is ‘credentials’
aws.secret.key
AWS secret key. Valid is auth.method is ‘credentials’
aws.region
config.providers=aws
config.providers.aws.class=io.lenses.connect.secrets.providers.AWSSecretProvider
config.providers.aws.param.aws.auth.method=credentials
config.providers.aws.param.aws.access.key=your-client-key
config.providers.aws.param.aws.secret.key=your-secret-key
config.providers.aws.param.aws.region=your-region
config.providers.aws.param.file.dir=/connector-files/awsname=my-sink
class=my-class
topics=mytopic
username=${aws:my-aws-secret:my_username_key}
password=${aws:my-aws-secret:my_password_key}name=my-sink
class=my-class
topics=mytopic
username=lenses
password=my-secret-password{
"username": "xxx",
"password": "xxx",
"engine": "postgres",
"host": "xxx",
"port": 5432,
"dbname": "xxx",
"dbInstanceIdentifier": "xxxx"
}This page describes how to retrieve secrets from Hashicorp Vault for use in Kafka Connect.
Secure secrets in Hashicorp Vault and use them in Kafka Connect.
Secrets will only be reloaded if the Connector restarts.
Multiple authentication methods are supported:
approle
userpass
kubernetes
cert
token
ldap
gcp
awsiam
jwt
github
file.dir
The base location for any files to be stored
file.write
Writes secrets to file on path. Required for Java trust stores, key stores, certs that need to be loaded from file. For ease of use for the secret provider, this is disabled by default.
vault.auth.method
Available values are approle, userpass, kubernetes, cert, token, ldap, gcp, awsiam, jwt, github, token
vault.addr
Address of the Vault server
vault.token
Use when ‘vault.auth.method’ is ‘token’ to specify the token value
Example Worker Properties
To use this provider in a connector, reference the Hashicorp Vault containing the secret and the key name for the value of the connector property.
The indirect reference is in the form ${provider:path:key} where:
provider is the name of the provider in the worker property file set above
path is the path of the secret in Hashicorp Vault
key is the name of the secret key in secret to retrieve. Vault can store multiple keys under a path.
For example, if we store two secrets as keys:
my_username_key with the value lenses and
my_password_key with the value my-secret-password
in a secret called secret/my-vault-secret we would set:
This would resolve at runtime to:
The provider handles the following types:
utf_8
base64
The provider will look for keys prefixed with:
UTF8
UTF_FILE
BASE64
BASE64_FILE
The UTF8 means the value returned is the string retrieved for the secret key. The BASE64 means the value returned is the base64 decoded string retrieved for the secret key.
If the value for the tag is UTF8_FILE the string contents are written to a file. The returned value from the connector configuration key will be the location of the file. The file location is determined by the file.dir configuration option is given to the provider via the Connect worker.properties file.
If the value for the tag is BASE64_FILE the string contents are based64 decoded and are written to a file. The returned value from the connector configuration key will be the location of the file. For example, if a connector needs a PEM file on disk set the prefix as BASE64_FILE. The file location is determined by the file.dir configuration option is given to the provider via the Connect worker.properties file.
If no prefix is found the contents of the secret string are returned.
config.providers=vault
config.providers.vault.class=io.lenses.connect.secrets.providers.VaultSecretProvider
config.providers.vault.param.vault.addr=http://localhost:8200
config.providers.vault.param.vault.auth.method=token
config.providers.vault.param.vault.token=my-token
config.providers.vault.param.file.dir=/connector-files/vaultname=my-sink
class=my-class
topics=mytopic
username=${vault:secret/my-vault-secret:my_username_key}
password=${vault:secret/my-vault-secret:my_password_key}name=my-sink
class=my-class
topics=mytopic
username=lenses
password=my-secret-passwordvault.namespace
Set a global namespace to the Vault server instance. Requires Vault Enterprise Pro
vault.pem
File containing the Vault Server certificate content as string
vault.client.pem
File containing the Client certificate string content as string
vault.engine.version
KV Secrets Engine version of the Vault server instance. Default is 2
vault.ssl.truststore.location
The location of the trust store file
vault.ssl.keystore.location
The location of the key store file
vault.ssl.keystore.password
The password for the key store file
secret.default.ttl
If no TTL is configured in Vault, apply a default TTL.
app.role.id
Use when vault.auth.method is approle or kubernetes to specify the Vault App role id
app.role.secret.id
Use when vault.auth.method is approle tp specify the Vault App role name secret id
app.role.path
Use when vault.auth.method is approle to specify the Vault App role path
username
Use when vault.auth.method is userpass to specify the username to connect to Vault
password
Use when vault.auth.method is userpass to specify the password to connect to Vault
mount
Use when vault.auth.method is userpass to specify the mount name of the userpass authentication back end
ldap.username
Use when vault.auth.method is ldap to specify the LDAP username to connect to Vault with
ldap.password
Use when vault.auth.method is ldap to specify the LDAP password to connect to Vault with
mount
Use when vault.auth.method is ldap to specify the mount name of the ldap authentication back end
jwt.role
Use when vault.auth.method is jwt to specify the role the JWT token belongs to
jwt.provider
Use when vault.auth.method is jwt to specify the provider of the JWT token
jwt
Use when vault.auth.method is jwt to specify the JWT token
gcp.role
Use when vault.auth.method is gcp to specify the gcp role used for authentication
gcp.jwt
Use when vault.auth.method is gcp to specify the JWT token
cert.mount
Use when vault.auth.method is cert to specify the mount name of the cert authentication back end
github.token
Use when vault.auth.method is github to specify the github app-id to use for authentication
github.mount
Use when vault.auth.method is github to specify the mount name of the github authentication back end
kubernetes.role
Use when vault.auth.method is kubernetes to specify the kubernetes role for authentication
kubernetes.token.path
Use when vault.auth.method is kubernetes to specify the path to the service account token . Default is /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes.auth.path
Use when vault.auth.method is kubernetes to specify a custom mount path
aws.role
Use when vault.auth.method is awsiam.
Name of the role to login. If role is not specified, the login endpoint uses the role bearing the name of the AMI ID of the EC2 instance or if using the ec2 auth method the friendly name (i.e., role name or username) of the IAM authenticated principal
aws.request.url
Use when vault.auth.method is awsiam.
PKCS7 signature of the identity document with all n characters removed. Base64-encoded HTTP URL used in the signed request (i.e. base64-encoding of https://sts.amazonaws.com) as most requests will probably use POST with an empty URI
aws.request.body
Use when vault.auth.method is awsiam.
Base64-encoded body of the signed request i.e. base64 of Action=GetCallerIdentity&Version=2011-06-15
aws.request.headers
Use when vault.auth.method is awsiam to specify any request headers
aws.mount
Use when vault.auth.method is awsiam. The AWS auth mount. Default is “aws”
