KeyVaultConfigProvider

com.github.jcustenborder.kafka.config.azure.KeyVaultConfigProvider

This config provider is used to retrieve secrets from the Microsoft Azure Key Vault service.

Tip

Config providers can be used with anything that supports the AbstractConfig base class that is shipped with Apache Kafka.

Secret Value

The value for the secret must be formatted as a JSON object. This allows multiple keys of data to be stored in a single secret. The name of the secret in Microsoft Azure Key Vault will correspond to the path that is requested by the config provider.

Example Secret Value
{
  "username" : "db101",
  "password" : "superSecretPassword"
}

Secret Retrieval

The ConfigProvider will use the name of the secret to build the request to the Key Vault service. This behavior can be overridden: after setting config.providers.keyVault.param.prefix=staging- and requesting the secret with ${keyVault:test-secret}, the ConfigProvider will build a request for staging-test-secret. Some behaviors can be overridden by query string parameters, and more than one query string parameter can be used. For example, ${keyVault:test-secret?ttl=30000&version=1} would return the secret named test-secret version 1 with a TTL of 30 seconds. After the TTL has expired, the ConfigProvider will request an updated credential. If you're using this with Kafka Connect, your tasks will be reconfigured if one of the values has changed.

Query string parameters

ttl

Used to override the TTL for the secret.

Default Value: Value specified by config.providers.keyVault.param.secret.ttl.ms

Example: ${keyVault:test-secret?ttl=60000}

version

Used to override the version of the secret.

Default Value: latest

Example: ${keyVault:test-secret?version=1}
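
The reference syntax described in this section, modelled as an added Python example (not code from the provider itself): it splits a reference into secret name, version and TTL, applies the prefix, and selects one key from the JSON secret value. The function names, the optional trailing :key part (Kafka's general ${provider:path:key} form) and the rejection of unlisted parameters are assumptions of this example.

```python
import json
import re
from urllib.parse import parse_qs

# Kafka's general placeholder form is ${provider:[path:]key}. The page's
# examples give only the secret name after the provider; the optional
# trailing ":key" handled here is an assumption about this provider.
REF = re.compile(r"^\$\{(?P<provider>[^:}]+):(?P<path>[^:}]+)(?::(?P<key>[^:}]+))?\}$")

DEFAULT_TTL_MS = 300000  # documented default of secret.ttl.ms


def resolve(reference, prefix="", default_ttl_ms=DEFAULT_TTL_MS):
    """Return the Key Vault request a reference maps to (illustrative model)."""
    match = REF.match(reference)
    if match is None:
        raise ValueError("not a config provider reference: %r" % reference)
    name, _, query = match["path"].partition("?")
    params = parse_qs(query, strict_parsing=True) if query else {}
    unknown = set(params) - {"ttl", "version"}  # only these two are listed on the page
    if unknown:
        raise ValueError("unsupported parameter(s): %s" % sorted(unknown))
    return {
        "provider": match["provider"],
        "secret_name": prefix + name,  # the prefix is prepended to the requested name
        "version": params.get("version", ["latest"])[-1],
        "ttl_ms": int(params.get("ttl", [default_ttl_ms])[-1]),
        "key": match["key"],
    }


def select(secret_json, key=None):
    """Parse the JSON secret value and return one key, or the whole map."""
    data = json.loads(secret_json)
    if not isinstance(data, dict):
        raise ValueError("secret value must be a JSON object")
    return data if key is None else data[key]


# Constructed sample value, same shape as the page's example secret.
SAMPLE = '{"username": "db101", "password": "superSecretPassword"}'

if __name__ == "__main__":
    req = resolve("${keyVault:test-secret?ttl=30000&version=1}", prefix="staging-")
    print(req)
    print(select(SAMPLE, "username"))
```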

Configuration

General

vault.url

The vault URL to connect to. For example, https://example.vault.azure.net/

Importance: HIGH

Type: STRING

client.id

The client ID of the application.

Importance: HIGH

Type: STRING

credential.type

The type of credentials to use.

ClientCertificate - Uses the ClientCertificateCredential.
ClientSecret - Uses the ClientSecretCredential.
DefaultAzure - Uses the DefaultAzureCredential.
UsernamePassword - Uses the UsernamePasswordCredential.

Importance: HIGH

Type: STRING

Default Value: DefaultAzure

Validator: Matches: DefaultAzure, ClientSecret, ClientCertificate, UsernamePassword

tenant.id

The tenant ID of the application.

Importance: HIGH

Type: STRING

secret.prefix

Sets a prefix that will be added to all paths. For example, you can use staging or production, and all of the calls to Secrets Manager will be prefixed with that path. This allows the same configuration settings to be used across multiple environments.

Importance: LOW

Type: STRING

secret.ttl.ms

The minimum amount of time that a secret should be used. After this TTL has expired Secrets Manager will be queried again in case there is an updated configuration.

Importance: LOW

Type: LONG

Default Value: 300000

Validator: [1000,…]

Client Certificate

client.certificate.path

Location on the local filesystem for the client certificate that will be used to authenticate to Azure.

Importance: HIGH

Type: STRING

client.certificate.pfx.password

The password protecting the PFX file.

Importance: HIGH

Type: PASSWORD

Default Value: [hidden]

client.certificate.send.certificate.chain.enabled

Flag to indicate whether the certificate chain should be sent as part of the authentication request.

Importance: HIGH

Type: BOOLEAN

client.certificate.type

The type of encoding used on the file specified in client.certificate.path.

PEM - Certificate is formatted using PEM encoding.
PFX - Certificate is formatted using PFX encoding. client.certificate.pfx.password is required.

Importance: HIGH

Type: STRING

Default Value: PEM

Validator: Matches: PEM, PFX

Client Secret

client.secret

The client secret for the authentication.

Importance: HIGH

Type: PASSWORD

Default Value: [hidden]

Username and Password

password

The password to authenticate with.

Importance: HIGH

Type: PASSWORD

Default Value: [hidden]

username

The username to authenticate with.

Importance: HIGH

Type: STRING