Skip to main content

Enable and configure SASL authentication

Aiven for Apache Kafka® provides multiple authentication methods to secure your Apache Kafka® data, including the highly secure Simple Authentication and Security Layer (SASL).

Enable SASL authentication

  1. Access the Aiven Console and select your Aiven for Apache Kafka service.
  2. Click Service settings.
  3. Scroll to Advanced configuration and click Configure.
  4. In the Advanced configuration window, set kafka_authentication_methods.sasl to Enabled.
  5. Click Save configurations.

The Connection information in the Overview page now allows connections via SASL or Client certificate.

note

Although these connections use a different port, the host, CA, and user credentials remain consistent.

Configure SASL mechanisms

After enabling SASL authentication, fine-tune the active SASL mechanisms for your Aiven for Apache Kafka service. By default, all mechanisms (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512) are enabled. Configure these settings only to disable any mechanisms.

  1. Access the Aiven Console and select your Aiven for Apache Kafka® service.

  2. Click Service settings.

  3. Scroll to Advanced configuration and click Configure.

  4. In the Advanced configuration window, set the corresponding kafka_sasl_mechanisms value to either Enabled or Disabled:

    • PLAIN: kafka_sasl_mechanisms.plain
    • SCRAM-SHA-256: kafka_sasl_mechanisms.scram_sha_256
    • SCRAM-SHA-512: kafka_sasl_mechanisms.scram_sha_512

  5. Click Save configurations.

note
  • At least one SASL mechanism must remain enabled. Disabling all results in an error.
  • OAUTHBEARER is enabled if sasl_oauthbearer_jwks_endpoint_url is specified.