Enable and configure SASL authentication
Aiven for Apache Kafka® provides multiple authentication methods to secure your Apache Kafka® data, including the highly secure Simple Authentication and Security Layer (SASL).
Enable SASL authentication
- Aiven Console
- CLI
- API
- Access the Aiven Console and select your Aiven for Apache Kafka service.
- Click Service settings.
- Scroll to Advanced configuration and click Configure.
- In the Advanced configuration window, set kafka_authentication_methods.sasl to Enabled.
- Click Save configurations.
The Connection information in the Overview page now allows connections via SASL or Client certificate.
Although these connections use a different port, the host, CA, and user credentials remain consistent.
Enable SASL authentication for your Aiven for Apache Kafka service using Aiven CLI:
- Get the name of the Aiven for Apache Kafka service:
  avn service list
  Note the SERVICE_NAME corresponding to your Aiven for Apache Kafka service.
- Enable SASL authentication:
  avn service update SERVICE_NAME -c kafka_authentication_methods.sasl=true
Parameters:
- SERVICE_NAME: Name of your Aiven for Apache Kafka service.
- kafka_authentication_methods.sasl: Set to true to enable SASL authentication.
Use the ServiceUpdate API to enable SASL authentication on an existing service:
curl -X PUT "https://console.aiven.io/v1/project/{project_name}/service/{service_name}" \
-H "Authorization: Bearer <API_TOKEN>" \
-H "Content-Type: application/json" \
-d '{
"user_config": {
"kafka_authentication_methods": {
"sasl": true
}
}
}'
Parameters:
- project_name: Name of your Aiven project.
- service_name: Name of your Aiven for Apache Kafka service.
- API_TOKEN: Personal Aiven token.
- kafka_authentication_methods.sasl: Set to true to enable SASL authentication.
Configure SASL mechanisms
After enabling SASL authentication, fine-tune the active SASL mechanisms for your Aiven for Apache Kafka service. By default, all mechanisms (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512) are enabled. Change these settings only if you want to disable a mechanism.
- Aiven Console
- CLI
- API
- Access the Aiven Console and select your Aiven for Apache Kafka® service.
- Click Service settings.
- Scroll to Advanced configuration and click Configure.
- In the Advanced configuration window, set the corresponding kafka_sasl_mechanisms value to either Enabled or Disabled:
  - PLAIN: kafka_sasl_mechanisms.plain
  - SCRAM-SHA-256: kafka_sasl_mechanisms.scram_sha_256
  - SCRAM-SHA-512: kafka_sasl_mechanisms.scram_sha_512
- Click Save configurations.
Configure SASL mechanisms for your Aiven for Apache Kafka service using Aiven CLI:
- Get the name of the Aiven for Apache Kafka service:
  avn service list
  Note the SERVICE_NAME corresponding to your Aiven for Apache Kafka service.
- Configure specific mechanisms:
  avn service update SERVICE_NAME \
  -c kafka_sasl_mechanisms.plain=true \
  -c kafka_sasl_mechanisms.scram_sha_256=true \
  -c kafka_sasl_mechanisms.scram_sha_512=true
Parameters:
- SERVICE_NAME: Name of your Aiven for Apache Kafka service.
- kafka_sasl_mechanisms.plain: Set to true to enable the PLAIN mechanism.
- kafka_sasl_mechanisms.scram_sha_256: Set to true to enable the SCRAM-SHA-256 mechanism.
- kafka_sasl_mechanisms.scram_sha_512: Set to true to enable the SCRAM-SHA-512 mechanism.
Use the ServiceUpdate API to configure SASL mechanisms on an existing service:
curl -X PUT "https://console.aiven.io/v1/project/{project_name}/service/{service_name}" \
-H "Authorization: Bearer <API_TOKEN>" \
-H "Content-Type: application/json" \
-d '{
"user_config": {
"kafka_sasl_mechanisms": {
"plain": true,
"scram_sha_256": true,
"scram_sha_512": true
}
}
}'
Parameters:
- project_name: Name of your Aiven project.
- service_name: Name of your Aiven for Apache Kafka service.
- API_TOKEN: API token for authentication.
- kafka_sasl_mechanisms.plain: Set to true or false to enable or disable the PLAIN mechanism.
- kafka_sasl_mechanisms.scram_sha_256: Set to true or false to enable or disable the SCRAM-SHA-256 mechanism.
- kafka_sasl_mechanisms.scram_sha_512: Set to true or false to enable or disable the SCRAM-SHA-512 mechanism.
- At least one SASL mechanism must remain enabled. Disabling all results in an error.
- OAUTHBEARER is enabled if sasl_oauthbearer_jwks_endpoint_url is specified.
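An added example (not part of the Aiven documentation): a shell helper that builds the ServiceUpdate payload so that only the mechanisms you name stay enabled, for instance turning off PLAIN and keeping SCRAM. It refuses an empty or misspelled set before anything is sent. The function names and the AIVEN_API_TOKEN variable are assumptions; the mechanism keys and the endpoint are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example: function names and AIVEN_API_TOKEN are assumptions.
# Mechanism keys are the kafka_sasl_mechanisms.* keys documented on this page.
ALL_MECHANISMS="plain scram_sha_256 scram_sha_512"

# build_sasl_payload MECH...
# Prints a user_config JSON body with the listed mechanisms set to true and
# every other mechanism set to false. Returns 1 on invalid input.
build_sasl_payload() {
  local enabled=" $* " m body="" sep=""
  # Reject unknown names so a typo cannot silently disable a mechanism.
  for m in "$@"; do
    case " $ALL_MECHANISMS " in
      *" $m "*) ;;
      *) echo "unknown mechanism: $m" >&2; return 1 ;;
    esac
  done
  # Disabling every mechanism results in an error, so fail before sending.
  if [ "$#" -eq 0 ]; then
    echo "at least one SASL mechanism must remain enabled" >&2
    return 1
  fi
  for m in $ALL_MECHANISMS; do
    case "$enabled" in
      *" $m "*) body="$body$sep\"$m\": true" ;;
      *)        body="$body$sep\"$m\": false" ;;
    esac
    sep=", "
  done
  printf '{"user_config": {"kafka_sasl_mechanisms": {%s}}}\n' "$body"
}

# apply_sasl_payload PROJECT SERVICE MECH...
# Sends the payload with curl; defined here but not called by this script.
apply_sasl_payload() {
  local project="$1" service="$2" payload
  shift 2
  payload="$(build_sasl_payload "$@")" || return 1
  curl -fsS -X PUT "https://console.aiven.io/v1/project/${project}/service/${service}" \
    -H "Authorization: Bearer ${AIVEN_API_TOKEN:?set AIVEN_API_TOKEN}" \
    -H "Content-Type: application/json" \
    -d "$payload"
}

# Print the payload that keeps SCRAM only and disables PLAIN.
build_sasl_payload scram_sha_256 scram_sha_512
```

Review the printed payload first, then call apply_sasl_payload with your project and service names to send it.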