Skip to main content

Configure Azure Key Vault

Configure and use Azure Key Vault as a secret provider in Aiven for Apache Kafka® Connect services.

Prerequisites

note

The integration with Azure Key Vault is not yet available on the Aiven Console.

important

Secrets stored in Azure Key Vault must have an expiration date set. Secrets without an expiration date cause the connector to restart continuously.

Configure secret providers

Set up Azure Key Vault in your Aiven for Apache Kafka Connect service to manage and access sensitive information.

Use the ServiceUpdate API to update your service configuration. Add the Azure Key Vault configuration to the user_config using the following API request:

curl --request PUT \
--url https://api.aiven.io/v1/project/{PROJECT_NAME}/service/{SERVICE_NAME} \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"user_config": {
"secret_providers": [
{
"name": "azure",
"azure": {
"auth_method": "credentials",
"client_id": "your-azure-client-id",
"tenant_id": "your-azure-tenant-id",
"secret": "your-azure-client-secret"
}
}
]
}
}'

Parameters:

  • url: API endpoint for updating the service configuration. Replace PROJECT_NAME and SERVICE_NAME with your project and service names.
  • Authorization: Token used for authentication. Replace YOUR_BEARER_TOKEN with your Aiven API token.
  • Content-Type: Specifies that the request body is in JSON format.
  • auth_method: Authentication method used by Azure Key Vault. Set to credentials.
  • client_id: Azure service principal client ID.
  • tenant_id: Azure service principal tenant ID.
  • secret: Azure service principal client secret.

Reference secrets in connector configurations

You can use secrets stored in Azure Key Vault with any connector. The format for referencing secrets is:

${PROVIDER_NAME:VAULT_NAME.vault.azure.net:SECRET_NAME}

Parameters:

  • PROVIDER_NAME: Name of your secret provider configuration, such as azure.
  • VAULT_NAME.vault.azure.net: Your Azure Key Vault hostname without https://.
  • SECRET_NAME: Name of the secret in Azure Key Vault.

The examples below show how to configure secrets for JDBC connectors, but you can follow the same steps for other connectors.

JDBC sink connector

Configure a JDBC sink connector using the API with secrets referenced from Azure Key Vault.

curl --request POST \
--url https://api.aiven.io/v1/project/{PROJECT_NAME}/service/{SERVICE_NAME}/connectors \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"name": "YOUR_CONNECTOR_NAME",
"connector.class": "io.aiven.connect.jdbc.JdbcSinkConnector",
"connection.url": "jdbc:{DATABASE_TYPE}://{HOST}:{PORT}/{DATABASE_NAME}?user=${azure:your-vault.vault.azure.net:db-username}&password=${azure:your-vault.vault.azure.net:db-password}&ssl=require",
"topics": "YOUR_TOPIC",
"auto.create": true
}'

Parameters:

  • PROJECT_NAME: Name of your Aiven project.
  • SERVICE_NAME: Name of your Aiven Kafka service.
  • name: Name of the connector.
  • connector.class: Specifies the connector class to use, in this case, io.aiven.connect.jdbc.JdbcSinkConnector.
  • connection.url: JDBC connection URL with placeholders for DATABASE_TYPE, HOST, PORT, DATABASE_NAME, and the username and password retrieved from Azure Key Vault.
  • topics: Apache Kafka topic where the data can be sent.
  • auto.create: If true, the connector automatically creates the table in the target database if it does not exist.

JDBC source connector

Configure a JDBC source connector using the API with secrets referenced from Azure Key Vault.

curl -X POST https://api.aiven.io/v1/project/{PROJECT_NAME}/service/{SERVICE_NAME}/connectors \
-H "Authorization: Bearer YOUR_BEARER_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "your-source-connector-name",
"connector.class": "io.aiven.connect.jdbc.JdbcSourceConnector",
"connection.url": "jdbc:{DATABASE_TYPE}://{HOST}:{PORT}/{DATABASE_NAME}?ssl=require",
"connection.user": "${azure:your-vault.vault.azure.net:db-username}",
"connection.password": "${azure:your-vault.vault.azure.net:db-password}",
"incrementing.column.name": "id",
"mode": "incrementing",
"table.whitelist": "your-table",
"topic.prefix": "your-prefix_",
"auto.create": "true"
}'

Parameters:

  • PROJECT_NAME: Name of your Aiven project.
  • SERVICE_NAME: Name of your Aiven for Apache Kafka service.
  • name: Name of the connector.
  • connector.class: Specifies the connector class to use, in this case, io.aiven.connect.jdbc.JdbcSourceConnector.
  • connection.url: JDBC connection URL with placeholders for DATABASE_TYPE, HOST, PORT, and DATABASE_NAME.
  • connection.user: Database username retrieved from Azure Key Vault.
  • connection.password: Database password retrieved from Azure Key Vault.
  • incrementing.column.name: Column used for incrementing mode.
  • mode: Mode of operation, in this case, incrementing.
  • table.whitelist: Tables to include.
  • topic.prefix: Prefix for Apache Kafka topics.
  • auto.create: If true, the connector automatically creates the table in the target database if it does not exist.