
Configure HashiCorp Vault

Configure and use HashiCorp Vault as a secret provider in Aiven for Apache Kafka® Connect services.

Prerequisites

Note: The integration with HashiCorp Vault is not yet available on the Aiven Console.

Configure secret providers

Set up HashiCorp Vault in your Aiven for Apache Kafka Connect service to manage and access sensitive information.

Use the ServiceUpdate API to update your service configuration. Add the HashiCorp Vault configuration to the user_config using the following API request:

curl --request PUT \
  --url https://api.aiven.io/v1/project/{PROJECT_NAME}/service/{SERVICE_NAME} \
  --header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
  --header 'Content-Type: application/json' \
  --data '{
    "user_config": {
      "secret_providers": [
        {
          "name": "vault",
          "vault": {
            "auth_method": "token",
            "address": "https://vault.aiven.fi:8200/",
            "token": "YOUR_VAULT_TOKEN"
          }
        }
      ]
    }
  }'

Parameters:

  • PROJECT_NAME: Name of your Aiven project.
  • SERVICE_NAME: Name of your Aiven Kafka service.
  • url: API endpoint for updating service configuration. Replace {PROJECT_NAME} and {SERVICE_NAME} with your project and service names.
  • Authorization: Token used for authentication. Replace YOUR_BEARER_TOKEN with your Aiven API token.
  • Content-Type: Specifies that the request body is in JSON format.
  • auth_method: Authentication method used by HashiCorp Vault. In this case, it is token.
  • address: Address of the HashiCorp Vault server.
  • token: Your HashiCorp Vault token.

Reference secrets in connector configurations

You can use secrets stored in HashiCorp Vault with any connector. The examples below show how to configure secrets for JDBC connectors, but you can follow the same steps for other connectors.

JDBC sink connector

Configure a JDBC sink connector using the API with secrets referenced from HashiCorp Vault:

curl -X POST https://api.aiven.io/v1/project/{PROJECT_NAME}/service/{SERVICE_NAME}/connectors \
  -H "Authorization: Bearer YOUR_BEARER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "your-connector-name",
    "connector.class": "io.aiven.connect.jdbc.JdbcSinkConnector",
    "connection.url": "jdbc:{DATABASE_TYPE}://{HOST}:{PORT}/{DATABASE_NAME}?user=${vault:PATH/TO/SECRET:USERNAME}&password=${vault:PATH/TO/SECRET:PASSWORD}&ssl=require",
    "topics": "your-topic",
    "auto.create": true
  }'

Parameters:

  • PROJECT_NAME: Name of your Aiven project.
  • SERVICE_NAME: Name of your Aiven Kafka service.
  • name: Name of the connector.
  • connector.class: Specifies the connector class to use, in this case, io.aiven.connect.jdbc.JdbcSinkConnector.
  • connection.url: JDBC connection URL with placeholders for DATABASE_TYPE, HOST, PORT, DATABASE_NAME, and the username and password retrieved from HashiCorp Vault.
  • topics: Apache Kafka topic where the data can be sent.
  • auto.create: If true, the connector automatically creates the table in the target database if it does not exist.

JDBC source connector

Configure a JDBC source connector using the API with secrets referenced from HashiCorp Vault:

curl -X POST https://api.aiven.io/v1/project/{PROJECT_NAME}/service/{SERVICE_NAME}/connectors \
  -H "Authorization: Bearer YOUR_BEARER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "your-connector-name",
    "connector.class": "io.aiven.connect.jdbc.JdbcSourceConnector",
    "connection.url": "jdbc:{DATABASE_TYPE}://{HOST}:{PORT}/{DATABASE_NAME}?ssl=require",
    "connection.user": "${vault:PATH/TO/SECRET:USERNAME}",
    "connection.password": "${vault:PATH/TO/SECRET:PASSWORD}",
    "incrementing.column.name": "id",
    "mode": "incrementing",
    "table.whitelist": "your-table",
    "topic.prefix": "your-prefix_",
    "auto.create": true
  }'

Parameters:

  • PROJECT_NAME: Name of your Aiven project.
  • SERVICE_NAME: Name of your Aiven Kafka service.
  • name: Name of the connector.
  • connector.class: Specifies the connector class to use, in this case, io.aiven.connect.jdbc.JdbcSourceConnector.
  • connection.url: JDBC connection URL with placeholders for DATABASE_TYPE, HOST, PORT, and DATABASE_NAME. The username and password are supplied separately in connection.user and connection.password.
  • connection.user: Database username retrieved from HashiCorp Vault.
  • connection.password: Database password retrieved from HashiCorp Vault.
  • incrementing.column.name: Column used for incrementing mode.
  • mode: Mode of operation, in this case, incrementing.
  • table.whitelist: Tables to include.
  • topic.prefix: Prefix for Apache Kafka topics.
  • auto.create: If true, the connector automatically creates the table in the target database if it does not exist.
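
Before posting a connector configuration, you can check that every credential is a ${vault:PATH:KEY} reference and not a literal value, and list the Vault paths the connector reads so the Vault token's policy can be limited to them. The following script is an added example, not part of the Aiven documentation or tooling; the list of sensitive field names, the sample hosts, the kafka/jdbc secret path and the literal password are assumptions made up for illustration.

```python
import re
from urllib.parse import parse_qsl

# Reference syntax shown on this page: ${vault:PATH/TO/SECRET:KEY}
VAULT_REF = re.compile(r"\$\{vault:([^:{}]+):([^:{}]+)\}")
# Assumption: field names treated as credential-bearing; extend per connector.
SENSITIVE = re.compile(r"password|passwd|secret|token|user", re.I)


def plaintext_credentials(config):
    """Names of credential fields whose value is a literal, not a Vault reference."""
    findings = []
    for key, value in config.items():
        if not isinstance(value, str):
            continue
        if SENSITIVE.search(key) and not VAULT_REF.fullmatch(value):
            findings.append(key)
        if key == "connection.url":
            # Credentials may also sit in the JDBC URL query string (sink example).
            query = value.partition("?")[2]
            for name, val in parse_qsl(query, keep_blank_values=True):
                if SENSITIVE.search(name) and not VAULT_REF.fullmatch(val):
                    findings.append(f"{key}?{name}")
    return sorted(findings)


def vault_paths(config):
    """Vault secret paths the connector reads, for scoping the Vault token's policy."""
    text = " ".join(v for v in config.values() if isinstance(v, str))
    return sorted({path for path, _key in VAULT_REF.findall(text)})


# Constructed sample configs (host, secret path and literal password are made up).
SINK_OK = {
    "connector.class": "io.aiven.connect.jdbc.JdbcSinkConnector",
    "connection.url": "jdbc:postgresql://db.example.internal:5432/orders"
                      "?user=${vault:kafka/jdbc:username}"
                      "&password=${vault:kafka/jdbc:password}&ssl=require",
}
SOURCE_BAD = {
    "connector.class": "io.aiven.connect.jdbc.JdbcSourceConnector",
    "connection.url": "jdbc:postgresql://db.example.internal:5432/orders?ssl=require",
    "connection.user": "${vault:kafka/jdbc:username}",
    "connection.password": "example-literal-password",
}

if __name__ == "__main__":
    for cfg in (SINK_OK, SOURCE_BAD):
        print(plaintext_credentials(cfg), vault_paths(cfg))
```

An empty findings list means every credential field resolves through Vault; any name it returns identifies a field (or URL query parameter) that still carries a literal.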