KIP-297 — Externalizing Secrets for Connect Configurations
Accepted Kafka 2.0 ConnectSecurity
Introduces a ConfigProvider SPI for Kafka Connect that resolves ${provider:path:key} placeholders in connector configs from external secret stores like Vault, AWS Secrets Manager, or Kubernetes Secrets. Connector configurations containing passwords and credentials were stored in plaintext in Connect's internal config topic, accessible to anyone with Read permission on that topic.
Details
| Author | Robert Yokota |
| Status | Accepted |
| Kafka Version | 2.0 |
| JIRA | KAFKA-6886 |
| Wiki | View on Apache Wiki |
| Created | 2018-05-07 |
| Last Modified | 2018-08-28 |
Explore how this KIP affects the Kafka protocol in the Protocol Explorer, or see the full KIP database.