No Inline Credentials in Connector Config

Connector spec.config must not embed raw passwords, JAAS strings, or AWS keys. Only ${secret:...} or ${vault:...} references.

“We can't ship a connector to prod with the database password sitting in the JSON — InfoSec blocks it every time.”

Rationale

Inline credentials in Connect configs are the #1 finding in PCI and SOC2 audits of Kafka deployments: the Connect REST API returns configs in plaintext, they surface in logs, and they propagate through GitOps repositories. The fix rejects anything that looks like an inline secret in spec.config values and requires secret-provider references (${secret:...}, ${vault:...}, ${file:...}) instead. This catches the common copy-paste-from-Stack-Overflow failure at admission time, before the connector is created.

Pattern

no spec.config value containing password=, a raw sasl.jaas.config string, or an AKIA* access key id

Examples

Compliant (secret-provider references):
spec.config["connection.password"]: "${secret:db/payments-prod:password}"
spec.config["consumer.override.sasl.jaas.config"]: "${vault:kafka/payments:jaas}"

Rejected (inline credentials):
spec.config["connection.password"]: "hunter2"
spec.config["consumer.override.sasl.jaas.config"]: PlainLoginModule required username="app" password="hunter2"
spec.config["aws.access.key.id"]: "AKIAIOSFODNN7EXAMPLE"

Parameters

Name: secret_prefixes
Default: ["${secret:","${vault:","${file:","${env:"]
Description: Allowed prefixes for any value that looks like a secret.

Name: blocked_keys
Default: ["connection.password","consumer.override.sasl.jaas.config","producer.override.sasl.jaas.config","aws.secret.access.key"]
Description: Config keys that must use a secret reference.

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# Connector configs are flat strings — use bracket access for dotted keys.
# The rules ban: raw 'password=' in JAAS, AWS access keys, and any value on a
# sensitive key that does not start with a secret-provider prefix.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: connector-no-inline-credentials
spec:
  targetKind: Connector
  description: Connector config must reference secrets via ${secret:...} / ${vault:...}
  rules:
    - condition: '!("connection.password" in spec.config) || spec.config["connection.password"].startsWith("${secret:") || spec.config["connection.password"].startsWith("${vault:") || spec.config["connection.password"].startsWith("${file:") || spec.config["connection.password"].startsWith("${env:")'
      errorMessage: "connection.password must be a secret reference (${secret:...}, ${vault:...}, ${file:...}, ${env:...}) — not an inline value"
    - condition: '!("consumer.override.sasl.jaas.config" in spec.config) || !spec.config["consumer.override.sasl.jaas.config"].contains("password=")'
      errorMessage: "consumer.override.sasl.jaas.config contains an inline password — use a secret-provider reference"
    - condition: '!("producer.override.sasl.jaas.config" in spec.config) || !spec.config["producer.override.sasl.jaas.config"].contains("password=")'
      errorMessage: "producer.override.sasl.jaas.config contains an inline password — use a secret-provider reference"
    - condition: '!("aws.secret.access.key" in spec.config) || spec.config["aws.secret.access.key"].startsWith("${")'
      errorMessage: "aws.secret.access.key must be a secret-provider reference, not an inline AWS key"
    # Enforces the AKIA* part of the Pattern, which the rules above do not cover.
    - condition: '!("aws.access.key.id" in spec.config) || !spec.config["aws.access.key.id"].startsWith("AKIA")'
      errorMessage: "aws.access.key.id looks like an inline AWS access key (AKIA...); use a secret-provider reference"
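The same rules as a local pre-admission check, as an added example that is not Conduktor's code: it mirrors the policy's parameters and Pattern in Python so a connector manifest can be linted in CI before Console sees it. The flat spec.config map is passed in as a dict, and the sample configs are constructed from the page's example values.

```python
import re

# Defaults from the policy's secret_prefixes parameter.
SECRET_PREFIXES = ("${secret:", "${vault:", "${file:", "${env:")

# Defaults from the policy's blocked_keys parameter.
BLOCKED_KEYS = frozenset({"connection.password", "aws.secret.access.key",
                          "consumer.override.sasl.jaas.config",
                          "producer.override.sasl.jaas.config"})

# The page's Pattern: raw 'password=' in a JAAS string, or an AKIA* key id.
JAAS_PASSWORD_RE = re.compile(r"password\s*=", re.IGNORECASE)
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def check_config(config):
    """Return (key, reason) pairs for every spec.config entry that fails."""
    violations = []
    for key, value in config.items():
        text = str(value)  # connector config values are flat strings
        if text.startswith(SECRET_PREFIXES):
            continue  # ${secret:...} and friends always pass
        if JAAS_PASSWORD_RE.search(text):
            violations.append((key, "inline 'password=' in value"))
        elif AWS_ACCESS_KEY_RE.search(text):
            violations.append((key, "inline AWS access key id (AKIA...)"))
        elif key in BLOCKED_KEYS:
            violations.append((key, "sensitive key must be a secret-provider reference"))
    return violations


# Constructed sample configs built from the page's example values.
COMPLIANT_CONFIG = {
    "connection.password": "${secret:db/payments-prod:password}",
    "consumer.override.sasl.jaas.config": "${vault:kafka/payments:jaas}",
}
INLINE_CONFIG = {
    "connection.password": "hunter2",
    "consumer.override.sasl.jaas.config":
        'PlainLoginModule required username="app" password="hunter2";',
    "aws.access.key.id": "AKIAIOSFODNN7EXAMPLE",
}

if __name__ == "__main__":
    for key, reason in check_config(INLINE_CONFIG):
        print(f"REJECT {key}: {reason}")
```

Running it against INLINE_CONFIG rejects all three page examples with a distinct reason each, while COMPLIANT_CONFIG produces no findings.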
