Skip to content

Command based secret provider

If none of the supported secrets provider fits your use case, Zoe provides a generic secrets provider that delegates secrets deciphering to a custom command.

You can use this provider by adding the following to your zoe config:

secrets:
  provider: exec
  command: [ "command", "{secretName}" ]
  timeoutMs: 30000  # default is: 60000

This provider catches all secrets in your configuration properties that are in the format: secret:SECRET_NAME or secret:CONTEXT:SECRET_NAME and allows you to use the captured SECRENT_NAME and CONTEXT fields in your command by using the {secretName} and {context} pattern (cf. The example above).

Example

Suppose you have the following configuration:

secrets:
    provider: exec
    command: [ "/fetch-secret.sh", "{context}", "{secretName}" ]

clusters:

  my-kafka-cluster:
    props:
      bootstrap.servers: my-kafka-cluster-staging.example.com:9092
      security.protocol: SASL_SSL
      sasl.mechanism: SCRAM-SHA-256
      sasl.jaas.config: secret:pro:JAAS_CONFIG

When using the zoe -c my-kafka-cluster consume topics -n 10, zoe will detect the secret:pro:JAAS_CONFIG string and tries to replace with the output of the following command:

/fetch-secret.sh "PRO" "JAAS_CONFIG"