Manage secrets
By default, credentials for connecting to external services (like MySQL) are specified in plain text within the WITH
clause of CREATE SOURCE / SINK
statements. This practice poses security risks, particularly for large organizations where multiple teams manage connected services.
To address the issue, we recommend using the CREATE SECRET
command to store credentials securely. Admins can create secrets in advance, allowing other team members to reference them using secret identifiers when creating source/sink connections. This ensures that secrets remain protected throughout all phases of access.
RisingWave provides four key secret management operations:
- Creating secrets.
- Using secrets.
- Using secrets as a file.
- Dropping secrets.
In addition, you can use the rw_secrets catalog to view the ID, name, owner, and access control of secret objects.
PREMIUM EDITION FEATURE
This feature is exclusive to RisingWave Premium Edition that offers advanced capabilities beyond the free versions. For a full list of premium features, see RisingWave Premium Edition. If you encounter any questions, please contact sales team at sales@risingwave-labs.com.
PUBLIC PREVIEW
This feature is in the public preview stage, meaning it’s nearing the final product but is not yet fully stable. If you encounter any issues or have feedback, please contact us through our Slack channel. Your input is valuable in helping us improve the feature. For more information, see our Public preview feature list.
Create secrets
You can use the following statement to create secrets:
Syntax for creating secrets
Examples
Currently only the meta backend is supported.
Use secrets
After creating secrets, you can use SECRET your_secret_name
as the option value in the WITH
clause. For example:
Use a secret in the WITH clause
Use secrets as a file
Some connectors need credentials stored as file paths (e.g., ssl.ca.location
), where the file contains the secret. RisingWave allows you to reference a secret as a file path.
Reference a secret as a file path
Drop secrets
You can use the following statement to drop secrets:
Syntax for dropping secrets
Examples
Here is an example. We create a secret named mysql_pwd
, and then use it in the WITH
clause. After that, we use the SHOW CREATE SOURCE
command to view the password.
As shown in the result, the MySQL password is hidden, ensuring no secret leaks.
Notes for open-source deployment
To use secret management, you need to set the environment variable RW_SECRET_STORE_PRIVATE_KEY_HEX
to a hex representation of a 128-bit key (e.g. 0123456789abcdef
). This key is used to encrypt secrets in RisingWave. You MUST NOT lose this key, as it is required to decrypt secrets.
To specify the temporary secret file directory, set RW_TEMP_SECRET_FILE_DIR
. This is only used with the as file
option.
See also
- CREATE SECRET: Creating a secret.
- DROP SECRET: Dropping a secret.
Was this page helpful?