To address the issue, we recommend using the CREATE SECRET command to store credentials securely. Admins can create secrets in advance, allowing other team members to reference them using secret identifiers when creating source/sink connections. This ensures that secrets remain protected throughout all phases of access.

RisingWave provides four key secret management operations:

  • Creating secrets.
  • Using secrets.
  • Using secrets as a file.
  • Dropping secrets.

In addition, you can use the rw_secrets catalog to view the ID, name, owner, and access control of secret objects.

PREMIUM EDITION FEATURE

This is a Premium Edition feature. All Premium Edition features are available out of the box without additional cost on RisingWave Cloud. For self-hosted deployments, users need to purchase a license key to access this feature. To purchase a license key, please contact sales team at sales@risingwave-labs.com.

For a full list of Premium Edition features, see RisingWave Premium Edition.

Create secrets

You can use the following statement to create secrets:

Syntax for creating secrets

CREATE SECRET secret_name WITH ( backend = 'meta') AS 'your_secret';

Examples

CREATE SECRET mysql_pwd WITH (
  backend = 'meta'
) AS '123';

Currently only the meta backend is supported.

Use secrets

After creating secrets, you can use SECRET your_secret_name as the option value in the WITH clause. For example:

Use a secret in the WITH clause

CREATE SECRET mysql_pwd WITH (
  backend = 'meta'
) AS '123';

CREATE SOURCE mysql_source WITH (
connector = 'mysql-cdc',
hostname = 'localhost',
port = '8306',
username = 'rwcdc',
password = secret mysql_pwd,
database.name = 'test',
server.id = '5601'
);

Use secrets as a file

Some connectors need credentials stored as file paths (e.g., ssl.ca.location), where the file contains the secret. RisingWave allows you to reference a secret as a file path.

Reference a secret as a file path

CREATE TABLE district (
    d_id INTEGER,
    PRIMARY KEY (d_id)
) with (
    connector = 'kafka',
    topic = 'your-topic',
    properties.bootstrap.server = 'your-broker-address:29092',
    ssl.ca.location = SECRET kafka_ca AS FILE,
    ssl.certificate.location = SECRET kafka_cert AS FILE,
    ssl.key.location = SECRET kafka_key AS FILE,
    ssl.key.password = SECRET kafka_password,
) FORMAT DEBEZIUM ENCODE JSON;

Drop secrets

You can use the following statement to drop secrets:

Syntax for dropping secrets

DROP SECRET secret_name;

Examples

Here is an example. We create a secret named mysql_pwd, and then use it in the WITH clause. After that, we use the SHOW CREATE SOURCE command to view the password.

CREATE SECRET mysql_pwd WITH ( backend = 'meta' ) AS '123';

CREATE SOURCE mysql_source WITH (
 connector = 'mysql-cdc',
 hostname = 'localhost',
 port = '8306',
 username = 'rwcdc',
 password = secret mysql_pwd,
 database.name = 'test',
 server.id = '5601'
);

SHOW CREATE SOURCE mysql_source;

---RESULT
--- public.mysql_mydb | CREATE SOURCE mysql_mydb WITH (connector = 'mysql-cdc', hostname = 'mysql', port = '3306', username = 'root', password = secret mysql_pwd, database.name = 'mydb', server.id = '2') FORMAT PLAIN ENCODE JSON

As shown in the result, the MySQL password is hidden, ensuring no secret leaks.

Notes for open-source deployment

To use secret management, you need to set the environment variable RW_SECRET_STORE_PRIVATE_KEY_HEX to a hex representation of a 128-bit key (e.g. 0123456789abcdef). This key is used to encrypt secrets in RisingWave. You MUST NOT lose this key, as it is required to decrypt secrets.

To specify the temporary secret file directory, set RW_TEMP_SECRET_FILE_DIR. This is only used with the as file option.

See also