By default, credentials for connecting to external services (like MySQL) are specified in plain text within the WITH clause of CREATE SOURCE / SINK statements. This practice poses security risks, particularly for large organizations where multiple teams manage connected services.
RisingWave provides the CREATE SECRET command to store credentials securely. Admins can create secrets in advance, allowing other team members to reference them using secret identifiers when creating source/sink connections. This ensures that secrets remain protected throughout all phases of access.
RisingWave provides four key secret management operations:
Use SECRET your_secret_name as the option value in the WITH clause. For example:
Use a secret in the WITH clause
Some options take a file path (for example ssl.ca.location), where the file contains the secret. RisingWave allows you to reference a secret as a file path.
Reference a secret as a file path
We create a secret named mysql_pwd, and then use it in the WITH clause. After that, we use the SHOW CREATE SOURCE command to view the password.
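The walk-through above as SQL, extended to the file-path case. This is an added example, not taken from the RisingWave documentation: the object names, host names, secret values and connector settings are constructed, and backend = 'meta' is assumed as the secret backend.

```sql
-- Added example; every name, host and value below is constructed.

-- 1. An admin stores the MySQL password once, under an identifier.
--    backend = 'meta' is the secret backend assumed here.
CREATE SECRET mysql_pwd WITH (
  backend = 'meta'
) AS 'example-password';

-- 2. Other users reference the secret by name, so the plain-text
--    password never appears in their CREATE SOURCE statement.
CREATE SOURCE mysql_source WITH (
  connector = 'mysql-cdc',
  hostname = 'mysql.internal.example',
  port = '3306',
  username = 'rw_cdc',
  password = SECRET mysql_pwd,
  database.name = 'shop',
  server.id = '5601'
);

-- 3. Inspect the stored definition and confirm that the password
--    option carries the reference to mysql_pwd, not the literal value.
SHOW CREATE SOURCE mysql_source;

-- 4. File-path case: the option expects a path, so the secret is
--    referenced AS FILE. The temporary file is written under
--    RW_TEMP_SECRET_FILE_DIR.
CREATE SECRET kafka_ca WITH (
  backend = 'meta'
) AS '<PEM-encoded CA certificate>';

CREATE SOURCE kafka_source (
  order_id INT
) WITH (
  connector = 'kafka',
  topic = 'orders',
  properties.bootstrap.server = 'kafka.internal.example:9093',
  properties.security.protocol = 'SSL',
  properties.ssl.ca.location = SECRET kafka_ca AS FILE
) FORMAT PLAIN ENCODE JSON;
```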
Set RW_SECRET_STORE_PRIVATE_KEY_HEX to a hex representation of a 128-bit key (e.g. 0123456789abcdef). This key is used to encrypt secrets in RisingWave. You MUST NOT lose this key, as it is required to decrypt secrets.
To specify the temporary secret file directory, set RW_TEMP_SECRET_FILE_DIR. This is only used with the as file option.