PREMIUM FEATURE: This is a premium feature. For a comprehensive overview of all premium features and their usage, please see RisingWave premium features.

Syntax

meta as backend
CREATE SECRET secret_name WITH ( backend = 'meta' ) AS 'your_secret';
hashicorp_vault as backend
CREATE SECRET secret_name
WITH (
  backend = 'hashicorp_vault',
  addr = '<Vault server address>',
  path = '<Vault KV path>',
  field = '<field_to_extract>',
  auth_method = '<token|approle>',
  -- For token authentication:
  auth_token = '<vault_token>',
  -- For approle authentication:
  auth_role_id = '<role_id>',
  auth_secret_id = '<secret_id>',
  tls_skip_verify = 'true'
) AS NULL;

Parameters

General

| Parameter or Clause | Description |
| --- | --- |
| secret_name | The name of the secret to be created. This should be a unique identifier within the system. |
| backend | Specifies the backend where the secret will be stored. Supported backend options are hashicorp_vault (since v2.6.0) and meta. |

meta as backend

| Parameter or Clause | Description |
| --- | --- |
| your_secret | The secret value that you wish to store securely. |

hashicorp_vault as backend

| Parameter or Clause | Description |
| --- | --- |
| addr | Address of the Vault server (e.g., http://vault-server:8200). |
| path | Path to the secret in the Vault KV store (e.g., secret/data/myapp/db). The secret JSON is fetched from a URL such as {addr}/v1/{path}, and {field} is extracted from that JSON. |
| field | Optional. The field to extract from the secret (e.g., password). |
| auth_method | Specifies the authentication method. Supported methods are token (use Vault tokens for direct access) and approle (use role-based authentication for enhanced security). |
| auth_token | Vault token (for token auth). |
| auth_role_id | Role ID (for AppRole auth). |
| auth_secret_id | Secret ID (for AppRole auth). |
| tls_skip_verify | Optional. Disables TLS certificate verification for the connection to the Vault server. |
| AS NULL | The AS clause must be NULL. |

Examples

meta as backend

We create a secret named mysql_pwd and then reference it in the WITH clause of a source. After that, we use the SHOW CREATE SOURCE command to view the password. As the result shows, the MySQL password is hidden: the definition contains only the reference secret mysql_pwd, so the secret value does not leak.
CREATE SECRET mysql_pwd WITH ( backend = 'meta' ) AS '123';
CREATE SOURCE mysql_source WITH (
 connector = 'mysql-cdc',
 hostname = 'localhost',
 port = '8306',
 username = 'rwcdc',
 password = secret mysql_pwd,
 database.name = 'test',
 server.id = '5601'
);
SHOW CREATE SOURCE mysql_source;

---RESULT
--- public.mysql_mydb | CREATE SOURCE mysql_mydb WITH (connector = 'mysql-cdc', hostname = 'mysql', port = '3306', username = 'root', password = secret mysql_pwd, database.name = 'mydb', server.id = '2') FORMAT PLAIN ENCODE JSON

hashicorp_vault as backend

Create the secret using token authentication:
CREATE SECRET vault_token_secret
WITH (
  backend = 'hashicorp_vault',
  addr = 'http://vault-server:8200',
  path = 'secret/data/myapp/db',
  field = 'password',
  auth_method = 'token',
  auth_token = 'root-token',
  tls_skip_verify = 'true'
) AS NULL;
Create the secret using AppRole authentication:
CREATE SECRET approle_kafka_user
WITH (
  backend = 'hashicorp_vault',
  addr = 'https://vault.example.com',
  path = 'secret/data/myapp/kafka',
  field = 'username',
  auth_method = 'approle',
  auth_role_id = '<your_role_id>',
  auth_secret_id = '<your_secret_id>'
) AS NULL;
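
A pre-flight review of the hashicorp_vault options above, as an added example that is not RisingWave's own code: it builds the {addr}/v1/{path} URL the parameter table describes, extracts a field from a constructed response, and flags cleartext or unverified transport. The function names are hypothetical, the KV v1/v2 response shapes are assumed from Vault's KV API rather than taken from this page, and treating auth_token or auth_role_id/auth_secret_id as mandatory for their method is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Vault KV v2 read response (not captured from a real server).
SAMPLE_KV2_RESPONSE = json.dumps({
    "data": {"data": {"username": "rwcdc", "password": "s3cr3t-example"},
             "metadata": {"version": 3}}
})

def vault_read_url(addr: str, path: str) -> str:
    """URL shape the page describes: {addr}/v1/{path}."""
    return f"{addr.rstrip('/')}/v1/{path.lstrip('/')}"

def extract_field(response_body: str, field: str) -> str:
    """Pull one field out of a KV read response (assumed shapes: v1 and v2)."""
    data = json.loads(response_body).get("data") or {}
    inner = data.get("data")
    if isinstance(inner, dict) and "metadata" in data:  # KV v2 nests under data.data
        data = inner
    if field not in data:
        raise KeyError(f"field {field!r} not present at this path")
    return data[field]

def review_options(opts: dict) -> list:
    """Return findings for one hashicorp_vault WITH (...) option set."""
    findings = []
    if urlsplit(opts.get("addr", "")).scheme != "https":
        findings.append("addr is not https: token and secret cross the network in cleartext")
    if opts.get("tls_skip_verify", "").lower() == "true":
        findings.append("tls_skip_verify disables server certificate validation")
    method = opts.get("auth_method")
    # Assumption: each auth method needs its own credential options to be set.
    needed = {"token": ["auth_token"], "approle": ["auth_role_id", "auth_secret_id"]}
    if method not in needed:
        findings.append("auth_method must be token or approle")
    else:
        findings += [f"{key} missing for {method} auth"
                     for key in needed[method] if not opts.get(key)]
    return findings
```

Run against the two examples above, the token example yields two transport findings (http address, tls_skip_verify), while the AppRole example over https yields none.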
