A Vault plugin for generating credentials for Apache Kafka clients.

Generates a dynamic username and ACL that can be used to create a uniq SSL certificate for a Kafka client.

Use this in combination with the vault pki backend.

• Download the plugin to Vault's plugin directory.
• Register the plugin with Vault

  • vault write sys/plugins/catalog/vault-plugin-secrets-kafka \
      sha_256="$SHASUM" \
      command="vault-plugin-secrets-kafka"

• Enable the plugin mount

  • vault secrets enable -path=kafka -plugin-name=vault-plugin-secrets-kafka plugin

• Configure the plugin

  • vault write kafka/config/access address="localhost:9092" ca_certificate="$CA" client_certificate="$CERT" client_key="$PRIVATE_KEY"

  • The client must be capable of writing creating and deleting ACLs.

• Write a policy

  • {
      "acl": {
        "host": "*",
        "operation": "Read",
        "permission_type": "Allow"
      },
      "resource": {
        "type": "Topic",
        "name": "*",
        "pattern_type_filter": "any"
      }
    }

• Write the role

  • vault write kafka/roles/read-all-topics policy=$(cat bin/policy.json)

• Read the credentials, pick the username

  • vault read kafka/creds/read-all-topics

• Generate a SSL certificate for this client

  •   NAME=$(vault read -field=user kafka/creds/read-all-topics)
      DATA=$(vault write -format=json pki/issue/kafka-clients common_name="$NAME" ttl=$TTL | jq -r .data)
      printf "%s" "$DATA" | jq -r .private_key > private.key
      printf "%s" "$DATA" | jq -r .certificate > client.cert
      printf "%s" "$DATA" | jq -r .issuing_ca  > ca.cert