Decodes values encoded with AES-256 to enable passing encrypted values to connectors.
Add the plugin to the worker classloader isolation via the plugin.path option:
plugin.path=/usr/share/connectors,/opt/secret-providers
The provider gets AES-256 encrypted value as a key and simply decrypts it to get the value (instead of e.g. looking up for the value somewhere).
The AES-256 encryption used for the value needs to be prefixed with base64 encoded initialisation vector and a space character, the encrypted value is also base64 encoded. So to corretly encrypt value1 I need to follow following steps:
value1
encrypted-bytes
encrypted-base64
initialisation-vector
iv-base64
encrypted-value
The plugin needs to be configured with secret key that will be used for decoding. The key is a string and needs to have size of 32 bytes (UTF-8 encoded).
Example worker properties file:
config.providers=aes256 config.providers.aes256.class=io.lenses.connect.secrets.providers.Aes256DecodingProvider config.providers.aes256.param.aes256.key=aaaaaaaaaabbbbbbbbbbccccccccccdd config.providers.aes256.param.file.dir=/tmp/aes256
To use this provider in a connector, reference the keyvault containing the secret and the key name for the value of the connector property.
The indirect reference is in the form ${provider:path:key} where:
For example, if hello aes-256 encrypted using some key equals to xyxyxy - then if I configure connector to use ${aes256::xyxyxy} for a parameter value, the value should be substituted with “hello” string:
hello
xyxyxy
${aes256::xyxyxy}
name=my-sink class=my-class topics=mytopic greeting=${aes256::xyxyxy}
This would resolve at runtime to:
name=my-sink class=my-class topics=mytopic greeting=hello
path belonging to key reference is used to specify encoding used to pass the value. The provider supports following encodings:
path
The UTF8 means the value returned is the decrypted value of the encrypted value (key). The BASE64 means the value returned is the base64 decoded decrypted value of the encrypted value (key).
If the value for the encoding is UTF8_FILE the string contents are written to a file. The name of the file will be randomply generated. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.
If the value for the encoding is BASE64_FILE the string contents are based64 decoded and written to a file. The name of the file will be randomply generated. For example, if a connector needs a PEM file on disk, set this as the path as BASE64_FILE. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.
If the key reference path is not set or is set to unknown value - utf8 encoding is used as default.
For example, if we want to save hi there ! to the file, and aes-256 encrypted content equals xyxyxy - then if I configure connector to use ${aes256:utf8_file:xyxyxy} for a parameter value, the provider will create new file with random name (abc-def-ghi) and store hi there ! to the file. If configured store directory is /store-root, he value will be substituted with /store-root/secrets/abc-def-ghi string:
hi there !
${aes256:utf8_file:xyxyxy}
abc-def-ghi
/store-root
/store-root/secrets/abc-def-ghi
name=my-sink class=my-class topics=mytopic greeting=${aes256:utf8_file:xyxyxy}
resolves to
name=my-sink class=my-class topics=mytopic greeting=/store-root/secrets/abc-def-ghi
On this page
