Manage secrets
By default, credentials for connecting to external services (like MySQL) are specified in plain text within the WITH
clause of CREATE SOURCE / SINK
statements. This practice poses security risks, particularly for large organizations where multiple teams manage connected services.
To address the issue, we recommend using the CREATE SECRET
command to store credentials securely. Admins can create secrets in advance, allowing other team members to reference them using secret identifiers when creating source/sink connections. This ensures that secrets remain protected throughout all phases of access.
RisingWave provides four key secret management operations:
- Creating secrets.
- Using secrets.
- Using secrets as a file.
- Dropping secrets.
In addition, you can use the rw_secrets catalog to view the ID, name, owner, and access control of secret objects.
PREMIUM EDITION FEATURE
This is a Premium Edition feature. All Premium Edition features are available out of the box without additional cost on RisingWave Cloud. For self-hosted deployments, users need to purchase a license key to access this feature. To purchase a license key, please contact sales team at sales@risingwave-labs.com.
For a full list of Premium Edition features, see RisingWave Premium Edition.
PUBLIC PREVIEW
This feature is currently in public preview, meaning it is nearing the final product but may not yet be fully stable. If you encounter any issues or have feedback, please reach out to us via our Slack channel. Your input is valuable in helping us improve this feature. For more details, see our Public Preview Feature List.
Create secrets
You can use the following statement to create secrets:
Syntax for creating secrets
Examples
Currently only the meta backend is supported.
Use secrets
After creating secrets, you can use SECRET your_secret_name
as the option value in the WITH
clause. For example:
Use a secret in the WITH clause
Use secrets as a file
Some connectors need credentials stored as file paths (e.g., ssl.ca.location
), where the file contains the secret. RisingWave allows you to reference a secret as a file path.
Reference a secret as a file path
Drop secrets
You can use the following statement to drop secrets:
Syntax for dropping secrets
Examples
Here is an example. We create a secret named mysql_pwd
, and then use it in the WITH
clause. After that, we use the SHOW CREATE SOURCE
command to view the password.
As shown in the result, the MySQL password is hidden, ensuring no secret leaks.
Notes for open-source deployment
To use secret management, you need to set the environment variable RW_SECRET_STORE_PRIVATE_KEY_HEX
to a hex representation of a 128-bit key (e.g. 0123456789abcdef
). This key is used to encrypt secrets in RisingWave. You MUST NOT lose this key, as it is required to decrypt secrets.
To specify the temporary secret file directory, set RW_TEMP_SECRET_FILE_DIR
. This is only used with the as file
option.
See also
- CREATE SECRET: Creating a secret.
- DROP SECRET: Dropping a secret.