Type-Specific Parameters

Some authentication types require additional parameters, as follows.

AzureClientSecret

For AzureClientSecret, you must provide the following credential values for your Azure App registration.

Credential    Description
TenantId      Azure Active Directory (AD) tenant ID associated with your subscription.
ClientId      Client ID of an Azure AD application that has access to the Schema Registry, Storage Provider, or Event Hubs Namespace.
ClientSecret  Client secret for the Azure AD application specified by the ClientId value.

Example Configuration

The following is an example "Authentication" configuration for the AzureClientSecret type.

"Authentication" : {
   "Type" : "AzureClientSecret",
   "TenantId" : "99998888-ffff-7777-eeee-6666dddd5555",
   "ClientId" : "00001111-aaaa-2222-bbbb-3333cccc4444",
   "ClientSecret" : "abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEFGHIJKLMNOP==" }

AzureEnvironment

For AzureEnvironment, the same credential values as those listed in the previous table under "AzureClientSecret" are used, but they are read from the following fixed environment variables.

Fixed Environment Variable  Description
AZURE_TENANT_ID             Azure Active Directory (AD) tenant ID.
AZURE_CLIENT_ID             Client ID of the Azure AD application.
AZURE_CLIENT_SECRET         Client secret for the Azure AD application.

AzureManagedIdentity

For AzureManagedIdentity, no additional credential values are required in the configuration file, but the managed identity must be configured in Azure.

When the Event Streaming Producer is hosted on an Azure Windows virtual machine (VM), AzureManagedIdentity authentication is available to an Event Hubs environment. For more details, see the following URL.

https://learn.microsoft.com/en-us/azure/event-hubs/authenticate-managed-identity

Event Hub and Schema Registry Requirements

Add the Event Hubs Data Owner role to the Azure VM System Identity for the <example-eventhub-namespace> Event Hubs namespace.

Azure Blob Storage Requirements

Add the Storage Blob Data Contributor role to the Azure VM System Identity for the <example-blob-storage> Storage account.

ConnectionString

For ConnectionString, you must provide the Connection String value.

Example Configuration

The following is an example "Authentication" configuration for the ConnectionString type.

"Authentication" : {
   "Type" : "ConnectionString",
   "ConnectionString" : "Endpoint=sb://myeventhubs.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=abc123..." }

SharedAccessKey

For SharedAccessKey, you must provide the values listed in the following table.

Value       Description
PolicyName  The name you have created in Azure for the Shared Access Policy.
Key         The primary or secondary key generated by Azure for this policy.

SharedAccessKey authentication is not supported for AzureSchemaRegistry.

Example Configuration

The following is an example "Authentication" configuration for the SharedAccessKey type.

"Authentication" : {
   "Type" : "SharedAccessKey",
   "PolicyName" : "MyEventHubPolicy",
   "Key" : "abc123" }

ApiKey

For ApiKey, you must provide the values listed in the following table.

Value        Description
ApiKeyName   API key name or ID.
ApiKeyValue  Secret associated with the API key.

This type is primarily used for development purposes in a Confluent Cloud Kafka environment and is not recommended for production environments.

Example Configuration

The following is an example "Authentication" configuration for the ApiKey type.

"Authentication" : {
   "Type" : "ApiKey",
   "ApiKeyName" : "1234567890",
   "ApiKeyValue" : "ABCDEFEGGHIJKLMNOPQRSTUVWXYZ1234567890+"}

ConfluentOAuth2

The ConfluentOAuth2 type, when used with an Azure Active Directory (AD) identity provider, uses settings similar to those of AzureClientSecret, along with three additional credentials, as listed in the following table.

Credential     Description
TenantId       Azure AD tenant ID associated with your subscription.
ClientId       Client ID of an Azure AD application that has access to the Schema Registry.
ClientSecret   Client secret for the Azure AD application specified by the ClientId value.
Scope          Specifies the extent or context of the Authentication request. For Confluent, specify the URL of the Confluent environment.
IdentityPool   Specifies which identity pool is associated with the SchemaRegistry. This must have been configured in Confluent and associated with the Azure-based identity provider being used. This setting is required only if using the Confluent SchemaRegistry.
TargetCluster  Specifies the SchemaRegistry Cluster that is configured to be used on Confluent. Note that this is different from the Kafka cluster. This setting is required only if using the Confluent SchemaRegistry.

Contact Jade Support for additional guidelines about setting up the ConfluentOAuth2 authentication type, if required.

Example Configuration

The following is an example "Authentication" configuration for the ConfluentOAuth2 type.

"Authentication" : {
   "Type" : "ConfluentOAuth2",
   "TenantId" : "my-tenant-id",
   "ClientId" : "my-client-id",
   "ClientSecret" : "my-client-secret",
   "Scope" : "https://<cluster-id>.<region>.confluent.cloud/",
   "IdentityPool" : "pool-xxxxx",
   "TargetCluster" : "lsrc-yyyyyy" }
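
The per-type requirements above can be checked before deployment. The following is an added example, not part of the product: it lints one "Authentication" object against the tables on this page and warns about secrets stored inline. The target hint values and the RootManageSharedAccessKey warning (that Azure default policy carries Manage, Send and Listen rights on the whole namespace) are assumptions of this example.

```python
import json

# Required keys per "Type", as listed in the tables on this page.
REQUIRED = {
    "AzureClientSecret": ["TenantId", "ClientId", "ClientSecret"],
    "AzureEnvironment": [],
    "AzureManagedIdentity": [],
    "ConnectionString": ["ConnectionString"],
    "SharedAccessKey": ["PolicyName", "Key"],
    "ApiKey": ["ApiKeyName", "ApiKeyValue"],
    "ConfluentOAuth2": ["TenantId", "ClientId", "ClientSecret", "Scope"],
}
SECRET_KEYS = {"ClientSecret", "ConnectionString", "Key", "ApiKeyValue"}
ENV_VARS = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"]

def lint_authentication(auth, env=None, target=None):
    """Return (severity, message) findings for one "Authentication" object.
    env: environment mapping; target: hypothetical hint naming the service."""
    env = env or {}
    kind = auth.get("Type")
    if kind not in REQUIRED:
        return [("error", f"unknown Type {kind!r}")]
    needed = list(REQUIRED[kind])
    if kind == "ConfluentOAuth2" and target == "ConfluentSchemaRegistry":
        needed += ["IdentityPool", "TargetCluster"]
    out = [("error", f"{kind}: missing {k}") for k in needed if not auth.get(k)]
    if kind == "AzureEnvironment":
        out += [("error", f"{v} is not set") for v in ENV_VARS if not env.get(v)]
    if kind == "SharedAccessKey" and target == "AzureSchemaRegistry":
        out.append(("error", "SharedAccessKey is not supported for AzureSchemaRegistry"))
    if kind == "ApiKey":
        out.append(("warn", "ApiKey is not recommended for production"))
    for k in sorted(SECRET_KEYS.intersection(auth)):
        out.append(("warn", f"inline secret in {k}: restrict access to this file"))
    if "SharedAccessKeyName=RootManageSharedAccessKey" in str(auth.get("ConnectionString", "")):
        out.append(("warn", "connection string uses RootManageSharedAccessKey"))
    return out

# Constructed sample, not a real configuration.
SAMPLE = json.loads("""{ "Authentication" : {
   "Type" : "ConnectionString",
   "ConnectionString" : "Endpoint=sb://example.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=CONSTRUCTED" } }""")

if __name__ == "__main__":
    for severity, message in lint_authentication(SAMPLE["Authentication"]):
        print(severity, message)
```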