Type-Specific Parameters
Some authentication types require additional parameters, as follows.
AzureClientSecret
For AzureClientSecret, you must provide the following credential values for your Azure App registration.
Credential | Description |
---|---|
TenantId | Azure Active Directory (AD) tenant ID associated with your subscription. |
ClientId | Client ID of an Azure AD application that has access to the Schema Registry, Storage Provider, or Event Hubs Namespace. |
ClientSecret | Client secret for the Azure AD application specified by the ClientId value. |
Example Configuration
The following is an example "Authentication" configuration for the AzureClientSecret type.
"Authentication" : { "Type" : "AzureClientSecret", "TenantId" : "99998888-ffff-7777-eeee-6666dddd5555", "ClientId" : "00001111-aaaa-2222-bbbb-3333cccc4444", "ClientSecret" : "abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEFGHIJKLMNOP==" }
AzureEnvironment
For AzureEnvironment, the same credential values as those in the previous table under "AzureClientSecret" are used, but they are read from fixed environment variables instead of the configuration file, as follows.
Fixed Environment Variable | Description |
---|---|
AZURE_TENANT_ID | Azure Active Directory (AD) tenant ID. |
AZURE_CLIENT_ID | Client ID of the Azure AD application. |
AZURE_CLIENT_SECRET | Client secret for the Azure AD application. |
AzureManagedIdentity
For AzureManagedIdentity, no additional credential values are required in the configuration file, but the identity must be configured in Azure.
When the Event Streaming Producer is hosted on an Azure Windows virtual machine (VM), AzureManagedIdentity authentication is available to an Event Hubs environment. For more details, see the following URL.
https://learn.microsoft.com/en-us/azure/event-hubs/authenticate-managed-identity
Event Hub and Schema Registry Requirements
Add the Event Hubs Data Owner role to Azure VM System Identity for the <example‑eventhub‑namespace> Event Hubs namespace.
Azure Blob Storage Requirements
Add the Storage Blob Data Contributor role to Azure VM System Identity for the <example‑blob‑storage> Storage account.
ConnectionString
For ConnectionString, you must provide the Connection String value.
Example Configuration
The following is an example "Authentication" configuration for the ConnectionString type.
"Authentication" : { "Type" : "ConnectionString", "ConnectionString" : "Endpoint=sb://myeventhubs.servicebus.windows.net/; SharedAccessKeyName=RootManageSharedAccessKey; SharedAccessKey=abc123..." }
SharedAccessKey
For SharedAccessKey, you must provide the values listed in the following table.
Value | Description |
---|---|
PolicyName | The name you have created in Azure for the Shared Access Policy. |
Key | The primary or secondary key generated by Azure for this policy. |
SharedAccessKey authentication is not supported for AzureSchemaRegistry.
Example Configuration
The following is an example "Authentication" configuration for the SharedAccessKey type.
"Authentication" : { "Type" : "SharedAccessKey", "PolicyName" : "MyEventHubPolicy", "Key" : "abc123" }
ApiKey
For ApiKey, you must provide the values listed in the following table.
Value | Description |
---|---|
ApiKeyName | API key name or ID. |
ApiKeyValue | Secret associated with the API key. |
This type is primarily used for development purposes in a Confluent Cloud Kafka environment and is not recommended for production environments.
Example Configuration
The following is an example "Authentication" configuration for the ApiKey type.
"Authentication" : { "Type" : "ApiKey", "ApiKeyName" : "1234567890", "ApiKeyValue" : "ABCDEFEGGHIJKLMNOPQRSTUVWXYZ1234567890+"}
ConfluentOAuth2
The ConfluentOAuth2 type, when used with an Azure Active Directory (AD) identity provider, takes settings similar to those of the AzureClientSecret type, along with three additional credentials, as listed in the following table.
Credential | Description |
---|---|
TenantId | Azure AD tenant ID associated with your subscription. |
ClientId | Client ID of an Azure AD application that has access to the Schema Registry. |
ClientSecret | Client secret for the Azure AD application specified by the ClientId value. |
Scope | Specifies the extent or context of the Authentication request. For Confluent, specify the URL of the Confluent environment. |
IdentityPool | Specifies which identity pool is associated with the SchemaRegistry. This must have been configured in Confluent and associated with the Azure‑based identity provider being used. This setting is required only if using the Confluent SchemaRegistry. |
TargetCluster | Specifies the SchemaRegistry Cluster that is configured to be used on Confluent. Note that this is different from the Kafka cluster. This setting is required only if using the Confluent SchemaRegistry. |
Contact Jade Support for additional guidelines about setting up the ConfluentOAuth2 authentication type, if required.
Example Configuration
The following is an example "Authentication" configuration for the ConfluentOAuth2 type.
"Authentication" : { "Type" : "ConfluentOAuth2", "TenantId" : my-tenant-id", "ClientId" : "my-client-id", "ClientSecret" : "my-client-secret", "Scope" : "<https://<cluster‑id>.<region>.confluent.cloud/>", "IdentityPool" : "pool-xxxxx", "TargetCluster" : "lsrc-yyyyyy" }