Secret Management in RisingWave

As data security becomes increasingly important, companies are looking for ways to improve their data access control. One area of concern is the storage of sensitive credentials, such as passwords and API keys.

In previous versions of RisingWave, users had to store credentials in plain text within DDL statements. This approach can be a security risk, especially for enterprise customers who require more robust security measures.

To address this issue, we've introduced secret management in RisingWave v2.0. This feature allows users to define secrets to store credentials securely. Once defined, these secrets can be used in the same way as variables, making it easier to manage sensitive information.

Please note that secret management is a Premium feature, which means you'll need to purchase a license to use it. For more information on RisingWave Premium, including pricing and features, check out our detailed guide: Everything You Want to Know about RisingWave Premium.

Creating secrets

After a Premium license is configured, users can create secrets to store credentials like passwords and API keys, for example:

CREATE SECRET pg_psw WITH (backend='meta') AS '123456';

Secrets will be stored in a vault on the meta node. Currently, meta is the only supported backend.

Using secrets for connecting to sources or sinks

After secrets are created, users in the same RisingWave instance can reference them when creating sources, tables, or sinks, for example:

CREATE SOURCE pg_mydb WITH (
    connector = 'postgres-cdc',
    hostname = '127.0.0.1',
    port = '5432',
    username = 'root',
    password = secret pg_psw,
    database.name = 'mydb',
    slot.name = 'mydb_slot'
);
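
Whether a set of DDL files still embeds credentials as literals can be checked mechanically. The following Python check is an added example, not RisingWave code: it reports credential-like options set to a quoted literal instead of a `secret` reference. The key-name hints, the function name and the `pg_legacy` sample are assumptions constructed for illustration.

```python
import re

# Assumption: option names containing these substrings carry credentials.
SENSITIVE_HINTS = ("password", "secret", "token", "api_key")

# A statement runs to the next ';' that is not inside a quoted literal.
STATEMENT_RE = re.compile(r"(?:[^;']|'[^']*')+")
HEAD_RE = re.compile(r"\bCREATE\s+(SOURCE|SINK|TABLE)\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w.]+)", re.I)
# One `key = value` option: the value is `secret <name>` or a quoted literal.
OPTION_RE = re.compile(
    r"(?P<key>[A-Za-z_][\w.]*)\s*=\s*(?:secret\s+(?P<ref>\w+)|'(?P<lit>[^']*)')",
    re.IGNORECASE,
)


def find_plaintext_credentials(ddl):
    """Return (line, object, option) findings; the literal is never returned."""
    findings = []
    for stmt in STATEMENT_RE.finditer(ddl):
        head = HEAD_RE.search(stmt.group())
        if head is None:
            continue  # not a source, table or sink definition
        target = f"{head.group(1).upper()} {head.group(2)}"
        for opt in OPTION_RE.finditer(stmt.group()):
            key = opt.group("key").lower()
            if opt.group("lit") is None:
                continue  # value is a secret reference, nothing embedded
            if any(hint in key for hint in SENSITIVE_HINTS):
                pos = stmt.start() + opt.start("key")
                findings.append((ddl.count("\n", 0, pos) + 1, target, key))
    return findings


# Constructed sample: the first source follows the page, the second is legacy.
SAMPLE_DDL = """\
CREATE SOURCE pg_mydb WITH (
    connector = 'postgres-cdc',
    password = secret pg_psw
);
CREATE SOURCE pg_legacy WITH (
    connector = 'postgres-cdc',
    username = 'root',
    password = 'constructed;pw'
);
"""

if __name__ == "__main__":
    for line, target, key in find_plaintext_credentials(SAMPLE_DDL):
        print(f"line {line}: {target} sets {key} to a plaintext literal")
```

CREATE SECRET statements are not flagged, although the value after AS is itself plaintext in whatever file or shell history holds the statement.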

Managing secrets with data security policies

In many organizations, data security policies require regular updates to sensitive information, such as passwords. For example, a policy might dictate that passwords be updated every 30 days. To comply with these policies, you can update secrets in RisingWave by dropping the existing secret and recreating it with the new password. Note that we currently don't support altering existing secrets with a single command (e.g., ALTER PASSWORD), but this feature is on our roadmap for future development.

What’s next?

We're committed to continuing to enhance RisingWave with more features and improved secret management capabilities. Your feedback is invaluable in shaping our roadmap, so please don't hesitate to reach out to us with your thoughts and suggestions.

To stay informed about the latest developments at RisingWave, subscribe to our monthly newsletter. You can also follow us on Twitter and LinkedIn, or join our Slack community to connect with our engineers and a community of streaming enthusiasts.