AuthScheme
Specifies the authentication scheme that the provider uses when connecting to the Apache Kafka broker.
Possible Values
None, Plain, SCRAM, SCRAM-SHA-512, Kerberos, SSLCertificate, KafkaOAuthClient, AzureAD, AzureMSI, AzureServicePrincipal, AzureServicePrincipalCert, OAuthJWT, GCPInstanceAccount, AWSWorkloadIdentity, AzureWorkloadIdentity
Data Type
string
Default Value
"None"
Remarks
Authentication requirements vary by Kafka deployment. The provider supports several authentication schemes used by self-managed Kafka clusters, cloud-managed Kafka services, and Schema Registry environments. The schemes listed below determine how the provider obtains credentials and establishes a secure connection to the broker.
Supported schemes for Apache Kafka:
| Scheme | Description |
| --- | --- |
| None | Connects without authentication. No credentials are required. |
| Plain | Authenticates using a plain text login module. Requires User and Password. |
| SCRAM | Authenticates using a SCRAM login module with SHA-256 hashing. |
| SCRAM-SHA-512 | Authenticates using a SCRAM login module with SHA-512 hashing. |
| Kerberos | Authenticates using Kerberos. Requires a Kerberos configuration file and relevant Kerberos properties. |
| SSLCertificate | Authenticates using an SSL client certificate. |
| KafkaOAuthClient | Authenticates using Kafka's native OpenID Connect (KIP-768) authentication with the client credentials grant type. Note: This does not use the provider's built-in support for OAuth like the Azure and OAuthJWT authentication methods do. Only the OAuthClientId, OAuthClientSecret, OAuthAccessTokenURL, and Scope properties have any effect on the behavior of this scheme. Use ConsumerProperties and ProducerProperties to provide advanced configuration. |
| AzureAD | Authenticates using Azure Active Directory OAuth. |
| AzureMSI | Obtains Managed Service Identity credentials automatically when running on an Azure VM. |
| AzureServicePrincipal | Authenticates as an Azure Service Principal using a client secret. |
| AzureServicePrincipalCert | Authenticates as an Azure Service Principal using a certificate. |
| OAuthJWT | Authenticates using an OAuth service account with JWT-based credential flow. |
| GCPInstanceAccount | Authenticates using an access token obtained from a Google Cloud instance. |
| AWSWorkloadIdentity | Authenticates using AWS Workload Identity Federation. |
Schemes for authenticating to Azure Event Hubs:
| Scheme | Description |
| --- | --- |
| AzureAD | Authenticates using Azure Active Directory OAuth. |
| AzureMSI | Obtains Managed Service Identity credentials automatically when running on an Azure VM. |
| AzureServicePrincipal | Authenticates as an Azure Service Principal using a client secret. |
| AzureServicePrincipalCert | Authenticates as an Azure Service Principal using a certificate. |
Schemes for authenticating to GMS Kafka:
| Scheme | Description |
| --- | --- |
| OAuthJWT | Authenticates using an OAuth service account. |
| GCPInstanceAccount | Authenticates using a Google Cloud instance account. |
| AWSWorkloadIdentity | Authenticates using AWS Workload Identity Federation. GMS Kafka does not allow external principals to authenticate directly, so you must delegate authentication to a service account using the RequestingServiceAccount property. |
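
The rules above can be checked before a connection string is deployed, in particular the unauthenticated default. The following Python audit is an added example, not part of the provider or its documentation. It assumes semicolon-separated `Key=Value` connection strings with case-insensitive keys and no `;` inside values, treats the three KafkaOAuthClient credential properties as mandatory, and uses a hypothetical `gms_kafka` flag and a constructed `OAuthExampleSetting` key.

```python
# Added example: audit a connection string against the AuthScheme rules above.
# Assumption: "Key=Value;" syntax, case-insensitive keys, no ";" inside values.
VALID = {"None", "Plain", "SCRAM", "SCRAM-SHA-512", "Kerberos", "SSLCertificate",
         "KafkaOAuthClient", "AzureAD", "AzureMSI", "AzureServicePrincipal",
         "AzureServicePrincipalCert", "OAuthJWT", "GCPInstanceAccount",
         "AWSWorkloadIdentity", "AzureWorkloadIdentity"}
# The only properties that affect KafkaOAuthClient, per the table.
KIP768 = ["OAuthClientId", "OAuthClientSecret", "OAuthAccessTokenURL", "Scope"]


def parse(conn):
    """Split 'Key=Value;...' into {lower-cased key: value}."""
    props = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip()
    return props


def audit(conn, gms_kafka=False):
    """Return findings that name keys only; property values are never echoed."""
    props = parse(conn)
    scheme = props.get("authscheme") or "None"  # documented default value
    if scheme not in VALID:
        return ["unknown-scheme"]

    def missing(keys):
        return [f"missing {k}" for k in keys if not props.get(k.lower())]

    findings = []
    if scheme == "None":
        how = "explicit" if props.get("authscheme") else "default"
        findings.append(f"unauthenticated ({how} None)")
    elif scheme == "Plain":
        findings += missing(["User", "Password"])
    elif scheme == "KafkaOAuthClient":
        # Assumption: the three credential properties are mandatory, Scope optional.
        findings += missing(KIP768[:3])
        allowed = {k.lower() for k in KIP768}
        findings += [f"no effect: {k}" for k in props
                     if k.startswith("oauth") and k not in allowed]
    elif scheme == "AWSWorkloadIdentity" and gms_kafka:
        # GMS Kafka requires delegation to a service account.
        findings += missing(["RequestingServiceAccount"])
    return findings


if __name__ == "__main__":
    # Constructed sample strings, not real credentials.
    for s in ("", "AuthScheme=Plain;User=svc", "AuthScheme=AWSWorkloadIdentity"):
        print(repr(s), "->", audit(s, gms_kafka=True))
```

An empty result means no rule from this page was violated; it does not validate the credentials themselves or the transport settings.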