Confluent automatic secret rotation
This feature is available in HCP Vault Secrets Plus tier.
Confluent Cloud provides a programmatic way for developers to integrate with its managed Kafka services, enabling secure access to data streams and event-driven applications using API keys.
HCP Vault Secrets can automatically rotate Confluent Cloud API keys.
Prerequisites
- A project-level HCP service principal with a service principal key and the ability to create HCP Vault Secrets integrations, apps and secrets (for example via the Contributor HCP built-in role).
- Environment variables set for the HCP organization ID, project ID, application name, secret name, service principal client ID, and service principal client secret.
- Access to the Confluent account.
- A Confluent Cloud API Key ID and Secret created in your Confluent Console (refer to the Confluent Cloud API key documentation).
- The API key's resource scope must be Cloud resource management.
Create a rotating secret
1. Navigate to the application you would like to add a rotated secret to.
2. Click Create new secret and select Auto-rotating secret.
3. Enter a unique name for the auto-rotating secret in the Name field.
4. Select the desired provider from the Provider pulldown menu.
5. Click + Add new next to the Connection pulldown menu and enter the following:
   - Connection Name: Provide a unique name for the connection.
   - Cloud API Key ID: The Cloud API Key ID for Confluent Cloud, as shown in the Confluent Console.
   - Cloud API Key Secret: The Cloud API Key Secret.
   - The API key must be associated with a service account that has the Organization Admin privilege and must have the Cloud resource management scope. Because this key is organization-wide, use a dedicated service account for the integration and treat the key as a high-value secret.
6. Click Save to return to the new secret form.
7. User Account ID/Service Account ID: Enter the user account ID or service account ID associated with the integration. View the service account
8. Click the Rotation frequency pulldown menu and select the desired rotation frequency from the three options available: 30 days, 60 days, or 90 days.
9. Click Save.
The setup is complete and your first rotating secret has been created.
Delete a Confluent rotation integration
Generate an OAuth token to authenticate with the HCP API.
Delete an existing Confluent rotation integration.
```shell
$ curl \
  --location "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/${HCP_ORG_ID}/projects/${HCP_PROJ_ID}/integrations/rotation/confluent/${INTEGRATION_NAME}" \
  --request DELETE \
  --header "Authorization: Bearer ${HCP_API_TOKEN}" | jq
```
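The two steps above as one script, added here as an example and not taken from the HCP documentation or the HCP CLI. It obtains the bearer token with the HCP OAuth2 client-credentials flow (`https://auth.idp.hashicorp.com/oauth2/token`, audience `https://api.hashicorp.cloud`), then issues the DELETE against the endpoint shown above. Assumptions: the service principal credentials are in `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` (the page only says these must be set, not their names), the organization and project IDs are in `HCP_ORG_ID` and `HCP_PROJ_ID`, and integration names are restricted to letters, digits, `-` and `_` (an assumption used only to keep the name from altering the URL path). Unlike the bare `curl ... | jq` above, it checks the HTTP status so a 401/403/404 is not silently swallowed, and it keeps the client secret out of the process list by feeding curl a config on stdin.

```shell
#!/usr/bin/env sh
# Added example, not HCP's own code. Requires curl and jq.
# Env vars assumed: HCP_ORG_ID, HCP_PROJ_ID, HCP_CLIENT_ID, HCP_CLIENT_SECRET.

HCP_AUTH_URL="https://auth.idp.hashicorp.com/oauth2/token"
HCP_API_BASE="https://api.cloud.hashicorp.com/secrets/2023-11-28"

# Fail early with a clear message if any listed variable is unset or empty.
require_env() {
  for name in "$@"; do
    eval "val=\"\${$name:-}\""
    if [ -z "$val" ]; then
      echo "missing required environment variable: $name" >&2
      return 1
    fi
  done
}

# The integration name becomes a URL path segment. Rather than URL-encoding,
# refuse anything outside a conservative charset (assumed, not documented here)
# so '/', '..', '?' or '#' can never redirect the request to a different path.
validate_integration_name() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Build the DELETE URL from the endpoint pattern shown on the page (pure function).
confluent_integration_url() {
  printf '%s/organizations/%s/projects/%s/integrations/rotation/confluent/%s\n' \
    "$HCP_API_BASE" "$1" "$2" "$3"
}

# Obtain a bearer token via the HCP client-credentials flow. The credentials are
# passed as a curl config on stdin (-K -) so they do not appear in `ps` output.
hcp_api_token() {
  require_env HCP_CLIENT_ID HCP_CLIENT_SECRET || return 1
  curl -sS --fail "$HCP_AUTH_URL" -K - <<EOF | jq -er '.access_token'
data-urlencode = "client_id=${HCP_CLIENT_ID}"
data-urlencode = "client_secret=${HCP_CLIENT_SECRET}"
data-urlencode = "grant_type=client_credentials"
data-urlencode = "audience=https://api.hashicorp.cloud"
EOF
}

# Delete the integration and act on the HTTP status code instead of piping the
# body blindly into jq, which would hide an auth or not-found error.
delete_confluent_integration() {
  name="$1"
  require_env HCP_ORG_ID HCP_PROJ_ID || return 1
  validate_integration_name "$name" || { echo "invalid integration name" >&2; return 1; }
  token="$(hcp_api_token)" || return 1
  url="$(confluent_integration_url "$HCP_ORG_ID" "$HCP_PROJ_ID" "$name")"
  body="$(mktemp)"
  status="$(curl -sS -o "$body" -w '%{http_code}' -X DELETE \
    -H "Authorization: Bearer ${token}" "$url")" || status="000"
  case "$status" in
    2*) echo "deleted integration $name"; rm -f "$body"; return 0 ;;
    *)  echo "delete failed with HTTP $status:" >&2; cat "$body" >&2; rm -f "$body"; return 1 ;;
  esac
}

# Usage: HCP_ORG_ID=... HCP_PROJ_ID=... HCP_CLIENT_ID=... HCP_CLIENT_SECRET=... \
#   sh delete_confluent_integration.sh my-confluent-integration
if [ -n "${1:-}" ]; then
  delete_confluent_integration "$1"
fi
```

The `-K -` trick matters because `--data-urlencode "client_secret=$HCP_CLIENT_SECRET"` on the command line is readable by any local user while curl runs; a heredoc keeps it in the process's own stdin. Checking `%{http_code}` is what tells you the integration was actually removed rather than, say, the token having expired.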