Create Credentials

Copy-paste examples of how to create credentials with SQL

Several authentication schemes across multiple providers are supported. For a detailed overview of all of the provider-specific options, see the SQL documentation.

Azure

Password
1
2
3
4
CREATE CREDENTIAL azure_cred
TYPE = 'azure_storage_key',
IDENTITY = 'sampleacc',
SECRET = 'foobaz123'
SAS Token
1
2
3
4
CREATE CREDENTIAL azure_cred
TYPE = 'azure_sas',
IDENTITY = 'sampleacc',
SECRET = 'sv=2015-07-08&sr=b&sig=39Up0JzHkxhUlhFEjEH9673DJxe7w6...'
Active Directory
1
2
3
4
5
6
7
8
9
CREATE CREDENTIAL azure_cred
TYPE = 'azure_ad',
IDENTITY = 'jdoe',
SECRET = 'foobaz123'
WITH OPTIONS
(
    STORAGE ACCOUNT NAME = 'sampleacc',
    TENANT ID = 'x0xxx10-00x0-0x01-0xxx-x0x0x01xx100'
)

GCS

User ID & Key
1
2
3
4
CREATE CREDENTIAL gcs_cred
TYPE = 'gcs_service_account_id',
IDENTITY = 'auser@auser.iam.gserviceaccount.com',
SECRET = '-----BEGIN PRIVATE KEY-----\nABCDEFG=\n-----END PRIVATE KEY-----\n'
JSON Key
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
CREATE CREDENTIAL gcs_cred
TYPE = 'gcs_service_account_keys'
WITH OPTIONS
(
      GCS_SERVICE_ACCOUNT_KEYS = '
      {
            "type": "service_account",
            "project_id": "auser",
            "private_key_id": "abcdef1234567890",
            "private_key": "-----BEGIN PRIVATE KEY-----\nABCDEFG=\n-----END PRIVATE KEY-----\n",
            "client_email": "auser@auser.iam.gserviceaccount.com",
            "client_id": "1234567890",
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/auser%40auser.iam.gserviceaccount.com"
      }'
)

HDFS

Password
1
2
3
4
CREATE CREDENTIAL hdfs_cred
TYPE = 'hdfs',
IDENTITY = 'jdoe',
SECRET = 'foobaz123'
Kerberos Keytab
1
2
3
4
5
6
7
CREATE CREDENTIAL hdfs_cred
TYPE = 'hdfs',
IDENTITY = 'jdoe'
WITH OPTIONS
(
    KERBEROS KEYTAB = 'kifs://<keytab file path>'
)
Kerberos Token
1
2
3
4
5
6
7
CREATE CREDENTIAL hdfs_cred
TYPE = 'hdfs',
IDENTITY = 'jdoe'
WITH OPTIONS
(
    USE KERBEROS = 'true'
)

JDBC

Password
1
2
3
4
CREATE CREDENTIAL jdbc_cred
TYPE = 'jdbc',
IDENTITY = 'auser',
SECRET = 'Passw0rd!'

Kafka (Apache)

Password
1
2
3
4
CREATE CREDENTIAL kafka_cred
TYPE = 'kafka',
IDENTITY = 'jdoe',
SECRET = 'foobaz123'
SSL with Truststore
1
2
3
4
5
6
7
CREATE CREDENTIAL kafka_cred
TYPE = 'kafka'
WITH OPTIONS
(
    'security.protocol' = 'SSL',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt'
)
SSL with Truststore/Client Auth
1
2
3
4
5
6
7
8
CREATE CREDENTIAL kafka_cred
TYPE = 'kafka'
WITH OPTIONS
(
    'security.protocol' = 'SSL',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt',
    'ssl.certificate.location' = 'kifs://ssl/client.pem'
)
SSL with Encryption
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
CREATE CREDENTIAL kafka_cred
TYPE = 'kafka'
WITH OPTIONS
(
    'security.protocol' = 'SSL',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt',
    'ssl.certificate.location' = 'kifs://ssl/client.pem',
    'ssl.key.location' = 'kifs://ssl/client.key',
    'ssl.key.password' = 'foobaz123'
)
Kerberos
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
CREATE CREDENTIAL kafka_cred
TYPE = 'kafka'
WITH OPTIONS
(
    'security.protocol' = 'SASL_PLAINTEXT',
    'sasl.mechanism' = 'GSSAPI',
    'sasl.kerberos.service.name' = 'kafka',
    'sasl.kerberos.keytab' = 'kifs://security/jdoe.keytab',
    'sasl.kerberos.principal' = 'jdoe@example.com'
)
Kerberos SSL
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
CREATE CREDENTIAL kafka_cred
TYPE = 'kafka'
WITH OPTIONS
(
    'security.protocol' = 'SASL_SSL',
    'sasl.mechanism' = 'GSSAPI',
    'sasl.kerberos.service.name' = 'kafka',
    'sasl.kerberos.keytab' = 'kifs://security/jdoe.keytab',
    'sasl.kerberos.principal' = 'jdoe@example.com',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt',
    'ssl.certificate.location' = 'kifs://ssl/client.pem',
    'ssl.key.location' = 'kifs://ssl/client.key',
    'ssl.key.password' = 'foobaz123'
)

Kafka (Confluent)

Password
1
2
3
4
CREATE CREDENTIAL confluent_cred
TYPE = 'confluent',
IDENTITY = 'jdoe',
SECRET = 'foobaz123'
SSL with Truststore
1
2
3
4
5
6
7
CREATE CREDENTIAL confluent_cred
TYPE = 'confluent'
WITH OPTIONS
(
    'security.protocol' = 'SSL',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt'
)
SSL with Truststore/Client Auth
1
2
3
4
5
6
7
8
CREATE CREDENTIAL confluent_cred
TYPE = 'confluent'
WITH OPTIONS
(
    'security.protocol' = 'SSL',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt',
    'ssl.certificate.location' = 'kifs://ssl/client.pem'
)
SSL with Encryption
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
CREATE CREDENTIAL confluent_cred
TYPE = 'confluent'
WITH OPTIONS
(
    'security.protocol' = 'SSL',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt',
    'ssl.certificate.location' = 'kifs://ssl/client.pem',
    'ssl.key.location' = 'kifs://ssl/client.key',
    'ssl.key.password' = 'foobaz123'
)
Kerberos
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
CREATE CREDENTIAL confluent_cred
TYPE = 'confluent'
WITH OPTIONS
(
    'security.protocol' = 'SASL_PLAINTEXT',
    'sasl.mechanism' = 'GSSAPI',
    'sasl.kerberos.service.name' = 'kafka',
    'sasl.kerberos.keytab' = 'kifs://security/jdoe.keytab',
    'sasl.kerberos.principal' = 'jdoe@example.com'
)
Kerberos SSL
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
CREATE CREDENTIAL confluent_cred
TYPE = 'confluent'
WITH OPTIONS
(
    'security.protocol' = 'SASL_SSL',
    'sasl.mechanism' = 'GSSAPI',
    'sasl.kerberos.service.name' = 'kafka',
    'sasl.kerberos.keytab' = 'kifs://security/jdoe.keytab',
    'sasl.kerberos.principal' = 'jdoe@example.com',
    'ssl.ca.location' = 'kifs://ssl/ca-bundle.crt',
    'ssl.certificate.location' = 'kifs://ssl/client.pem',
    'ssl.key.location' = 'kifs://ssl/client.key',
    'ssl.key.password' = 'foobaz123'
)

S3 (Amazon)

S3 Access Key
1
2
3
4
CREATE CREDENTIAL s3_cred
TYPE = 'aws_access_key',
IDENTITY = 'AKIAIOSFODNN7EXAMPLE',
SECRET = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
IAM Role
1
2
3
4
5
6
7
8
CREATE CREDENTIAL s3_cred
TYPE = 'aws_iam_role',
IDENTITY = 'AKIAIOSFODNN7EXAMPLE',
SECRET = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
WITH OPTIONS
(
    S3_AWS_ROLE_ARN = 'arn:aws:iam::123456789012:user/JohnDoe'
)