Configure and reference a key - Realtime Compute for Apache Flink

You can configure a key to avoid security risks that are caused by plaintext AccessKey pairs. You can use a key when you create an SQL deployment, a script, or a catalog. You can also use a key when you configure parameters in the Logging section of the Configuration tab or the Deployment Defaults tab. This topic describes how to configure and reference a key.

Prerequisites

Your account has permissions of the editor or owner role in the current namespace for key management. For more information about how to authorize an account to perform operations in a namespace, see Authorize an account to perform operations in a namespace.

Limits

You can only add and delete keys. You cannot view or change the values of keys.
You cannot specify multiple values for a key.
You can reference keys only in the WITH clause of the CREATE TEMPORARY TABLE statement. If you reference keys in the WITH clause of the CREATE TABLE statement, the table that you create cannot be used.

Precautions

If you delete an existing key, the SQL draft that you develop may fail to be deployed or you need to redeploy the deployment for the draft. Proceed with caution. A deployment is not affected if you delete an existing key.

Add a key

Log on to the Realtime Compute for Apache Flink console. On the Fully Managed Flink tab, find the workspace that you want to manage and click Console in the Actions column.
In the left-side navigation pane, click Security. On the Security page, click the Secret Values tab.
On the Secret Values tab, click Add Secret Value. In the Add Secret Value dialog box, configure the Secret Name and Secret Value parameters.
Important
The value of the Secret Value parameter is case-sensitive.
Click OK.

Reference a key

After you add a key, you can reference the key that you configure in the DDL statement for an SQL draft or reference the key when you create a catalog on the UI. You can also reference the key in the Logging section on the Deployment Defaults tab of the Configurations page or the Logging section on the Configuration tab of the Deployments page.

Reference a key in the DDL statement for an SQL draft

In the left-side navigation pane, click SQL Editor.

In the Drafts pane of the SQL Editor page, double-click the desired draft. Then, write code in the SQL editor of the draft to reference the key.

To reference a key, write code in the ${secret_values.Name of the key} format. You need to only replace the name of the key in the code. Sample code:

CREATE TEMPORARY table datahub_source(
  name VARCHAR
) WITH (
  'connector' = 'datagen'
);

CREATE TEMPORARY table datahub_sink(
  name  VARCHAR  
) WITH (
  'connector'='datahub',
  'endpoint'='<yourEndpoint>',
  'project'='<yourProject>',
  'topic'='<yourTopic>',
  'accessId'='<yourAccessId>',
  'accessKey'='${secret_values.test_ak}'   -- The key named test_ak is referenced. Do not delete the secret_values prefix. 
);

INSERT INTO datahub_sink
SELECT 
  LOWER(name)
from datahub_source;

Reference a key in the Logging section

Go to the Logging section.
- For more information about how to configure parameters to export the logs of a deployment, see Configure parameters to export the logs of a deployment.
- For more information about how to configure parameters to export the logs of all deployments in a workspace, see Configure parameters to export the logs of all deployments in a workspace.

Reference a key in the Logging section.

The method of referencing a key in the Logging section is the same as the method of referencing a key in the DDL statement for an SQL draft. The following sample code shows how to reference a key when you configure parameters to export the logs of a deployment to Simple Log Service. For more information about the complete log output configuration, see Configure parameters to export logs of a deployment.

<Appender name="SLS" type="SLS">
  <Layout pattern="%d{yyyy-MM-dd HH:mm:ss,SSS}{GMT+8} %-5p %-60c %x - %m%n" type="PatternLayout" charset="UTF-8"/>  

  <!-- The final effective log path is: ${baseUri}/logs/${namespace}/${deploymentId}/{jobId}/ -->
  <Property name="namespace">{{ namespace }}</Property> <!-- Do not modify this line -->
  <Property name="project">YOUR-SLS-PROJECT</Property>  
  <Property name="logStore">YOUR-SLS-LOGSTORE</Property> 
  <Property name="endpoint">YOUR-SLS-ENDPOINT</Property> 
  <Property name="accessKeyId">${secret_values.accessKeyId}</Property> 
  <Property name="accessKeySecret">${secret_values.accessKeySecret}</Property> 
  <Property name="topic">{{ namespace }}:{{ deploymentId }}:{{ jobId }}</Property>
  <Property name="deploymentName">{{ deploymentName }}</Property>
  <Property name="flushIntervalSeconds">10</Property>
  <Property name="flushIntervalEventCount">100</Property>
</Appender>

Reference a key on the UI

When you create a catalog in the console of fully managed Flink, you can reference the key in the parameters in the Create Catalog dialog box.

In the left-side navigation pane of the console of fully managed Flink, click Catalogs.
In the Create Catalog dialog box, reference the key. The following example shows how to reference a key when you create a MySQL catalog.

References

For more information about how to develop an SQL draft, see Develop an SQL draft.
For more information about how to create and use a catalog, see Manage catalogs.
For more information about the connectors that are supported by fully managed Flink, see Supported connectors.