Spring Cloud Azure Kafka support
This article applies to: ✔️ Version 4.19.0 ✔️ Version 5.18.0
From version 4.3.0, Spring Cloud Azure for Kafka supports various types of credentials to authenticate and connect to Azure Event Hubs.
Supported Kafka version
The current version of the starter should be compatible with Apache Kafka Clients 2.0.0 using Java 8 or higher.
Supported authentication types
The following authentication types are supported:
- Plain connection string authentication
- Direct connection string authentication
- ARM-based connection string authentication
- OAuth credential authentication
- Managed identity authentication
- Username/password authentication
- Service principal authentication
DefaultAzureCredential
authentication
How it works
OAuth credential authentication
This section describes the overall workflow of Spring Cloud Azure OAuth authentication.
Spring Cloud Azure will first build one of the following types of credentials depending on the application authentication configuration:
ClientSecretCredential
ClientCertificateCredential
UsernamePasswordCredential
ManagedIdentityCredential
If none of these types of credentials are found, the credential chain via DefaultAzureTokenCredential
will be used to obtain credentials from application properties, environment variables, managed identity, or IDEs. For detailed information, see Spring Cloud Azure authentication.
Plain connection string authentication
For the connection string authentication mode, you can use connection string authentication directly or use the Azure Resource Manager to retrieve the connection string. For more information about the usage, see the Basic usage for connection string authentication section.
Note
Since version of 4.3.0, connection string authentication is deprecated in favor of OAuth authentications.
Configuration
Configurable properties when using Kafka support with OAuth authentication
Spring Cloud Azure for Kafka supports the following two levels of configuration options:
- Spring Cloud Azure for Event Hubs Kafka properties.
- The global authentication configuration options of
credential
andprofile
with prefixes ofspring.cloud.azure
. - Kafka-specific level configurations. The Kafka-level configurations are also available for Spring Boot and Spring Cloud Stream binders for
common
,consumer
,producer
, oradmin
scopes, which have different prefixes.
The global properties are exposed via com.azure.spring.cloud.autoconfigure.context.AzureGlobalProperties
. The Kafka-specific properties are exposed via org.springframework.boot.autoconfigure.kafka.KafkaProperties
(Spring Boot) and org.springframework.cloud.stream.binder.kafka.properties.KafkaBinderConfigurationProperties
(Spring Cloud Stream binder).
The following list shows all supported configuration options.
Spring Cloud Azure for Event Hubs Kafka properties.
- Property:
spring.cloud.azure.eventhubs.kafka.enabled
- Description: whether to enable credential free connection to Azure Event Hubs for Kafka, the default value is
true
.
- Property:
The Spring Cloud Azure global authentication configuration options
- Prefix:
spring.cloud.azure
- Supported options:
spring.cloud.azure.credential.*
,spring.cloud.azure.profile.*
For the full list of global configuration options, see Global configuration properties.
- Prefix:
Spring Boot Kafka common configuration
- Prefix:
spring.kafka.properties.azure
- Example:
spring.kafka.properties.azure
.credential.*
- Prefix:
Spring Kafka consumer configuration options
- Prefix:
spring.kafka.consumer.properties.azure
- Example:
spring.kafka.consumer.properties.azure
.credential.*
- Prefix:
Spring Kafka producer configuration options
- Prefix:
spring.kafka.producer.properties.azure
- Example:
spring.kafka.producer.properties.azure
.credential.*
- Prefix:
Spring Kafka admin configuration options
- Prefix:
spring.kafka.admin.properties.azure
- Example:
spring.kafka.admin.properties.azure
.credential.*
- Prefix:
Spring Cloud Stream Kafka Binder common configuration
- Prefix:
spring.cloud.stream.kafka.binder.configuration.azure
- Example:
spring.cloud.stream.kafka.binder.configuration.azure
.credential.*
- Prefix:
Spring Cloud Stream Kafka Binder consumer configuration
- Prefix:
spring.cloud.stream.kafka.binder.consumer-properties.azure
- Example:
spring.cloud.stream.kafka.binder.consumer-properties.azure
.credential.*
- Prefix:
Spring Cloud Stream Kafka Binder producer configuration
- Prefix:
spring.cloud.stream.kafka.binder.producer-properties.azure
- Example:
spring.cloud.stream.kafka.binder.producer-properties.azure
.credential.*
- Prefix:
Spring Cloud Stream Kafka Binder admin configuration
- Prefix: Not supported, should use Spring Boot Kafka common or admin configuration.
The following table shows the Spring Boot Kafka common configuration options:
Name | Description |
---|---|
spring.kafka.properties.azure.credential.client-certificate-password | Password of the certificate file. |
spring.kafka.properties.azure.credential.client-certificate-path | Path of a PEM certificate file to use when performing service principal authentication with Azure. |
spring.kafka.properties.azure.credential.client-id | Client ID to use when performing service principal authentication with Azure. This is a legacy property. |
spring.kafka.properties.azure.credential.client-secret | Client secret to use when performing service principal authentication with Azure. This is a legacy property. |
spring.kafka.properties.azure.credential.managed-identity-enabled | Whether to enable managed identity to authenticate with Azure. If true and the client-id is set, will use the client ID as user assigned managed identity client ID. The default value is false. |
spring.kafka.properties.azure.credential.password | Password to use when performing username/password authentication with Azure. |
spring.kafka.properties.azure.credential.username | Username to use when performing username/password authentication with Azure. |
spring.kafka.properties.azure.profile.environment.active-directory-endpoint | The Microsoft Entra endpoint to connect to. |
spring.kafka.properties.azure.profile.tenant-id | Tenant ID for Azure resources. The values allowed for tenant-id are: common , organizations , consumers , or the tenant ID. |
Note
The configuration options in different levels apply the following rules. The more specific configuration options have higher priority than the common ones. For example:
- Spring Kafka common configuration options supersede the global options.
- Spring Kafka consumer configuration options supersede the common options.
- Spring Kafka producer configuration options supersede the common options.
- Spring Kafka admin configuration options supersede the common options.
- The Spring Cloud Stream Kafka Binder options are just like the above.
Configurable properties when using Kafka support with plain connection string authentication
The following table shows the Spring Boot Event Hubs for Kafka common configuration options:
Property | Description |
---|---|
spring.cloud.azure.eventhubs.kafka.enabled | Whether to enable the Azure Event Hubs Kafka support. The default value is true. |
spring.cloud.azure.eventhubs.connection-string | Azure Event Hubs connection string. Provide this value when you want to provide the connection string directly. |
spring.cloud.azure.eventhubs.namespace | Azure Event Hubs namespace. Provide this value when you want to retrieve the connection information through Azure Resource Manager. |
spring.cloud.azure.eventhubs.resource.resource-group | The resource group of Azure Event Hubs namespace. Provide this value when you want to retrieve the connection information through Azure Resource Manager. |
spring.cloud.azure.profile.subscription-id | The subscription ID. Provide this value when you want to retrieve the connection information through Azure Resource Manager. |
Dependency setup
Add the following dependency to your project. This will automatically include the spring-boot-starter
dependency in your project transitively.
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-starter</artifactId>
</dependency>
Note
Remember to add the BOM spring-cloud-azure-dependencies
along with the above dependency. For details, see the Getting started section of the Spring Cloud Azure developer guide.
Basic usage
The following sections show the classic Spring Boot application usage scenarios.
Use OAuth authentication
When you use the OAuth authentication provided by Spring Cloud Azure for Kafka, you can configure the specific credentials using the above configurations. Alternatively, you can choose to configure nothing about credentials, in which case Spring Cloud Azure will load the credentials from the environment. This section describes the usages that load the credentials from the Azure CLI environment or the Azure Spring Apps hosting environment.
Note
If you choose to use a security principal to authenticate and authorize with Microsoft Entra ID for accessing an Azure resource, see the Authorize access with Microsoft Entra ID section to make sure the security principal has been granted the sufficient permission to access the Azure resource.
The following section describes the scenarios using different Spring ecosystem libraries with OAuth authentication.
Spring Kafka application support
This section describes the usage scenario for Spring Boot application using Spring Kafka or Spring Integration Kafka library.
Dependency setup
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-starter</artifactId>
</dependency>
<!-- Using Spring Kafka library only-->
<dependency>
<groupId>org.springframework.kafka</groupId>
<artifactId>spring-kafka</artifactId>
<version>{version}</version><!--Need to be set, for example:2.8.6-->
</dependency>
<!-- Using Spring Integration library only -->
<dependency>
<groupId>org.springframework.integration</groupId>
<artifactId>spring-integration-kafka</artifactId>
<version>{version}</version><!--Need to be set, for example:5.5.12-->
</dependency>
Configuration update
To use the OAuth authentication, just specify the Event Hubs endpoint, as shown in the following example:
spring.kafka.bootstrap-servers=<NAMESPACENAME>.servicebus.windows.net:9093
Spring Cloud Stream binder Kafka application support
This section describes the usage scenario for Spring Boot applications using the Spring Cloud Stream binder Kafka library.
Dependency setup
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-stream-kafka</artifactId>
<version>{version}</version><!--Need to be set, for example:3.2.3-->
</dependency>
Configuration
To use the OAuth authentication, just specify the Event Hubs endpoint as shown in the following example:
spring.cloud.stream.kafka.binder.brokers=<NAMESPACENAME>.servicebus.windows.net:9093
Note
If you're using version 4.3.0
, don't forget to set the spring.cloud.stream.binders.<kafka-binder-name>.environment.spring.main.sources=com.azure.spring.cloud.autoconfigure.kafka.AzureKafkaSpringCloudStreamConfiguration
property to enable the whole OAuth authentication workflow, where kafka-binder-name
is kafka
by default in a single Kafka binder application. The configuration AzureKafkaSpringCloudStreamConfiguration
specifies the OAuth security parameters for KafkaBinderConfigurationProperties
, which is used in KafkaOAuth2AuthenticateCallbackHandler
to enable Azure Identity.
For version after 4.4.0
, this property will be added automatically for each Kafka binder environment, so there's no need for you to add it manually.
Use managed identity for OAuth authentication
To use the managed identity, you need enable the managed identity for your service and assign the
Azure Event Hubs Data Receiver
andAzure Event Hubs Data Sender
roles. For more information, see Assign Azure roles for access rights.Configure the following properties in your application.yml file:
spring: cloud: azure: credential: managed-identity-enabled: true
Important
If you're using user-assigned managed identity, you also need to add the property
spring.cloud.azure.credential.client-id
with your user-assigned managed identity client ID.
Samples
See the azure-spring-boot-samples repository on GitHub.
Use connection string authentication
You can use connection string authentication directly or use the Azure Resource Manager to retrieve the connection string.
Note
Since version of 4.3.0, connection string authentication is deprecated in favor of OAuth authentications.
Since version of 4.5.0, when using connection string authentication with Spring Cloud Stream framework, the following property is required to ensure that the connection string can take effect, where the value of <kafka-binder-name>
should be kafka
when there is no customized configuration for your Kafka binder name.
spring.cloud.stream.binders.<kafka-binder-name>.environment.spring.main.sources=com.azure.spring.cloud.autoconfigure.eventhubs.kafka.AzureEventHubsKafkaAutoConfiguration
Dependency setup
Add the following dependencies if you want to migrate your Apache Kafka application to use Azure Event Hubs for Kafka.
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-starter</artifactId>
</dependency>
If you want to retrieve the connection string using Azure Resource Manager, add the following dependency:
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-resourcemanager</artifactId>
</dependency>
Configuration
Use Event Hubs connection string directly
The simplest way to connect to Event Hubs for Kafka is with the connection string. Just add the following property.
spring.cloud.azure.eventhubs.connection-string=${AZURE_EVENTHUBS_CONNECTION_STRING}
Use Azure Resource Manager to retrieve connection string
If you don't want to configure the connection string in your application, you can use Azure Resource Manager to retrieve the connection string. To authenticate with Azure Resource Manager, you can also use credentials stored in Azure CLI or another local development tool such as Visual Studio Code or Intellij IDEA. Alternately, you can use Managed Identity if your application is deployed to Azure Cloud. Just be sure the principal has sufficient permission to read resource metadata.
Note
If you choose to use a security principal to authenticate and authorize with Microsoft Entra ID for accessing an Azure resource, see the Authorize access with Microsoft Entra ID section to be sure the security principal has been granted the sufficient permission to access the Azure resource.
To use Azure Resource Manager to retrieve the connection string, just add the following property.
spring:
cloud:
azure:
profile:
subscription-id: ${AZURE_SUBSCRIPTION_ID}
eventhubs:
namespace: ${AZURE_EVENTHUBS_NAMESPACE}
resource:
resource-group: ${AZURE_EVENTHUBS_RESOURCE_GROUP}
Samples
See the azure-spring-boot-samples repository on GitHub.