Class UamiCredentialProvider
java.lang.Object
io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.UamiCredentialProvider
- All Implemented Interfaces:
BearerAuthCredentialProvider, Closeable, AutoCloseable, org.apache.kafka.common.Configurable
UamiCredentialProvider is a BearerAuthCredentialProvider that authenticates
to Schema Registry using an Azure User Assigned Managed Identity (UAMI).
It retrieves a bearer token from the Azure Instance Metadata Service (IMDS) using
UamiJwtRetriever, caches the token via CachedOauthTokenRetriever, and
proactively refreshes it before expiry using OauthTokenCache.
Required configuration:
- SchemaRegistryClientConfig.BEARER_AUTH_UAMI_ENDPOINT_QUERY - The pre-formatted query string appended to the IMDS endpoint URL (e.g. api-version=2025-04-07&resource=https%3A%2F%2Fconfluent.azure.com&client_id=...).
Optional configuration:
- SchemaRegistryClientConfig.BEARER_AUTH_UAMI_ENDPOINT_URL - IMDS endpoint URL. Defaults to UamiJwtRetriever.DEFAULT_IMDS_ENDPOINT. Override for Azure Arc or non-standard environments.
- SchemaRegistryClientConfig.BEARER_AUTH_CACHE_EXPIRY_BUFFER_SECONDS - Seconds before token expiry to treat the cached token as stale. Defaults to 300.
- SchemaRegistryClientConfig.BEARER_AUTH_SCOPE_CLAIM_NAME - JWT claim used for scope. Defaults to scope; set to scp for standard Azure tokens.
- SchemaRegistryClientConfig.BEARER_AUTH_SUB_CLAIM_NAME - JWT claim used for subject. Defaults to sub.
- SchemaRegistryClientConfig.BEARER_AUTH_LOGICAL_CLUSTER - Target Schema Registry logical cluster ID.
- SchemaRegistryClientConfig.BEARER_AUTH_IDENTITY_POOL_ID - Target identity pool ID.
To activate, set:
bearer.auth.credentials.source=UAMI
bearer.auth.issuer.endpoint.query=api-version=2025-04-07&resource=...&client_id=...
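
The following is an added example, not code from the Schema Registry client: it builds the pre-formatted query string with each value URL-encoded and sets the two properties shown above. The class and method names (UamiConfigExample, imdsQuery, uamiProperties) are hypothetical, the parameter set follows the example query in this page, and the client_id is a constructed placeholder.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class UamiConfigExample {

    // Builds the query string handed to the provider. Every value is
    // URL-encoded and there is no leading '?', matching the documented form
    // api-version=...&resource=...&client_id=...
    static String imdsQuery(String apiVersion, String resource, String clientId) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("api-version", apiVersion);
        params.put("resource", resource);
        params.put("client_id", clientId);

        StringBuilder query = new StringBuilder();
        for (Map.Entry<String, String> p : params.entrySet()) {
            // Fail at configuration time instead of sending IMDS a partial query.
            if (p.getValue() == null || p.getValue().isBlank()) {
                throw new IllegalArgumentException("missing IMDS parameter: " + p.getKey());
            }
            if (query.length() > 0) {
                query.append('&');
            }
            query.append(p.getKey()).append('=')
                 .append(URLEncoder.encode(p.getValue(), StandardCharsets.UTF_8));
        }
        return query.toString();
    }

    // Only the two property keys spelled out in this page are set here.
    static Properties uamiProperties(String query) {
        Properties props = new Properties();
        props.setProperty("bearer.auth.credentials.source", "UAMI");
        props.setProperty("bearer.auth.issuer.endpoint.query", query);
        return props;
    }

    public static void main(String[] args) {
        // Constructed sample values; the client_id is a placeholder, not a real identity.
        String query = imdsQuery("2025-04-07", "https://confluent.azure.com",
                "00000000-0000-0000-0000-000000000000");
        System.out.println(query);
        uamiProperties(query).forEach((k, v) -> System.out.println(k + "=" + v));
    }
}
```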
-
Constructor Summary
Constructors -
Method Summary
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider
close
-
Constructor Details
-
UamiCredentialProvider
public UamiCredentialProvider()
-
-
Method Details
-
alias
- Specified by:
alias in interface BearerAuthCredentialProvider
-
getBearerToken
- Specified by:
getBearerToken in interface BearerAuthCredentialProvider
-
getTargetSchemaRegistry
- Specified by:
getTargetSchemaRegistry in interface BearerAuthCredentialProvider
-
getTargetIdentityPoolId
- Specified by:
getTargetIdentityPoolId in interface BearerAuthCredentialProvider
-
configure
- Specified by:
configure in interface org.apache.kafka.common.Configurable
-