Couchbase and keystore passwords in plain text

I am using Kafka Connect Couchbase 4.1.11, when i get connector config using rest call to connector (/connectors/cbkc-name/config) then i am getting passwords in plain test of couchbase.password and

Same these 2 properties stored in plain test in config topic also. means passwords stowing in plain test in kafka topic as well in rest call endpoint.

Is there any way to hide this password, we had try by creating env variable like KAFKA_COUCHBASE_TRUST_STORE_PASSWORD and KAFKA_COUCHBASE_PASSWORD to override it but again connector assigning it to these properties.

Rest call response:

“connector.class”: “com.couchbase.connect.kafka.CouchbaseSourceConnector”,
“couchbase.persistence.polling.interval”: “0”,
“tasks.max”: “2”,
“”: “/run/secrets/keystores/truststore/pki-common-truststore.jks”,
“”: “Couchbase_Kafka_Connector_Black_Hole”,
“couchbase.seed.nodes”: “cluster-srv”,
“couchbase.source.handler”: “com.ResourceHandler”,
“couchbase.enable.tls”: “true”,
“couchbase.bucket”: “data.consistency”,
“”: “NOW”,
“couchbase.username”: “data-consistency”,
“”: “data-consistency”,
“name”: “consistency_Data_Consistency_Subscribe”,
“couchbase.password”: “=CB-Password”,
“”: “KS-Password”,
“couchbase.topic”: “Data_Consistency_Subscribe”

Hi @shyampa,

Does this article help?


By the way, recent versions of the connector no longer require the CA certificate live in a Java keystore (*.jks). If you prefer, you can put one or more certificates in PEM format in a text file, and point the connector at the file using the config property.

Alternatively, you can add certificates to the JVM’s cacerts file, and the connector will read them from there (unless you specify other certificates to trust).


Thanks to sharing this, Its not working. Currently we are reading creds from secrets only like

it is assigning to property and when api config api gets call, this property is showing plain text password.

it is assigning to property and when api config api gets call, this property is showing plain text password.

Interesting. This is out of the Couchbase connector’s control. I would make sure Kafka is upgraded to the latest version. If that doesn’t help, I would get in touch with the Kafka folks. If you have a support contract with a Kafka provider, it might be good to open a support ticket with them. Otherwise, might have some ideas.


Thanks David. I will check with confluent Kafka team if required then will raise ticket for this.

Hello @david.nault ,

ConfigProvider is working which will hide password from being print password in clear text.
Because of other env issue my changes didn’t worked for that reason i had said ConfigProvider is not working.

now in connector api response getting this :
“couchbase.password”: “${file:/secret-path/secret-name.yaml:password-key}”

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.