> ## Documentation Index
> Fetch the complete documentation index at: https://docs.risingwave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CREATE SECRET

> Use the `CREATE SECRET` command to create secrets to store sensitive credentials securely.

<Tip>
  **PREMIUM FEATURE**

  This is a premium feature. For a comprehensive overview of all premium features and their usage, please see [RisingWave premium features](/get-started/premium-features).
</Tip>

## Syntax

```sql meta as backend theme={null}
CREATE SECRET secret_name WITH ( backend = 'meta' ) AS 'your_secret';
```

```sql hashicorp_vault as backend theme={null}
CREATE SECRET secret_name
WITH (
  backend = 'hashicorp_vault',
  addr = '<Vault server address>',
  path = '<Vault KV path>',
  field = '<field_to_extract>',
  auth_method = '<token|approle>',
  -- For token authentication:
  auth_token = '<vault_token>',
  -- For approle authentication:
  auth_role_id = '<role_id>',
  auth_secret_id = '<secret_id>',
  tls_skip_verify = 'true'
) AS NULL;
```

## Parameters

### General

| Parameter or Clause | Description                                                                                                                       |
| :------------------ | :-------------------------------------------------------------------------------------------------------------------------------- |
| secret\_name        | The name of the secret to be created. This should be a unique identifier within the system.                                       |
| backend             | Specifies the backend where the secret will be stored. Supported backend options are `hashicorp_vault` (since v2.6.0) and `meta`. |

### meta as backend

| Parameter or Clause | Description                                       |
| :------------------ | :------------------------------------------------ |
| your\_secret        | The secret value that you wish to store securely. |

### hashicorp\_vault as backend

| Parameter or Clause | Description                                                                                                                                                             |
| :------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| addr                | Address of the Vault server (e.g., `http://vault-server:8200`).                                                                                                         |
| path                | Path to the secret in Vault KV store (e.g., `secret/data/myapp/db`). Fetch the secret JSON from a URL such as `{addr}/v1/{path}` and get the `{field}` from JSON.       |
| field               | Optional. The field to extract from the secret (e.g., `password`).                                                                                                      |
| auth\_method        | Specify authentication methods. Supported methods are `token` (use Vault tokens for direct access) and `approle` (use role-based authentication for enhanced security). |
| auth\_token         | Vault token (for token auth)                                                                                                                                            |
| auth\_role\_id      | Role ID (for AppRole auth)                                                                                                                                              |
| auth\_secret\_id    | Secret ID (for AppRole auth)                                                                                                                                            |
| tls\_skip\_verify   | Optional. Disables TLS verification.                                                                                                                                    |
| AS NULL             | The AS clause has to be NULL.                                                                                                                                           |

## Examples

### `meta` as backend

We create a secret named `mysql_pwd`, and then use it in the `WITH` clause. After that, we use the `SHOW CREATE SOURCE` command to view the password. As shown in the result, the MySQL password is hidden, ensuring no secret leaks.

```sql theme={null}
CREATE SECRET mysql_pwd WITH ( backend = 'meta' ) AS '123';
```

```sql theme={null}
CREATE SOURCE mysql_source WITH (
 connector = 'mysql-cdc',
 hostname = 'localhost',
 port = '8306',
 username = 'rwcdc',
 password = secret mysql_pwd,
 database.name = 'test',
 server.id = '5601'
);
```

```sql theme={null}
SHOW CREATE SOURCE mysql_source;

---RESULT
--- public.mysql_mydb | CREATE SOURCE mysql_mydb WITH (connector = 'mysql-cdc', hostname = 'mysql', port = '3306', username = 'root', password = secret mysql_pwd, database.name = 'mydb', server.id = '2') FORMAT PLAIN ENCODE JSON
```

### `hashicorp_vault` as backend

Create the secret using token authentication:

```sql theme={null}
CREATE SECRET vault_token_secret
WITH (
  backend = 'hashicorp_vault',
  addr = 'http://vault-server:8200',
  path = 'secret/data/myapp/db',
  field = 'password',
  auth_method = 'token',
  auth_token = 'root-token',
  tls_skip_verify = 'true'
) AS NULL;
```

Create the secret using AppRole authentication:

```sql theme={null}
CREATE SECRET approle_kafka_user
WITH (
  backend = 'hashicorp_vault',
  addr = 'https://vault.example.com',
  path = 'secret/data/myapp/kafka',
  field = 'username',
  auth_method = 'approle',
  auth_role_id = '<your_role_id>',
  auth_secret_id = '<your_secret_id>'
) AS NULL;

```

## See also

<CardGroup>
  <Card title="Manage secrets" icon="key" icontype="solid" href="/operate/manage-secrets">
    A comprehensive guide for secret management operations
  </Card>

  <Card title="DROP SECRET" icon="trash" iconType="solid" href="/sql/commands/sql-drop-secret">
    Dropping a secret
  </Card>
</CardGroup>
