Vault currently only supports client authentication using mutual TLS and SASL-SCRAM.
For each Vault service that communicates with Kafka, this requires one of the following:
mTLS: Client certificates signed by a CA with a chain of trust to a CA whose certificate is stored in Kafka's truststore. Clients may include intermediate CA certificates in their certificate list to establish this chain of trust. To learn more, see Configuring mutual TLS.
SASL-SCRAM: Client credentials, consisting of a username and password. To learn more, see Configuring SASL-SCRAM.
SASL-OAUTHBEARER: Client credentials, consisting of client ID and secret. To learn more, see Configuring SASL-OAUTHBEARER.
You must ensure that these client certificates or credentials are placed in HashiCorp Vault, in order for Vault services to use them. The Vault Installer supports the automatic generation of client certificates and credentials from a CA certificate and private key placed in HashiCorp Vault.
From Vault 4.0 onwards, the Vault Installer supports the automatic creation of Kafka ACLs (Access Control Lists) and the deletion of ACLs that are no longer required. This behaviour is optional and is off by default, so you must enable it explicitly to use it.
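The create-and-delete behaviour described above is a reconciliation between the set of ACLs the services need and the set currently on the cluster. The following is an added illustration of that reconciliation, not the Vault Installer's own code: the ACL fields follow Kafka's AclBinding model (principal, resource type, resource name, operation, permission), but the sample ACLs, principal names and the "managed principals" boundary are constructed assumptions. The boundary matters from an operational-safety standpoint: an installer that deletes "ACLs no longer required" should only ever delete ACLs belonging to principals it manages, so that ACLs granted to other tenants or to operators are never removed.

```python
"""Reconcile desired Kafka ACLs against the ACLs present on the cluster.

Added example, not the Vault Installer's implementation. Field names follow
Kafka's AclBinding model; all sample data below is constructed.
"""
from typing import NamedTuple, Set, Tuple


class Acl(NamedTuple):
    # Kafka's default principal builder yields "User:<cert subject DN>" for
    # mTLS clients and "User:<username>" for SASL clients.
    principal: str
    resource_type: str   # "Topic", "Group", "Cluster", ...
    resource_name: str
    operation: str       # "Read", "Write", "Describe", "All", ...
    permission: str = "Allow"


def reconcile(desired: Set[Acl], existing: Set[Acl],
              managed_principals: Set[str]) -> Tuple[Set[Acl], Set[Acl]]:
    """Return (to_create, to_delete).

    to_create: desired ACLs the cluster does not have yet.
    to_delete: ACLs on the cluster that are no longer desired, restricted to
               principals this installer manages so other tenants' and
               operators' ACLs are never touched.
    """
    to_create = desired - existing
    stale = existing - desired
    to_delete = {acl for acl in stale if acl.principal in managed_principals}
    return to_create, to_delete


# Constructed sample: what the services need after a release ...
DESIRED = {
    Acl("User:ingest-service", "Topic", "events", "Write"),
    Acl("User:api-service", "Topic", "events", "Read"),
    Acl("User:api-service", "Group", "api-consumers", "Read"),   # new this release
}

# ... and what is currently on the cluster (constructed).
EXISTING = {
    Acl("User:ingest-service", "Topic", "events", "Write"),
    Acl("User:api-service", "Topic", "events", "Read"),
    Acl("User:api-service", "Topic", "events", "Write"),        # no longer required
    Acl("User:platform-ops", "Topic", "*", "All"),              # not ours; must survive
}

MANAGED = {"User:ingest-service", "User:api-service"}


def sample_plan() -> Tuple[Set[Acl], Set[Acl]]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(DESIRED, EXISTING, MANAGED)


if __name__ == "__main__":
    create, delete = sample_plan()
    for acl in sorted(create):
        print("CREATE", acl)
    for acl in sorted(delete):
        print("DELETE", acl)
```

Run stand-alone, the plan creates the new consumer-group ACL for api-service, deletes the stale Write ACL for api-service, and leaves the platform-ops ACL untouched even though it is not in the desired set.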
From Vault 4.4 onwards, the release.json release artifact can be used to aid with manually generating client certificates, SCRAM credentials or OAUTHBEARER credentials. It includes the content of the kafka_principals_info.json artifact (Vault 3.0 onwards), which details the HashiCorp Vault KV engine secret path at which each credential must be stored, along with the keys expected in the secret at that path. This release artifact is documented in the Vault installation guide.
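To make the relationship between the three mechanisms, the KV secrets and the resulting Kafka client settings concrete, here is an added example that is not the Vault Installer's code and does not use the real release.json or kafka_principals_info.json formats. The secret paths, the per-mechanism key names and the in-memory stand-in for the KV engine are all constructed assumptions; the output uses librdkafka-style configuration property names. The practitioner-relevant points it shows are that each mechanism has its own minimal set of secret keys, that a secret missing a required key should fail loudly before any broker connection is attempted, and that for mTLS the leaf certificate is followed by the intermediate CA certificates so the broker can walk the chain to the CA in its truststore.

```python
"""Assemble Kafka client settings for one Vault service from a KV secret.

Added example, not the Vault Installer's implementation. The principal
record shape, secret paths and key names are assumptions; the output keys
follow librdkafka property names.
"""
from typing import Dict

# Minimum secret keys each mechanism needs (key names are assumed).
REQUIRED_KEYS = {
    "mtls": {"client_cert", "client_key", "ca_chain"},
    "scram": {"username", "password"},
    "oauthbearer": {"client_id", "client_secret", "token_endpoint"},
}

# Constructed stand-in for the KV engine: secret path -> secret data.
FAKE_KV: Dict[str, Dict[str, str]] = {
    "secret/kafka/ingest-service/mtls": {
        "client_cert": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",
        "client_key": "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----",
        "ca_chain": "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----",
    },
    "secret/kafka/api-service/scram": {
        "username": "api-service",
        "password": "constructed-example-only",
    },
    # Deliberately incomplete: client_secret and token_endpoint are absent.
    "secret/kafka/audit-service/oauth": {"client_id": "audit-service"},
}


def read_secret(path: str) -> Dict[str, str]:
    """Stand-in for a KV read; raises if the path does not exist."""
    try:
        return FAKE_KV[path]
    except KeyError:
        raise LookupError(f"no secret stored at {path}") from None


def build_client_config(mechanism: str, secret_path: str) -> Dict[str, str]:
    """Validate the secret for `mechanism` and map it to client properties."""
    if mechanism not in REQUIRED_KEYS:
        raise ValueError(f"unsupported mechanism: {mechanism}")
    data = read_secret(secret_path)
    missing = REQUIRED_KEYS[mechanism] - set(data)
    if missing:
        # Fail before any broker connection is attempted.
        raise ValueError(f"{secret_path} is missing keys: {sorted(missing)}")

    if mechanism == "mtls":
        return {
            "security.protocol": "SSL",
            # Leaf first, then intermediates: the broker walks this chain to
            # a CA certificate held in its truststore.
            "ssl.certificate.pem": data["client_cert"] + "\n" + data["ca_chain"],
            "ssl.key.pem": data["client_key"],
        }
    if mechanism == "scram":
        return {
            "security.protocol": "SASL_SSL",
            "sasl.mechanism": "SCRAM-SHA-512",
            "sasl.username": data["username"],
            "sasl.password": data["password"],
        }
    return {
        "security.protocol": "SASL_SSL",
        "sasl.mechanism": "OAUTHBEARER",
        "sasl.oauthbearer.method": "oidc",
        "sasl.oauthbearer.client.id": data["client_id"],
        "sasl.oauthbearer.client.secret": data["client_secret"],
        "sasl.oauthbearer.token.endpoint.url": data["token_endpoint"],
    }


if __name__ == "__main__":
    print(build_client_config("mtls", "secret/kafka/ingest-service/mtls"))
    print(build_client_config("scram", "secret/kafka/api-service/scram"))
    try:
        build_client_config("oauthbearer", "secret/kafka/audit-service/oauth")
    except ValueError as exc:
        print("rejected:", exc)
```

The SCRAM and mTLS secrets produce complete client settings; the OAUTHBEARER secret is rejected with a message naming the absent keys, which is the check a deployment pipeline should run against every principal listed in the release artifact before rolling services out.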