CREATE CONNECTION
A connection describes how to connect and authenticate to an external system youwant Materialize to read from or write to. Once created, a connectionisreusable across multipleCREATE SOURCE andCREATE SINK statements.
To use credentials that contain sensitive information (like passwords and SSLkeys) in a connection, you must firstcreate secrets tosecurely store each credential in Materialize’s secret management system.Credentials that are generally not sensitive (like usernames and SSLcertificates) can be specified as plaintext, or also stored as secrets.
Source and sink connections
AWS
An Amazon Web Services (AWS) connection provides Materialize with access to anIdentity and Access Management (IAM) user or role in your AWS account. You canuse AWS connections to performbulk exports to Amazon S3,performauthentication with an Amazon MSK cluster, orperformauthentication with an Amazon RDS MySQL database.
Connection options
Field | Value | Description |
|---|---|---|
ENDPOINT | text | Advanced. Override the default AWS endpoint URL. Allows targeting S3-compatible services like MinIO. |
REGION | text | The AWS region to connect to. |
ACCESS KEY ID | secret ortext | The access key ID to connect with. Triggers credentials-based authentication. Warning! Use of credentials-based authentication is deprecated. AWS strongly encourages the use of role assumption-based authentication instead. |
SECRET ACCESS KEY | secret | The secret access key corresponding to the specified access key ID. Required and only valid when ACCESS KEY ID is specified. |
SESSION TOKEN | secret ortext | The session token corresponding to the specified access key ID. Only valid when ACCESS KEY ID is specified. |
ASSUME ROLE ARN | text | The Amazon Resource Name (ARN) of the IAM role to assume. Triggers role assumption-based authentication. |
ASSUME ROLE SESSION NAME | text | The session name to use when assuming the role. Only valid when ASSUME ROLE ARN is specified. |
WITH options
| Field | Value | Description |
|---|---|---|
VALIDATE | boolean | Whetherconnection validation should be performed on connection creation. Defaults to false. |
Permissions
When using role assumption-based authentication, you must configure atrustpolicy on the IAM role that permits Materialize to assume the role.
Materialize always uses the following IAM principal to assume the role:
arn:aws:iam::664411391173:role/MaterializeConnectionMaterialize additionally generates anexternal ID which uniquely identifiesyour AWS connection across all Materialize regions. To ensure that otherMaterialize customers cannot assume your role, your IAM trust policymustconstrain access to only the external ID that Materialize generates for theconnection:
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::664411391173:role/MaterializeConnection"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"<EXTERNAL ID FOR CONNECTION>"}}}]}You can retrieve the external ID for the connection, as well as an example trustpolicy, by querying themz_internal.mz_aws_connectionstable:
SELECTid,external_id,example_trust_policyFROMmz_internal.mz_aws_connections;Examples
In this example, we have created the following IAM role for Materialize toassume:
| Name | AWS account ID | Trust policy |
|---|---|---|
WarehouseExport | 000000000000 | |
To create an AWS connection that will assume theWarehouseExport role:
CREATECONNECTIONaws_role_assumptionTOAWS(ASSUMEROLEARN='arn:aws:iam::000000000000:role/WarehouseExport');To create an AWS connection that uses static access key credentials:
CREATESECRETaws_secret_access_keyAS'...';CREATECONNECTIONaws_credentialsTOAWS(ACCESSKEYID='ASIAV2KIV5LPTG6HGXG6',SECRETACCESSKEY=SECRETaws_secret_access_key);Kafka
A Kafka connection establishes a link to aKafka cluster. You can use Kafkaconnections to createsources andsinks.
Syntax
Connection options
Field | Value | Description |
|---|---|---|
BROKER | text | The Kafka bootstrap server. Exactly one of BROKER,BROKERS, orAWS PRIVATELINK must be specified. |
BROKERS | text[] | A comma-separated list of Kafka bootstrap servers. Exactly one of BROKER,BROKERS, orAWS PRIVATELINK must be specified. |
SECURITY PROTOCOL | text | The security protocol to use:PLAINTEXT,SSL,SASL_PLAINTEXT, orSASL_SSL.Defaults to SASL_SSL if anySASL ... options are specified or if theAWS CONNECTION option is specified, otherwise defaults toSSL. |
SASL MECHANISMS | text | The SASL mechanism to use for authentication:PLAIN,SCRAM-SHA-256, orSCRAM-SHA-512. Despite the name, this option only allows a single mechanism to be specified.Required if the security protocol is SASL_PLAINTEXT orSASL_SSL.Cannot be specified if AWS CONNECTION is specified. |
SASL USERNAME | secret ortext | Your SASL username. Required and only valid when the security protocol is SASL_PLAINTEXT orSASL_SSL. |
SASL PASSWORD | secret | Your SASL password. Required and only valid when the security protocol is SASL_PLAINTEXT orSASL_SSL. |
SSL CERTIFICATE AUTHORITY | secret ortext | The certificate authority (CA) certificate in PEM format. Used to validate the brokers’ TLS certificates. If unspecified, uses the system’s default CA certificates. Only valid when the security protocol is SSL orSASL_SSL. |
SSL CERTIFICATE | secret ortext | Your TLS certificate in PEM format for SSL client authentication. If unspecified, no client authentication is performed. Only valid when the security protocol is SSL orSASL_SSL. |
SSL KEY | secret | Your TLS certificate’s key in PEM format. Required and only valid when SSL CERTIFICATE is specified. |
SSH TUNNEL | object name | The name of anSSH tunnel connection to route network traffic through by default. |
AWS CONNECTION | object name | The name of anAWS connection to use when performing IAM authentication with an Amazon MSK cluster. Only valid if the security protocol is SASL_PLAINTEXT orSASL_SSL. |
AWS PRIVATELINK | object name | The name of anAWS PrivateLink connection to route network traffic through. Exactly one of BROKER,BROKERS, orAWS PRIVATELINK must be specified. |
PROGRESS TOPIC | text | The name of a topic that Kafka sinks can use to track internal consistency metadata. Default:_materialize-progress-{REGION ID}-{CONNECTION ID}. |
PROGRESS TOPIC REPLICATION FACTOR | int | The partition count to use when creating the progress topic (if the Kafka topic does not already exist). Default: Broker’s default. |
WITH options
| Field | Value | Description |
|---|---|---|
VALIDATE | boolean | Whetherconnection validation should be performed on connection creation. Defaults to true. |
To connect to a Kafka cluster with multiple bootstrap servers, use theBROKERSoption:
CREATECONNECTIONkafka_connectionTOKAFKA(BROKERS('broker1:9092','broker2:9092'));Security protocol examples
PLAINTEXT security protocol unlessyou are using anetwork security connectionto tunnel into a private network, as shown below.CREATECONNECTIONkafka_connectionTOKAFKA(BROKER'unique-jellyfish-0000.prd.cloud.redpanda.com:9092',SECURITYPROTOCOL='PLAINTEXT',SSHTUNNELssh_connection);With both TLS encryption and TLS client authentication:
CREATESECRETkafka_ssl_certAS'-----BEGIN CERTIFICATE----- ...';CREATESECRETkafka_ssl_keyAS'-----BEGIN PRIVATE KEY----- ...';CREATESECRETca_certAS'-----BEGIN CERTIFICATE----- ...';CREATECONNECTIONkafka_connectionTOKAFKA(BROKER'rp-f00000bar.cloud.redpanda.com:30365',SECURITYPROTOCOL='SSL'SSLCERTIFICATE=SECRETkafka_ssl_cert,SSLKEY=SECRETkafka_ssl_key,-- Specifying a certificate authority is only required if your cluster's-- certificates are not issued by a CA trusted by the Mozilla root store.SSLCERTIFICATEAUTHORITY=SECRETca_cert);With only TLS encryption:
CREATESECRETca_certAS'-----BEGIN CERTIFICATE----- ...';CREATECONNECTIONkafka_connectionTOKAFKA(BROKER='rp-f00000bar.cloud.redpanda.com:30365',SECURITYPROTOCOL='SSL',SSHTUNNELssh_connection,-- Specifying a certificate authority is only required if your cluster's-- certificates are not issued by a CA trusted by the Mozilla root store.SSLCERTIFICATEAUTHORITY=SECRETca_cert);SASL_PLAINTEXT security protocol unlessyou are using anetwork security connectionto tunnel into a private network, as shown below.CREATESECRETkafka_passwordAS'...';CREATECONNECTIONkafka_connectionTOKAFKA(BROKER'unique-jellyfish-0000.us-east-1.aws.confluent.cloud:9092',SECURITYPROTOCOL='SASL_PLAINTEXT',SASLMECHANISMS='SCRAM-SHA-256',-- or `PLAIN` or `SCRAM-SHA-512`SASLUSERNAME='foo',SASLPASSWORD=SECRETkafka_password,SSHTUNNELssh_connection);CREATESECRETkafka_passwordAS'...';CREATESECRETca_certAS'-----BEGIN CERTIFICATE----- ...';CREATECONNECTIONkafka_connectionTOKAFKA(BROKER'unique-jellyfish-0000.us-east-1.aws.confluent.cloud:9092',SECURITYPROTOCOL='SASL_SSL',SASLMECHANISMS='SCRAM-SHA-256',-- or `PLAIN` or `SCRAM-SHA-512`SASLUSERNAME='foo',SASLPASSWORD=SECRETkafka_password,-- Specifying a certificate authority is only required if your cluster's-- certificates are not issued by a CA trusted by the Mozilla root store.SSLCERTIFICATEAUTHORITY=SECRETca_cert);CREATECONNECTIONaws_mskTOAWS(ASSUMEROLEARN='arn:aws:iam::000000000000:role/MaterializeMSK');CREATECONNECTIONkafka_mskTOKAFKA(BROKER'msk.mycorp.com:9092',SECURITYPROTOCOL='SASL_SSL',AWSCONNECTION=aws_msk);Network security
If your Kafka broker is not exposed to the public internet, you can tunnel theconnection through an AWS PrivateLink service or an SSH bastion host.
Depending on the hosted service you are connecting to, you might need to specifya PrivateLink connectionper advertised broker(e.g. Amazon MSK), or a singledefault PrivateLink connection (e.g. Redpanda Cloud).
Broker connection syntax
BROKERS clause, Materialize will attempt to connect tothose brokers without any tunneling.kafka_broker
broker_option
TheUSING clause specifies that Materialize should connect to the designatedbroker via an AWS PrivateLink service. Brokers do not need to be configured thesame way, but the clause must be individually attached to each broker that youwant to connect to via the tunnel.
Broker connection options
| Field | Value | Required | Description |
|---|---|---|---|
AWS PRIVATELINK | object name | ✓ | The name of anAWS PrivateLink connection through which network traffic for this broker should be routed. |
AVAILABILITY ZONE | text | The ID of the availability zone of the AWS PrivateLink service in which the broker is accessible. If unspecified, traffic will be routed to each availability zone declared in theAWS PrivateLink connection in sequence until the correct availability zone for the broker is discovered. If specified, Materialize will always route connections via the specified availability zone. | |
PORT | integer | The port of the AWS PrivateLink service to connect to. Defaults to the broker’s port. |
Example
Suppose you have the following infrastructure:
A Kafka cluster consisting of two brokers named
broker1andbroker2,both listening on port 9092.A Network Load Balancer that forwards port 9092 to
broker1:9092and port9093 tobroker2:9092.A PrivateLink endpoint service attached to the load balancer.
You can create a connection to this Kafka broker in Materialize like so:
CREATECONNECTIONprivatelink_svcTOAWSPRIVATELINK(SERVICENAME'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc',AVAILABILITYZONES('use1-az1','use1-az4'));CREATECONNECTIONkafka_connectionTOKAFKA(BROKERS('broker1:9092'USINGAWSPRIVATELINKprivatelink_svc,'broker2:9092'USINGAWSPRIVATELINKprivatelink_svc(PORT9093)));Default connections
Redpanda Cloud) does not requirelisting every broker individually. In this case, you should specify aPrivateLink connection and the port of the bootstrap server instead.
Default connection syntax
Default connection options
| Field | Value | Required | Description |
|---|---|---|---|
AWS PRIVATELINK | object name | ✓ | The name of anAWS PrivateLink connection through which network traffic for this broker should be routed. |
PORT | integer | The port of the AWS PrivateLink service to connect to. Defaults to the broker’s port. |
Example
CREATECONNECTIONprivatelink_svcTOAWSPRIVATELINK(SERVICENAME'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc',AVAILABILITYZONES('use1-az1'));CREATECONNECTIONkafka_connectionTOKAFKA(AWSPRIVATELINK(PORT30292)SECURITYPROTOCOL='SASL_PLAINTEXT',SASLMECHANISMS='SCRAM-SHA-256',SASLUSERNAME='foo',SASLPASSWORD=SECRETred_panda_password);For step-by-step instructions on creating AWS PrivateLink connections andconfiguring an AWS PrivateLink service to accept connections from Materialize,checkthis guide.
Syntax
SSH TUNNEL and your Kafkacluster advertises brokers that are not listed in theBROKERS clause,Materialize will attempt to connect to those brokers without any tunneling.kafka_broker
TheUSING clause specifies that Materialize should connect to the designatedbroker via an SSH bastion server. Brokers do not need to be configured the sameway, but the clause must be individually attached to each broker that you wantto connect to via the tunnel.
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
SSH TUNNEL | object name | ✓ | The name of anSSH tunnel connection through which network traffic for this broker should be routed. |
Example
Using a default SSH tunnel:
CREATECONNECTIONssh_connectionTOSSHTUNNEL(HOST'<SSH_BASTION_HOST>',USER'<SSH_BASTION_USER>',PORT<SSH_BASTION_PORT>);CREATECONNECTIONkafka_connectionTOKAFKA(BROKER'broker1:9092',SSHTUNNELssh_connection);Using different SSH tunnels for each broker, with a default for brokers that arenot listed:
CREATECONNECTIONssh1TOSSHTUNNEL(HOST'ssh1',...);CREATECONNECTIONssh2TOSSHTUNNEL(HOST'ssh2',...);CREATECONNECTIONkafka_connectionTOKAFKA(BROKERS('broker1:9092'USINGSSHTUNNELssh1,'broker2:9092'USINGSSHTUNNELssh2)SSHTUNNELssh_1);For step-by-step instructions on creating SSH tunnel connections and configuringan SSH bastion server to accept connections from Materialize, checkthis guide.
Confluent Schema Registry
A Confluent Schema Registry connection establishes a link to aConfluent SchemaRegistry server. You can use Confluent Schema Registry connections in theFORMAT clause ofCREATE SOURCE andCREATE SINK statements.
Syntax
Connection options
Field | Value | Description |
|---|---|---|
URL | text | The schema registry URL. Required. |
USERNAME | secret ortext | The username to use for basic HTTP authentication. |
PASSWORD | secret | The password to use for basic HTTP authentication. Required and only valid if USERNAME is specified. |
SSL CERTIFICATE | secret ortext | Your TLS certificate in PEM format for TLS client authentication. If unspecified, no TLS client authentication is performed. Only respected if the URL uses the https protocol. |
SSL KEY | secret | Your TLS certificate’s key in PEM format. Required and only valid if SSL CERTIFICATE is specified. |
SSL CERTIFICATE AUTHORITY | secret ortext | The certificate authority (CA) certificate in PEM format. Used to validate the server’s TLS certificate. If unspecified, uses the system’s default CA certificates. Only respected if the URL uses the https protocol. |
WITH options
| Field | Value | Description |
|---|---|---|
VALIDATE | boolean | Default:true. Whetherconnection validation should be performed on connection creation. |
Examples
Using username and password authentication with TLS encryption:
CREATESECRETcsr_passwordAS'...';CREATESECRETca_certAS'-----BEGIN CERTIFICATE----- ...';CREATECONNECTIONcsr_basicTOCONFLUENTSCHEMAREGISTRY(URL'https://rp-f00000bar.cloud.redpanda.com:30993',USERNAME='foo',PASSWORD=SECRETcsr_password-- Specifying a certificate authority is only required if your cluster's-- certificates are not issued by a CA trusted by the Mozilla root store.SSLCERTIFICATEAUTHORITY=SECRETca_cert);Using TLS for encryption and authentication:
CREATESECRETcsr_ssl_certAS'-----BEGIN CERTIFICATE----- ...';CREATESECRETcsr_ssl_keyAS'-----BEGIN PRIVATE KEY----- ...';CREATESECRETca_certAS'-----BEGIN CERTIFICATE----- ...';CREATECONNECTIONcsr_sslTOCONFLUENTSCHEMAREGISTRY(URL'https://rp-f00000bar.cloud.redpanda.com:30993',SSLCERTIFICATE=SECRETcsr_ssl_cert,SSLKEY=SECRETcsr_ssl_key,-- Specifying a certificate authority is only required if your cluster's-- certificates are not issued by a CA trusted by the Mozilla root store.SSLCERTIFICATEAUTHORITY=SECRETca_cert);Network security
If your Confluent Schema Registry server is not exposed to the public internet,you can tunnel the connection through an AWS PrivateLink service or an SSHbastion host.
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
AWS PRIVATELINK | object name | ✓ | The name of anAWS PrivateLink connection through which network traffic should be routed. |
Example
CREATECONNECTIONprivatelink_svcTOAWSPRIVATELINK(SERVICENAME'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc',AVAILABILITYZONES('use1-az1','use1-az4'));CREATECONNECTIONcsr_privatelinkTOCONFLUENTSCHEMAREGISTRY(URL'http://my-confluent-schema-registry:8081',AWSPRIVATELINKprivatelink_svc);Connection options
| Field | Value | Required | Description |
|---|---|---|---|
SSH TUNNEL | object name | ✓ | The name of anSSH tunnel connection through which network traffic should be routed. |
Example
CREATECONNECTIONssh_connectionTOSSHTUNNEL(HOST'<SSH_BASTION_HOST>',USER'<SSH_BASTION_USER>',PORT<SSH_BASTION_PORT>);CREATECONNECTIONcsr_sshTOCONFLUENTSCHEMAREGISTRY(URL'http://my-confluent-schema-registry:8081',SSHTUNNELssh_connection);MySQL
A MySQL connection establishes a link to aMySQL server. You can useMySQL connections to createsources.
Syntax
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
HOST | text | ✓ | Database hostname. |
PORT | integer | Default:3306. Port number to connect to at the server host. | |
USER | text | ✓ | Database username. |
PASSWORD | secret | Password for the connection. | |
SSL CERTIFICATE AUTHORITY | secret ortext | The certificate authority (CA) certificate in PEM format. Used for both SSL client and server authentication. If unspecified, uses the system’s default CA certificates. | |
AWS CONNECTION | object name | The name of anAWS connection to use when performing IAM authentication with an Amazon RDS MySQL cluster. Only valid if SSL MODE is set torequired,verify_ca, orverify_identity.Incompatible with PASSWORD being set. | |
SSL MODE | text | Default:disabled. Enables SSL connections if set torequired,verify_ca, orverify_identity. See theMySQL documentation for more details. | |
SSL CERTIFICATE | secret ortext | Client SSL certificate in PEM format. | |
SSL KEY | secret | Client SSL key in PEM format. |
WITH options
| Field | Value | Description |
|---|---|---|
VALIDATE | boolean | Default:true. Whetherconnection validation should be performed on connection creation. |
Example
CREATESECRETmysqlpassAS'<POSTGRES_PASSWORD>';CREATECONNECTIONmysql_connectionTOMYSQL(HOST'instance.foo000.us-west-1.rds.amazonaws.com',PORT3306,USER'root',PASSWORDSECRETmysqlpass);Network security
If your MySQL server is not exposed to the public internet, you can tunnelthe connection through an AWS PrivateLink service or an SSH bastion host.
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
AWS PRIVATELINK | object name | ✓ | The name of anAWS PrivateLink connection through which network traffic should be routed. |
Example
CREATECONNECTIONprivatelink_svcTOAWSPRIVATELINK(SERVICENAME'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc',AVAILABILITYZONES('use1-az1','use1-az4'));CREATECONNECTIONmysql_connectionTOMYSQL(HOST'instance.foo000.us-west-1.rds.amazonaws.com',PORT3306,USER'root',PASSWORDSECRETmysqlpass,AWSPRIVATELINKprivatelink_svc);For step-by-step instructions on creating AWS PrivateLink connections andconfiguring an AWS PrivateLink service to accept connections from Materialize,checkthis guide.
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
SSH TUNNEL | object name | ✓ | The name of anSSH tunnel connection through which network traffic should be routed. |
Example
CREATECONNECTIONtunnelTOSSHTUNNEL(HOST'bastion-host',PORT22,USER'materialize');CREATECONNECTIONmysql_connectionTOMYSQL(HOST'instance.foo000.us-west-1.rds.amazonaws.com',SSHTUNNELssh_connection);For step-by-step instructions on creating SSH tunnel connections and configuringan SSH bastion server to accept connections from Materialize, checkthis guide.
Example
CREATECONNECTIONaws_rds_mysqlTOAWS(ASSUMEROLEARN='arn:aws:iam::000000000000:role/MaterializeRDS');CREATECONNECTIONmysql_connectionTOMYSQL(HOST'instance.foo000.us-west-1.rds.amazonaws.com',PORT3306,USER'root',AWSCONNECTIONaws_rds_mysql,SSLMODE'verify_identity');PostgreSQL
A Postgres connection establishes a link to a single database of aPostgreSQL server. You can use Postgres connections to createsources.
Syntax
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
HOST | text | ✓ | Database hostname. |
PORT | integer | Default:5432. Port number to connect to at the server host. | |
DATABASE | text | ✓ | Target database. |
USER | text | ✓ | Database username. |
PASSWORD | secret | Password for the connection. | |
SSL CERTIFICATE AUTHORITY | secret ortext | The certificate authority (CA) certificate in PEM format. Used for both SSL client and server authentication. If unspecified, uses the system’s default CA certificates. | |
SSL MODE | text | Default:disable. Enables SSL connections if set torequire,verify_ca, orverify_full. | |
SSL CERTIFICATE | secret ortext | Client SSL certificate in PEM format. | |
SSL KEY | secret | Client SSL key in PEM format. |
WITH options
| Field | Value | Description |
|---|---|---|
VALIDATE | boolean | Default:true. Whetherconnection validation should be performed on connection creation. |
Example
CREATESECRETpgpassAS'<POSTGRES_PASSWORD>';CREATECONNECTIONpg_connectionTOPOSTGRES(HOST'instance.foo000.us-west-1.rds.amazonaws.com',PORT5432,USER'postgres',PASSWORDSECRETpgpass,SSLMODE'require',DATABASE'postgres');Network security
If your PostgreSQL server is not exposed to the public internet, you can tunnelthe connection through an AWS PrivateLink service or an SSH bastion host.
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
AWS PRIVATELINK | object name | ✓ | The name of anAWS PrivateLink connection through which network traffic should be routed. |
Example
CREATECONNECTIONprivatelink_svcTOAWSPRIVATELINK(SERVICENAME'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc',AVAILABILITYZONES('use1-az1','use1-az4'));CREATECONNECTIONpg_connectionTOPOSTGRES(HOST'instance.foo000.us-west-1.rds.amazonaws.com',PORT5432,DATABASEpostgres,USERpostgres,PASSWORDSECRETpgpass,AWSPRIVATELINKprivatelink_svc);For step-by-step instructions on creating AWS PrivateLink connections andconfiguring an AWS PrivateLink service to accept connections from Materialize,checkthis guide.
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
SSH TUNNEL | object name | ✓ | The name of anSSH tunnel connection through which network traffic should be routed. |
Example
CREATECONNECTIONtunnelTOSSHTUNNEL(HOST'bastion-host',PORT22,USER'materialize');CREATECONNECTIONpg_connectionTOPOSTGRES(HOST'instance.foo000.us-west-1.rds.amazonaws.com',PORT5432,SSHTUNNELtunnel,DATABASE'postgres');For step-by-step instructions on creating SSH tunnel connections and configuringan SSH bastion server to accept connections from Materialize, checkthis guide.
SQL Server
To enable this feature in your Materialize region,contact our team.
A SQL Server connection establishes a link to a single database of aSQL Server instance. You can use SQL Server connections to createsources.
Syntax
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
HOST | text | ✓ | Database hostname. |
PORT | integer | Default:1433. Port number to connect to at the server host. | |
DATABASE | text | ✓ | Target database. |
USER | text | ✓ | Database username. |
PASSWORD | secret | ✓ | Password for the connection. |
SSL MODE | text | Default:disabled. Enables SSL connections if set torequired,verify_ca, orverify. See theSQL Server documentation for more details. | |
SSL CERTIFICATE AUTHORITY | secret ortext | One or more client SSL certificates in PEM format. |
SSL MODE
disabled - no encryption.required - encryption required, no certificate validation.verify - encryption required, validate server certificate using OS configured CA.verify_ca - encryption required, validate server certificate using provided CA certificates (requiresSSL CERTIFICATE AUTHORITY).
WITH options
| Field | Value | Description |
|---|---|---|
VALIDATE | boolean | Default:true. Whetherconnection validation should be performed on connection creation. |
Example
CREATESECRETsqlserver_passAS'<SQL_SERVER_PASSWORD>';CREATECONNECTIONsqlserver_connectionTOSQLSERVER(HOST'instance.foo000.us-west-1.rds.amazonaws.com',PORT1433,USER'SA',PASSWORDSECRETsqlserver_pass,DATABASE'my_db');Network security connections
AWS PrivateLink
An AWS PrivateLink connection establishes a link to anAWS PrivateLink service.You can use AWS PrivateLink connections inConfluent Schema Registry connections,Kafka connections, andPostgres connections.
Syntax
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
SERVICE NAME | text | ✓ | The name of the AWS PrivateLink service. |
AVAILABILITY ZONES | text[] | ✓ | The IDs of the AWS availability zones in which the service is accessible. |
Permissions
Materialize assigns a unique principal to each AWS PrivateLink connection inyour region using an Amazon Resource Name of thefollowing form:
arn:aws:iam::664411391173:role/mz_<REGION-ID>_<CONNECTION-ID>After creating the connection, you must configure the AWS PrivateLink serviceto accept connections from the AWS principal Materialize will connect as. Theprincipals for AWS PrivateLink connections in your region are stored inthemz_aws_privatelink_connectionssystem table.
SELECT*FROMmz_aws_privatelink_connections; id | principal--------+--------------------------------------------------------------------------- u1 | arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u1 u7 | arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u7For more details on configuring a trusted principal for your AWS PrivateLink service,see theAWS PrivateLink documentation.
Accepting connection requests
If your AWS PrivateLink service is configured to require acceptance ofconnection requests, you must additionally approve the connection request fromMaterialize after creating the connection. For more details on manuallyaccepting connection requests, see theAWS PrivateLink documentation.
Example
CREATECONNECTIONprivatelink_svcTOAWSPRIVATELINK(SERVICENAME'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc',AVAILABILITYZONES('use1-az1','use1-az4'));SSH tunnel
An SSH tunnel connection establishes a link to an SSH bastion server. You canuse SSH tunnel connections inKafka connections,MySQL connections,andPostgres connections.
Syntax
Connection options
| Field | Value | Required | Description |
|---|---|---|---|
HOST | text | ✓ | The hostname of the SSH bastion server. |
PORT | integer | ✓ | The port to connect to. |
USER | text | ✓ | The name of the user to connect as. |
Key pairs
Materialize automatically manages the key pairs for an SSH tunnel connection.Each connection is associated with two key pairs. The private key for each keypair is stored securely within your region and cannot be retrieved. The publickey for each key pair is stored in themz_ssh_tunnel_connections systemtable.
When Materialize connects to the SSH bastion server, it presents both keys forauthentication. To allow key pair rotation without downtime, you shouldconfigure your SSH bastion server to accept both key pairs. You canthenrotate the key pairs usingALTER CONNECTION.
Materialize currently generates SSH key pairs using theEd25519 algorithm,which is fast, secure, andrecommended by securityprofessionals. Some legacy SSH servers do not support theEd25519 algorithm. You will not be able to use these servers with Materialize’sSSH tunnel connections.
We routinely evaluate the security of the cryptographic algorithms in use inMaterialize. Future versions of Materialize may use a different SSH keygeneration algorithm as security best practices evolve.
Examples
Create an SSH tunnel connection:
CREATECONNECTIONssh_connectionTOSSHTUNNEL(HOST'bastion-host',PORT22,USER'materialize');Retrieve the public keys for the SSH tunnel connection you just created:
SELECTmz_connections.name,mz_ssh_tunnel_connections.*FROMmz_connectionsJOINmz_ssh_tunnel_connectionsUSING(id)WHEREmz_connections.name='ssh_connection'; id | public_key_1 | public_key_2-------+---------------------------------------+--------------------------------------- ... | ssh-ed25519 AAAA...76RH materialize | ssh-ed25519 AAAA...hLYV materializeConnection validation
Materialize automatically validates the connection and authentication parametersfor most connection types on connection creation:
| Connection type | Validated by default |
|---|---|
| AWS | |
| Kafka | ✓ |
| Confluent Schema Registry | ✓ |
| MySQL | ✓ |
| PostgreSQL | ✓ |
| SSH Tunnel | |
| AWS PrivateLink |
For connection types that are validated by default, if the validation stepfails, the creation of the connection will also fail and a validation error isreturned. You can disable connection validation by setting theVALIDATEoption tofalse. This is useful, for example, when the parameters are knownto be correct but the external system is unavailable at the time of creation.
Connection types that require additional setup steps after creation, like AWSand SSH tunnel connections, can bemanually validated using theVALIDATE CONNECTION syntax once all setup steps arecompleted.
Privileges
The privileges required to execute this statement are:
CREATEprivileges on the containing schema.USAGEprivileges on all connections and secrets used in the connection definition.USAGEprivileges on the schemas that all connections and secrets in the statement are contained in.