Apache Kafka
Apache Software Foundationmiddleware3 credentials
SASL PLAIN / SCRAM Password
apache-kafka / sasl-plain-scram-password
Kafka supports SASL authentication mechanisms including PLAIN and SCRAM. Broker and client JAAS configuration often contains usernames and passwords for inter-broker, producer, consumer, and admin authentication.
Looks like
patternorg\.apache\.kafka\.common\.security\.(?:plain|scram)\.[A-Za-z]+LoginModule\s+required[^;]*(?:username|password)=\"[^\"\r\n]+\"Location
server.properties, client.properties, jaas.conf, kafka_server_jaas.confKafka broker and client SASL/JAAS configuration
KAFKA_OPTS, KAFKA_SASL_USERNAME, KAFKA_SASL_PASSWORD, SASL_JAAS_CONFIGKubernetes Secrets, cloud secret managers, CI/CD variables, and Kafka platform secrets
deployment manifests, Helm values, integration tests, and committed client configs
broker startup logs, client debug output, and CI traces
Kafka broker listenersNotes
Kafka user/password semantics depend on the SASL mechanism and backing identity store. SCRAM credentials may be stored in Kafka metadata.
SSL Keystore / Truststore Password
apache-kafka / ssl-keystore-password
Kafka TLS configuration uses keystore and truststore locations and passwords for brokers and clients. These protect private keys and trust material used for encrypted and mutual TLS connections.
Looks like
patternssl\.(?:key|trust)store\.password\s*=\s*[^\r\n]+ssl\.key\.password\s*=\s*[^\r\n]+Location
server.properties, client.properties, connect-distributed.propertiesKafka broker, client, and Kafka Connect TLS configuration
Java keystores, Kubernetes Secrets, cloud secret managers, and deployment vaults
committed client configs, Helm values, and container build contexts
broker or client images containing keystores and config files
startup logs and SSL troubleshooting output
Notes
Keystore passwords may unlock broker or client private keys used for TLS authentication.
Kafka Connect Connector Secret
apache-kafka / connect-connector-secret
Kafka Connect connector configurations frequently include passwords, tokens, and API keys for source and sink systems. These connector secrets are separate from Kafka broker authentication but are stored in Kafka Connect configuration and offsets/status workflows.
Location
connector JSON/properties files, connect-distributed.properties, and worker config
Kafka Connect REST API responses containing connector configs when secrets are not masked
ConfigProvider backends, Kubernetes Secrets, cloud secret managers, and CI/CD variables
connector repositories, tests, and committed connector definitions
connector task logs and REST API traces
Notes
Connector secrets can grant access to databases, cloud stores, queues, and SaaS systems even when Kafka itself is not compromised.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.