AWS SNS Destination
Stream Keycloak events to Amazon Simple Notification Service (SNS).
| Property | Value |
|---|---|
| `destination.kind` | `aws-sns` |
| Protocol | AWS SNS API (SDK) |
Compatible Systems
| System | Notes |
|---|---|
| Amazon SNS | Fully managed pub/sub messaging service |
| LocalStack | Local development and testing |
Example Configurations
kete.routes.sns.destination.kind=aws-sns
kete.routes.sns.destination.topic=keycloak-events
kete.routes.sns.destination.region=us-east-1
kete.routes.sns.destination.account-id=123456789012
kete.routes.sns.destination.authentication-type=access-key
kete.routes.sns.destination.access-key-id=AKIAIOSFODNN7EXAMPLE
kete.routes.sns.destination.secret-access-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Features
- AWS SNS SDK integration with automatic credential resolution
- Standard and FIFO topic support
- Topic name templating with variables
- Custom message attributes
- Optional message subject
- Message group ID and deduplication ID for FIFO topics
- LocalStack emulator support for local development
- Multiple authentication modes (access key, instance metadata, credentials file, environment variables, default chain, web identity token)
- TLS/mTLS support
Configuration Properties
Required Properties
| Property | Description | Example |
|---|---|---|
| `destination.kind` | Must be `aws-sns` | `aws-sns` |
| `destination.topic` | Topic name (supports templating) | keycloak-events |
Optional Properties
| Property | Default | Description | Example |
|---|---|---|---|
| `destination.region` | (from env) | AWS region (falls back to `AWS_REGION` / `AWS_DEFAULT_REGION`) | us-east-1 |
| `destination.account-id` | (required for real AWS) | AWS account ID | 123456789012 |
| `destination.endpoint-url` | (empty) | Custom endpoint URL (for LocalStack or VPC endpoints) | http://localstack:4566 |
| `destination.authentication-type` | (empty) | Authentication type (see EventBridge Authentication) | access-key |
| `destination.access-key-id` | (empty) | AWS access key ID (required when `authentication-type=access-key`) | AKIAIOSFODNN7EXAMPLE |
| `destination.secret-access-key` | (empty) | AWS secret access key (required when `authentication-type=access-key`) | wJalrXUtn... |
| `destination.credentials-file-path` | (empty) | Path to AWS credentials file | /path/to/credentials |
| `destination.credentials-file-text` | (empty) | AWS credentials file content inline | [default]\naws_access_key_id=... |
| `destination.credentials-file-base64` | (empty) | Base64-encoded AWS credentials file | W2RlZmF1bHRd... |
| `destination.credentials-profile` | `default` | Profile name within credentials file | production |
| `destination.timeout-seconds` | `10` | HTTP connect and request timeout in seconds | 30 |
| `destination.subject` | (empty) | SNS message subject | KeycloakEvent |
| `destination.message-group-id` | (empty) | Message group ID (required for FIFO topics) | keycloak |
| `destination.message-deduplication-id` | (empty) | Message deduplication ID for FIFO topics | ${eventTypeLowerCase} |
Dynamic Topic Name (Templating)
The topic property supports template variables:
Available variables: ${realmLowerCase}, ${realmUpperCase}, ${realmKebabCase}, ${realmPascalCase}, ${realmCamelCase}, ${eventTypeLowerCase}, ${eventTypeUpperCase}, ${eventTypeKebabCase}, ${eventTypePascalCase}, ${eventTypeCamelCase}, ${kindLowerCase}, ${kindUpperCase}, ${kindKebabCase}, ${kindPascalCase}, ${kindCamelCase}, ${resourceTypeLowerCase}, ${resourceTypeUpperCase}, ${resourceTypeKebabCase}, ${resourceTypePascalCase}, ${resourceTypeCamelCase}, ${operationTypeLowerCase}, ${operationTypeUpperCase}, ${operationTypeKebabCase}, ${operationTypePascalCase}, ${operationTypeCamelCase}, ${resultLowerCase}, ${resultUpperCase}, ${resultKebabCase}, ${resultPascalCase}, ${resultCamelCase}
Custom Attributes
Custom message attributes can be added:
kete.routes.sns.destination.attributes.Source=keycloak
kete.routes.sns.destination.attributes.Environment=production
Custom Headers
Custom headers are also included as SNS message attributes:
kete.routes.sns.destination.headers.X-Source=keycloak
kete.routes.sns.destination.headers.X-Environment=production
Both attributes.* and headers.* entries are sent as SNS message attributes. On key conflict, headers.* values take precedence.
Authentication
AWS SNS uses the AWS SDK credential provider chain. See AWS EventBridge Authentication for the full list of authentication methods — they are identical across all AWS destinations.
TLS Properties
See TLS & mTLS for full details on TLS options.
| Property | Default | Description |
|---|---|---|
| `destination.tls.enabled` | `false` | Enable TLS |
| `destination.tls.key-store.*` | - | Client certificate for mTLS |
| `destination.tls.trust-store.*` | - | CA certificates |
Configuration Examples
Example 1: Production Setup
kete.routes.prod.destination.kind=aws-sns
kete.routes.prod.realm-matchers.realm=list:master
kete.routes.prod.event-matchers.filter=glob:*
kete.routes.prod.destination.topic=keycloak-events
kete.routes.prod.destination.region=us-east-1
kete.routes.prod.destination.account-id=123456789012
kete.routes.prod.destination.authentication-type=access-key
kete.routes.prod.destination.access-key-id=AKIAIOSFODNN7EXAMPLE
kete.routes.prod.destination.secret-access-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Example 2: FIFO Topic with Subject
kete.routes.fifo.destination.kind=aws-sns
kete.routes.fifo.destination.topic=keycloak-events.fifo
kete.routes.fifo.destination.region=us-east-1
kete.routes.fifo.destination.account-id=123456789012
kete.routes.fifo.destination.subject=KeycloakEvent
kete.routes.fifo.destination.message-group-id=keycloak
Example 3: Local Development with LocalStack
kete.routes.local.destination.kind=aws-sns
kete.routes.local.realm-matchers.realm=list:master
kete.routes.local.destination.topic=keycloak-events
kete.routes.local.destination.region=us-east-1
kete.routes.local.destination.endpoint-url=http://localstack:4566
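The following Python check is an added example, not part of kete or its own tooling. It lints `aws-sns` routes in a properties file against the rules stated on this page (FIFO topics need `message-group-id`, `account-id` is required for real AWS, `headers.*` win over `attributes.*`) and flags inline credentials and plaintext `endpoint-url` values. The finding labels, function names and sample input are assumptions made for illustration.

```python
import re

# Property names come from this page; the rules and finding labels are assumptions.
ROUTE_RE = re.compile(r"^kete\.routes\.([^.]+)\.destination\.(.+)$")
INLINE_SECRETS = ("secret-access-key", "credentials-file-text", "credentials-file-base64")
SAMPLE = """\
kete.routes.fifo.destination.kind=aws-sns
kete.routes.fifo.destination.topic=keycloak-events.fifo
kete.routes.fifo.destination.secret-access-key=CONSTRUCTED-PLACEHOLDER
kete.routes.local.destination.kind=aws-sns
kete.routes.local.destination.topic=keycloak-events
kete.routes.local.destination.endpoint-url=http://localstack:4566
kete.routes.local.destination.attributes.Source=keycloak
kete.routes.local.destination.headers.Source=dev
"""  # constructed sample, not a real deployment

def parse_routes(text):
    """Group destination.* properties by route name."""
    routes = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = ROUTE_RE.match(key.strip())
        if sep and m:
            routes.setdefault(m.group(1), {})[m.group(2)] = value.strip()
    return routes

def lint_sns(text):
    """Return sorted (route, finding) pairs for aws-sns destinations."""
    out = []
    for name, p in parse_routes(text).items():
        if p.get("kind") != "aws-sns":
            continue
        topic, endpoint = p.get("topic", ""), p.get("endpoint-url", "")
        if not topic:
            out.append((name, "missing-topic"))
        if topic.endswith(".fifo") and not p.get("message-group-id"):
            out.append((name, "fifo-without-message-group-id"))
        if not endpoint and not p.get("account-id"):
            out.append((name, "missing-account-id"))  # page: required for real AWS
        if endpoint.startswith("http://"):
            out.append((name, "plaintext-endpoint"))  # expected only for an emulator
        if p.get("authentication-type") == "access-key" and not (
                p.get("access-key-id") and p.get("secret-access-key")):
            out.append((name, "access-key-auth-incomplete"))
        out += [(name, "inline-secret:" + k) for k in INLINE_SECRETS if p.get(k)]
        attrs = {k.split(".", 1)[1] for k in p if k.startswith("attributes.")}
        out += [(name, "header-overrides-attribute:" + k[8:])
                for k in p if k.startswith("headers.") and k[8:] in attrs]
    return sorted(out)
```

Call `lint_sns()` on the text of the properties file before deployment. A `plaintext-endpoint` finding is expected for a LocalStack route and should not appear on a route that targets real AWS.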
Quick Starts
| Quick Start | Description |
|---|---|
| aws-sns-emulator | LocalStack Emulator (local) |
| aws-sns | Real AWS SNS |
See Also
- AWS SQS Destination — Message queuing
- AWS Kinesis Destination — Real-time data streaming
- AWS EventBridge Destination — Serverless event routing
- Serializers
- Matchers
- Event Types
- Certificate Loaders