Azure Storage Queue Destination
Stream Keycloak events to Azure Storage Queue.
| Property | Value |
|---|---|
| destination.kind | azure-storage-queue |
| Protocol | Azure Storage Queue REST API |
Compatible Systems
| System | Notes |
|---|---|
| Azure Storage Queue | Fully managed cloud queue service |
| Azurite Emulator | Local development and testing |
Example Configurations
kete.routes.asq.destination.kind=azure-storage-queue
kete.routes.asq.destination.connection-string=DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;QueueEndpoint=http://azurite:10001/devstoreaccount1
kete.routes.asq.destination.queue=keycloak-events
Features
- Azure Storage Queue SDK integration
- Authentication via connection string, Managed Identity, or Default Azure Credential
- Emulator support via Azurite for local development and testing
- Queue name templating with variables
- Configurable message TTL
- Messages encoded as Base64
- TLS/mTLS support
Configuration Properties
Required Properties
| Property | Description | Example |
|---|---|---|
| destination.kind | Must be azure-storage-queue | azure-storage-queue |
| destination.connection-string | Azure Storage connection string (required unless using authentication-type) | DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...;EndpointSuffix=core.windows.net |
| destination.queue | Queue name (supports templating) | keycloak-events |
Optional Properties
| Property | Default | Description | Example |
|---|---|---|---|
| destination.endpoint | (empty) | Storage account queue endpoint (required for managed-identity / default-azure-credential auth) | https://mystorageaccount.queue.core.windows.net |
| destination.authentication-type | (empty) | Authentication method: connection-string, managed-identity, default-azure-credential | managed-identity |
| destination.managed-identity-client-id | (empty) | Client ID for user-assigned managed identity | your-client-id |
| destination.message-ttl | 0 | Message TTL in seconds (0 = Azure default 7 days, -1 = no expiry) | 3600 |
| destination.timeout-seconds | 10 | HTTP connect and request timeout in seconds | 30 |
Dynamic Queue Name (Templating)
The queue property supports template variables:
# Dynamic queue per realm
kete.routes.asq.destination.queue=keycloak-events-${realmLowerCase}
# Dynamic queue per event type
kete.routes.asq.destination.queue=keycloak-${eventTypeLowerCase}
Available variables: ${realmLowerCase}, ${realmUpperCase}, ${realmKebabCase}, ${realmPascalCase}, ${realmCamelCase}, ${eventTypeLowerCase}, ${eventTypeUpperCase}, ${eventTypeKebabCase}, ${eventTypePascalCase}, ${eventTypeCamelCase}, ${kindLowerCase}, ${kindUpperCase}, ${kindKebabCase}, ${kindPascalCase}, ${kindCamelCase}, ${resourceTypeLowerCase}, ${resourceTypeUpperCase}, ${resourceTypeKebabCase}, ${resourceTypePascalCase}, ${resourceTypeCamelCase}, ${operationTypeLowerCase}, ${operationTypeUpperCase}, ${operationTypeKebabCase}, ${operationTypePascalCase}, ${operationTypeCamelCase}, ${resultLowerCase}, ${resultUpperCase}, ${resultKebabCase}, ${resultPascalCase}, ${resultCamelCase}
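A pre-deployment check for templated queue names, as an added example that is not part of the project's code: it renders a template for sample events and tests each result against the Azure Storage queue naming rules (3 to 63 characters, lowercase letters, digits and single hyphens, alphanumeric first and last character). It assumes the `LowerCase` variables are plain lowercasing of the realm name or event type; the function names and sample realms are hypothetical, and the project's real renderer is not reproduced here.

```python
import re

# Azure Storage queue naming rules: 3-63 chars, lowercase letters, digits and
# single hyphens, starting and ending with a letter or digit.
QUEUE_NAME = re.compile(r"(?=.{3,63}$)[a-z0-9]+(-[a-z0-9]+)*")
VARIABLE = re.compile(r"\$\{(\w+)\}")

def render(template, event):
    """Substitute ${...LowerCase} variables (assumed to be plain lowercasing)."""
    def substitute(match):
        name = match.group(1)
        if not name.endswith("LowerCase"):
            raise KeyError(f"variable not modelled in this example: {name}")
        return event[name[: -len("LowerCase")]].lower()
    return VARIABLE.sub(substitute, template)

def check_template(template, events):
    """Return {rendered_name: is_valid_queue_name} for each sample event."""
    results = {}
    for event in events:
        name = render(template, event)
        results[name] = QUEUE_NAME.fullmatch(name) is not None
    return results

# Constructed sample events; the realm names are hypothetical.
EVENTS = [
    {"realm": "master", "eventType": "LOGIN"},
    {"realm": "Customer_Portal", "eventType": "LOGIN_ERROR"},
    {"realm": "partners.example", "eventType": "LOGOUT"},
]

if __name__ == "__main__":
    for template in ("keycloak-events-${realmLowerCase}", "keycloak-${eventTypeLowerCase}"):
        for name, ok in check_template(template, EVENTS).items():
            print(f"{name}: {'ok' if ok else 'INVALID queue name'}")
```

Under that assumption, realm names or event types containing underscores or dots render to names the queue service rejects, so run the check against your actual realm list before enabling a templated route.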
Authentication
Authentication can be configured via connection-string (default) or via authentication-type for managed identity scenarios.
| authentication-type | Description | Required Properties |
|---|---|---|
| connection-string | Connection string auth (default when connection-string is set) | connection-string |
| managed-identity | Azure Managed Identity | endpoint, optionally managed-identity-client-id |
| default-azure-credential | Azure Default Credential chain | endpoint |
Connection String (Default)
When no authentication-type is set, the connection-string property is required:
# Standard Azure connection string
DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=your-key;EndpointSuffix=core.windows.net
# With explicit QueueEndpoint
AccountName=myaccount;AccountKey=your-key;QueueEndpoint=https://myaccount.queue.core.windows.net
SAS Token Connection String
# SAS with explicit endpoint
QueueEndpoint=https://myaccount.queue.core.windows.net;SharedAccessSignature=sv=2024-08-04&ss=q&srt=sco&sp=wau&se=...&sig=...
# SAS with account name (endpoint derived)
AccountName=myaccount;SharedAccessSignature=sv=2024-08-04&ss=q&sig=...
Managed Identity
kete.routes.asq.destination.authentication-type=managed-identity
kete.routes.asq.destination.endpoint=https://mystorageaccount.queue.core.windows.net
kete.routes.asq.destination.queue=keycloak-events
# Optionally specify client ID for user-assigned managed identity:
# kete.routes.asq.destination.managed-identity-client-id=your-client-id
Default Azure Credential
kete.routes.asq.destination.authentication-type=default-azure-credential
kete.routes.asq.destination.endpoint=https://mystorageaccount.queue.core.windows.net
kete.routes.asq.destination.queue=keycloak-events
When a SAS token connection string is used, the SAS token is appended as query parameters to each request. No signing is needed.
Emulator Mode
When using Azurite, use the well-known Azurite development connection string with an explicit QueueEndpoint pointing to the emulator, as in Example 3: Local Development with Azurite.
TLS Properties
See TLS & mTLS for full details on TLS options.
| Property | Default | Description |
|---|---|---|
| destination.tls.enabled | false | Enable TLS |
| destination.tls.key-store.* | - | Client certificate for mTLS |
| destination.tls.trust-store.* | - | CA certificates |
Azure Storage Queue TLS
When connecting to the real Azure Storage Queue service, TLS is handled via HTTPS by default — no explicit TLS configuration needed. TLS properties are useful when connecting through a proxy, private endpoint, or custom emulator configuration.
Configuration Examples
Example 1: Production Setup
kete.routes.prod.destination.kind=azure-storage-queue
kete.routes.prod.realm-matchers.realm=list:master
kete.routes.prod.event-matchers.filter=glob:*
kete.routes.prod.destination.connection-string=DefaultEndpointsProtocol=https;AccountName=prodstorageaccount;AccountKey=your-production-account-key;EndpointSuffix=core.windows.net
kete.routes.prod.destination.queue=keycloak-events
kete.routes.prod.destination.message-ttl=86400
kete.routes.prod.destination.timeout-seconds=30
Example 2: Per-Realm Queues
# Route events to different queues per realm
kete.routes.events.destination.kind=azure-storage-queue
kete.routes.events.destination.connection-string=DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=your-key;EndpointSuffix=core.windows.net
kete.routes.events.destination.queue=keycloak-${realmLowerCase}-events
Example 3: Local Development with Azurite
kete.routes.local.destination.kind=azure-storage-queue
kete.routes.local.realm-matchers.realm=list:master
kete.routes.local.event-matchers.filter=glob:*
kete.routes.local.destination.connection-string=DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;QueueEndpoint=http://localhost:10001/devstoreaccount1
kete.routes.local.destination.queue=keycloak-events
Example 4: Connection String from Environment Variable
kete.routes.env.destination.kind=azure-storage-queue
kete.routes.env.realm-matchers.realm=list:master
kete.routes.env.event-matchers.filter=glob:*
kete.routes.env.destination.connection-string=${AZURE_STORAGE_CONNECTION_STRING}
kete.routes.env.destination.queue=keycloak-events
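A configuration lint for the route properties shown on this page, as an added example that is not part of the project: it flags routes that miss a required property from the authentication table, embed an account key or SAS token in the file instead of an environment-variable reference, or point at a cleartext http endpoint outside the emulator. The finding codes, function names and the set of emulator hostnames are assumptions of this example, and an unspecified protocol is assumed to be https.

```python
import re
from urllib.parse import urlparse

# Hosts treated as local emulator endpoints (assumption; adjust to your setup).
EMULATOR_HOSTS = {"localhost", "127.0.0.1", "azurite"}
PROP = re.compile(r"^kete\.routes\.([^.]+)\.destination\.([^=]+)=(.*)$")

def parse_routes(text):
    """Group destination.* properties by route name."""
    routes = {}
    for line in text.splitlines():
        m = PROP.match(line.strip())
        if m:
            routes.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return routes

def lint_route(props):
    """Return sorted finding codes for one route's destination properties."""
    findings = set()
    auth = props.get("authentication-type", "")
    conn = props.get("connection-string", "")
    if auth in ("managed-identity", "default-azure-credential"):
        if not props.get("endpoint"):
            findings.add("missing-endpoint")  # required per the table above
    elif not conn:
        findings.add("missing-connection-string")
    if conn and not re.fullmatch(r"\$\{\w+\}", conn):  # literal, not ${ENV_VAR}
        parts = dict(p.split("=", 1) for p in conn.split(";") if "=" in p)
        endpoint = urlparse(parts.get("QueueEndpoint", ""))
        local = endpoint.hostname in EMULATOR_HOSTS
        scheme = endpoint.scheme or parts.get("DefaultEndpointsProtocol", "https")
        if not local and ("AccountKey" in parts or "SharedAccessSignature" in parts):
            findings.add("inline-secret")
        if not local and scheme == "http":
            findings.add("cleartext-endpoint")
    return sorted(findings)

def lint(text):
    return {name: lint_route(p) for name, p in parse_routes(text).items()}

# Constructed sample configuration; keys are placeholders, not real credentials.
SAMPLE = """\
kete.routes.env.destination.connection-string=${AZURE_STORAGE_CONNECTION_STRING}
kete.routes.bad.destination.connection-string=DefaultEndpointsProtocol=http;AccountName=myaccount;AccountKey=your-key;EndpointSuffix=core.windows.net
kete.routes.mi.destination.authentication-type=managed-identity
kete.routes.local.destination.connection-string=DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=constructed;QueueEndpoint=http://localhost:10001/devstoreaccount1
"""

if __name__ == "__main__":
    print(lint(SAMPLE))
```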
Quick Starts
| Quick Start | Description |
|---|---|
| azure-storage-queue | Azure Storage Queue (real cloud) |
| azure-storage-queue-emulator | Azurite Emulator (local) |
See Also
- Serializers - Choose JSON, YAML, CBOR, Properties, etc.
- Matchers - Filter events by realm, type, resource, operation
- Event Types - List of all event types
- Certificate Loaders - For TLS configuration