= nats_kv
:type: processor
:status: beta
:categories: ["Services"]



////
     THIS FILE IS AUTOGENERATED!

     To make changes, edit the corresponding source file under:

     https://github.com/redpanda-data/connect/tree/main/internal/impl/<provider>.

     And:

     https://github.com/redpanda-data/connect/tree/main/cmd/tools/docs_gen/templates/plugin.adoc.tmpl
////

// © 2024 Redpanda Data Inc.


component_type_dropdown::[]


Perform operations on a NATS key-value bucket.

Introduced in version 4.12.0.


[tabs]
======
Common::
+
--

```yml
# Common config fields, showing default values
label: ""
nats_kv:
  urls: [] # No default (required)
  bucket: my_kv_bucket # No default (required)
  operation: "" # No default (required)
  key: foo # No default (required)
```

--
Advanced::
+
--

```yml
# All config fields, showing default values
label: ""
nats_kv:
  urls: [] # No default (required)
  bucket: my_kv_bucket # No default (required)
  operation: "" # No default (required)
  key: foo # No default (required)
  revision: "42" # No default (optional)
  timeout: 5s
  tls:
    enabled: false
    skip_cert_verify: false
    enable_renegotiation: false
    root_cas: ""
    root_cas_file: ""
    client_certs: []
  auth:
    nkey_file: ./seed.nk # No default (optional)
    nkey: '!!!SECRET_SCRUBBED!!!' # No default (optional)
    user_credentials_file: ./user.creds # No default (optional)
    user_jwt: "" # No default (optional)
    user_nkey_seed: "" # No default (optional)
```

--
======

== KV operations

The NATS KV processor supports a multitude of KV operations via the <<operation>> field. Along with `get`, `put`, and `delete`, this processor supports atomic operations like `update` and `create`, as well as utility operations like `purge`, `history`, and `keys`.

== Metadata

This processor adds the following metadata fields to each message, depending on the chosen `operation`:

=== get, get_revision
``` text
- nats_kv_key
- nats_kv_bucket
- nats_kv_revision
- nats_kv_delta
- nats_kv_operation
- nats_kv_created
```

=== create, update, delete, purge
``` text
- nats_kv_key
- nats_kv_bucket
- nats_kv_revision
- nats_kv_operation
```

=== keys
``` text
- nats_kv_bucket
```

== Connection name

When monitoring and managing a production NATS system, it is often useful to
know which connection a message was send/received from. This can be achieved by
setting the connection name option when creating a NATS connection.

Benthos will automatically set the connection name based off the label of the given
NATS component, so that monitoring tools between NATS and Benthos can stay in sync.


== Authentication

There are several components within Benthos which uses NATS services. You will find that each of these components
support optional advanced authentication parameters for https://docs.nats.io/nats-server/configuration/securing_nats/auth_intro/nkey_auth[NKeys^]
and https://docs.nats.io/using-nats/developer/connecting/creds[User Credentials^].

See an https://docs.nats.io/running-a-nats-service/nats_admin/security/jwt[in-depth tutorial^].

=== NKey file

The NATS server can use these NKeys in several ways for authentication. The simplest is for the server to be configured
with a list of known public keys and for the clients to respond to the challenge by signing it with its private NKey
configured in the `nkey_file` or `nkey` field.

https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/nkey_auth[More details^].

=== User credentials

NATS server supports decentralized authentication based on JSON Web Tokens (JWT). Clients need an https://docs.nats.io/nats-server/configuration/securing_nats/jwt#json-web-tokens[user JWT^]
and a corresponding https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/nkey_auth[NKey secret^] when connecting to a server
which is configured to use this authentication scheme.

The `user_credentials_file` field should point to a file containing both the private key and the JWT and can be
generated with the https://docs.nats.io/nats-tools/nsc[nsc tool^].

Alternatively, the `user_jwt` field can contain a plain text JWT and the `user_nkey_seed`can contain
the plain text NKey Seed.

https://docs.nats.io/using-nats/developer/connecting/creds[More details^].

== Fields

=== `urls`

A list of URLs to connect to. If an item of the list contains commas it will be expanded into multiple URLs.


*Type*: `array`


```yml
# Examples

urls:
  - nats://127.0.0.1:4222

urls:
  - nats://username:password@127.0.0.1:4222
```

=== `bucket`

The name of the KV bucket.


*Type*: `string`


```yml
# Examples

bucket: my_kv_bucket
```

=== `operation`

The operation to perform on the KV bucket.


*Type*: `string`


|===
| Option | Summary

| `create`
| Adds the key/value pair if it does not exist. Returns an error if it already exists.
| `delete`
| Deletes the key/value pair, but keeps historical values.
| `get`
| Returns the latest value for `key`.
| `get_revision`
| Returns the value of `key` for the specified `revision`.
| `history`
| Returns historical values of `key` as an array of objects containing the following fields: `key`, `value`, `bucket`, `revision`, `delta`, `operation`, `created`.
| `keys`
| Returns the keys in the `bucket` which match the `keys_filter` as an array of strings.
| `purge`
| Deletes the key/value pair and all historical values.
| `put`
| Places a new value for the key into the store.
| `update`
| Updates the value for `key` only if the `revision` matches the latest revision.

|===

=== `key`

The key for each message. Supports https://docs.nats.io/nats-concepts/subjects#wildcards[wildcards^] for the `history` and `keys` operations.
This field supports xref:configuration:interpolation.adoc#bloblang-queries[interpolation functions].


*Type*: `string`


```yml
# Examples

key: foo

key: foo.bar.baz

key: foo.*

key: foo.>

key: foo.${! json("meta.type") }
```

=== `revision`

The revision of the key to operate on. Used for `get_revision` and `update` operations.
This field supports xref:configuration:interpolation.adoc#bloblang-queries[interpolation functions].


*Type*: `string`


```yml
# Examples

revision: "42"

revision: ${! @nats_kv_revision }
```

=== `timeout`

The maximum period to wait on an operation before aborting and returning an error.


*Type*: `string`

*Default*: `"5s"`

=== `tls`

Custom TLS settings can be used to override system defaults.


*Type*: `object`


=== `tls.enabled`

Whether custom TLS settings are enabled.


*Type*: `bool`

*Default*: `false`

=== `tls.skip_cert_verify`

Whether to skip server side certificate verification.


*Type*: `bool`

*Default*: `false`

=== `tls.enable_renegotiation`

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you're seeing the error message `local error: tls: no renegotiation`.


*Type*: `bool`

*Default*: `false`
Requires version 3.45.0 or newer

=== `tls.root_cas`

An optional root certificate authority to use. This is a string, representing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.
[CAUTION]
====
This field contains sensitive information that usually shouldn't be added to a config directly, read our xref:configuration:secrets.adoc[secrets page for more info].
====



*Type*: `string`

*Default*: `""`

```yml
# Examples

root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
```

=== `tls.root_cas_file`

An optional path of a root certificate authority file to use. This is a file, often with a .pem extension, containing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.


*Type*: `string`

*Default*: `""`

```yml
# Examples

root_cas_file: ./root_cas.pem
```

=== `tls.client_certs`

A list of client certificates to use. For each certificate either the fields `cert` and `key`, or `cert_file` and `key_file` should be specified, but not both.


*Type*: `array`

*Default*: `[]`

```yml
# Examples

client_certs:
  - cert: foo
    key: bar

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key
```

=== `tls.client_certs[].cert`

A plain text certificate to use.


*Type*: `string`

*Default*: `""`

=== `tls.client_certs[].key`

A plain text certificate key to use.
[CAUTION]
====
This field contains sensitive information that usually shouldn't be added to a config directly, read our xref:configuration:secrets.adoc[secrets page for more info].
====



*Type*: `string`

*Default*: `""`

=== `tls.client_certs[].cert_file`

The path of a certificate to use.


*Type*: `string`

*Default*: `""`

=== `tls.client_certs[].key_file`

The path of a certificate key to use.


*Type*: `string`

*Default*: `""`

=== `tls.client_certs[].password`

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete `pbeWithMD5AndDES-CBC` algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.
[CAUTION]
====
This field contains sensitive information that usually shouldn't be added to a config directly, read our xref:configuration:secrets.adoc[secrets page for more info].
====



*Type*: `string`

*Default*: `""`

```yml
# Examples

password: foo

password: ${KEY_PASSWORD}
```

=== `auth`

Optional configuration of NATS authentication parameters.


*Type*: `object`


=== `auth.nkey_file`

An optional file containing a NKey seed.


*Type*: `string`


```yml
# Examples

nkey_file: ./seed.nk
```

=== `auth.nkey`

The NKey seed.
[CAUTION]
====
This field contains sensitive information that usually shouldn't be added to a config directly, read our xref:configuration:secrets.adoc[secrets page for more info].
====



*Type*: `string`

Requires version 4.38.0 or newer

```yml
# Examples

nkey: UDXU4RCSJNZOIQHZNWXHXORDPRTGNJAHAHFRGZNEEJCPQTT2M7NLCNF4
```

=== `auth.user_credentials_file`

An optional file containing user credentials which consist of an user JWT and corresponding NKey seed.


*Type*: `string`


```yml
# Examples

user_credentials_file: ./user.creds
```

=== `auth.user_jwt`

An optional plain text user JWT (given along with the corresponding user NKey Seed).
[CAUTION]
====
This field contains sensitive information that usually shouldn't be added to a config directly, read our xref:configuration:secrets.adoc[secrets page for more info].
====



*Type*: `string`


=== `auth.user_nkey_seed`

An optional plain text user NKey Seed (given along with the corresponding user JWT).
[CAUTION]
====
This field contains sensitive information that usually shouldn't be added to a config directly, read our xref:configuration:secrets.adoc[secrets page for more info].
====



*Type*: `string`