How to encrypt fluentd SQL plugin password?

Question

Because of security reasons, we can't keep SQL authentication in plain text, is there a way to hide or encrypt passwords?

I am getting bad documentation and bad support from the plugin site. Unfortunately I can't keep this data in environment variables.

GitHub link: https://github.com/fluent/fluent-plugin-sql

<source>
  @type sql
  @id output_sql
  host "sqlserverhost.aws_region.rds.amazonaws.com"
  database db_name
  adapter sqlserver
  username user
  password pwd   ==============================>>>> This is in plain text
  tag_prefix myrdb # optional, but recommended
  select_interval 60s # optional
  select_limit 500 # optional
  state_file /var/run/fluentd/sql_state
  <table>
    table tbl_name
    update_column insert_timestamp
  </table>
</source>

<match **>
  @type stdout
</match>

Answer 1

I recommend adding the SQL plugin password into your config/credentials.yml.enc which should be able to be accessed as an environmental variable.

unencrypted config/credentials.yml.enc

fluentd:
    password: yourpassword

Then when you need to access the password

Rails.application.credentials.fluentd[:password] 

See more about encryption of secrets and its workflow in this guide: https://blog.corsego.com/ruby-on-rails-6-credentials-full

Edit

Responding to this part of your question:

Unfortunately I can't keep this data in environment variables.

I would advocate for using environment variables but perhaps you could provide additional insight on why that solution would not fit your use case.

There is a compelling conversation on an another Stack Overflow question:

Is it secure to store passwords as environment variables (rather than as plain text) in config files?