# AWS MSK - Kafka repository

In [None]:
https://github.com/aws/aws-msk-iam-sasl-signer-python/tree/main

In [None]:
aws-msk-iam-sasl-signer-python/
├── README.md                       # Project overview and usage instructions
├── LICENSE                         # License for the project
├── setup.py                        # Script to install the package
├── requirements.txt                # Python dependencies
├── .gitignore                      # Files and directories to ignore in Git
├── .github/                        # GitHub-specific configuration files
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug_report.md           # Template for reporting bugs
│   │   └── feature_request.md      # Template for requesting features
│   └── workflows/
│       ├── ci.yml                  # Continuous integration workflow
│       └── codeql-analysis.yml     # GitHub code scanning configuration
├── docs/                           # Documentation files
│   ├── index.md                    # Index of the documentation
│   ├── installation.md             # Installation guide
│   └── usage.md                    # Usage instructions
├── src/                            # Source code directory
│   └── aws_msk_iam_sasl_signer/
│       ├── __init__.py             # Package initializer
│       ├── signer.py               # IAM SASL signer implementation
│       ├── utils.py                # Utility functions for the signer
│       ├── credentials_manager.py  # Manages AWS credentials
│       ├── errors.py               # Custom error definitions
│       └── config.py               # Configuration settings for the package
├── tests/                          # Unit tests
│   ├── __init__.py                 # Test package initializer
│   ├── test_signer.py              # Tests for signer.py
│   ├── test_utils.py               # Tests for utils.py
│   ├── test_credentials_manager.py # Tests for credentials_manager.py
│   └── conftest.py                 # Fixtures and test configuration
├── examples/                       # Example usage scripts
│   ├── example_signing.py          # Example of using the IAM SASL signer
│   ├── example_config.py           # Example configuration script
│   └── README.md                   # Documentation for examples
├── scripts/                        # Auxiliary scripts
│   ├── deploy.sh                   # Deployment script
│   ├── generate_docs.sh            # Script to generate documentation
│   └── setup_env.sh                # Script to set up the environment
└── .vscode/                        # VS Code specific settings
    ├── settings.json               # VS Code settings for the project
    └── launch.json                 # Debug configuration


# .vscode/settings.json

This file is used to define editor-specific settings for Visual Studio Code, such as formatting, linting, and environment variables.

In [None]:
{
    "python.pythonPath": "venv/bin/python",         // Path to the Python interpreter
    "python.linting.enabled": true,                 // Enable linting
    "python.linting.pylintEnabled": true,           // Enable pylint
    "python.linting.pylintArgs": ["--disable=C0114,C0115,C0116"],  // Disable specific linting warnings (missing module, class, and function docstrings)
    "python.formatting.provider": "black",          // Use Black for code formatting
    "python.testing.pytestEnabled": true,           // Enable Pytest as the test framework
    "python.testing.unittestEnabled": false,        // Disable Unittest framework
    "editor.formatOnSave": true,                    // Format code on save
    "editor.codeActionsOnSave": {
        "source.fixAll": true                       // Apply all auto-fixes on save
    },
    "python.envFile": "${workspaceFolder}/.env",    // Path to environment variables file
    "files.exclude": {
        "**/__pycache__": true,                     // Hide __pycache__ directories
        "**/*.pyc": true                            // Hide .pyc files
    }
}


# .vscode/launch.json
This file is used to configure how the project is launched for debugging.

In [None]:
{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Python: Test Signer Module",
            "type": "python",
            "request": "launch",
            "program": "${workspaceFolder}/src/aws_msk_iam_sasl_signer/signer.py",  // Path to the main module for debugging
            "console": "integratedTerminal",
            "envFile": "${workspaceFolder}/.env",    // Load environment variables
            "args": ["--debug"],                     // Additional arguments to pass to the script
            "justMyCode": true                       // Only debug user code, not libraries
        },
        {
            "name": "Python: Run Unit Tests",
            "type": "python",
            "request": "launch",
            "program": "${workspaceFolder}/tests",   // Run all tests
            "console": "integratedTerminal",
            "envFile": "${workspaceFolder}/.env",    // Load environment variables
            "args": ["-v"],                          // Verbose mode for testing
            "justMyCode": true                       // Only debug user code, not libraries
        },
        {
            "name": "Python: Debug Example Script",
            "type": "python",
            "request": "launch",
            "program": "${workspaceFolder}/examples/example_signing.py",  // Path to the example script
            "console": "integratedTerminal",
            "envFile": "${workspaceFolder}/.env",    // Load environment variables
            "args": [],                              // No additional arguments
            "justMyCode": true                       // Only debug user code, not libraries
        }
    ]
}


# scripts/deploy.sh
This script automates the deployment process of the application. It might include commands to build the project, run tests, package the application, and push it to a server or cloud service.

In [None]:
#!/bin/bash

# Exit immediately if a command exits with a non-zero status
set -e

# Build the project
echo "Building the project..."
python setup.py sdist bdist_wheel

# Run tests
echo "Running tests..."
pytest

# Deploy to the server or cloud
echo "Deploying to server..."
# Example deployment command
# scp dist/* user@server:/path/to/deployment

echo "Deployment complete!"


# scripts/generate_docs.sh
This script generates documentation for the project, often using tools like Sphinx or MkDocs.

In [None]:
#!/bin/bash

# Exit immediately if a command exits with a non-zero status
set -e

# Generate Sphinx documentation
echo "Generating documentation..."
sphinx-build -b html docs/source/ docs/build/html

echo "Documentation generated at docs/build/html"


# scripts/setup_env.sh
This script sets up the development environment, such as creating a virtual environment, installing dependencies, and setting up environment variables.

In [None]:
#!/bin/bash

# Exit immediately if a command exits with a non-zero status
set -e

# Create a virtual environment
echo "Creating virtual environment..."
python3 -m venv venv

# Activate the virtual environment
echo "Activating virtual environment..."
source venv/bin/activate

# Install dependencies
echo "Installing dependencies..."
pip install -r requirements.txt

# Set environment variables
echo "Setting environment variables..."
export APP_ENV=development

echo "Environment setup complete!"


# examples/example_signing.py
This script provides a practical example of how to use the IAM SASL signer within your project. It demonstrates how to initialize the signer, configure it with the necessary AWS credentials, and perform the signing operation.

In [None]:
from aws_msk_iam_sasl_signer import Signer

# Example configuration
aws_region = "us-east-1"
broker_hostname = "broker.example.com"
user_name = "IAMUser"

# Initialize the signer
signer = Signer(aws_region=aws_region, broker_hostname=broker_hostname, user_name=user_name)

# Perform signing
signature = signer.sign()

# Print the generated signature
print("Generated Signature:", signature)


# examples/example_config.py
This script illustrates how to configure the IAM SASL signer with different settings or environment variables. It might show how to dynamically adjust the signer's configuration based on different environments or user inputs.

In [None]:
import os
from aws_msk_iam_sasl_signer import Signer

# Set environment variables for configuration
os.environ['AWS_REGION'] = "us-west-2"
os.environ['BROKER_HOSTNAME'] = "broker.example.com"
os.environ['USER_NAME'] = "IAMUser"

# Initialize the signer using environment variables
signer = Signer()

# Perform signing
signature = signer.sign()

# Print the generated signature
print("Generated Signature:", signature)


# examples/README.md
This file provides documentation specific to the examples in this directory. It typically includes instructions on how to run the example scripts, what each script demonstrates, and any prerequisites or setup steps needed to run them.

In [None]:
# Examples for aws-msk-iam-sasl-signer-python

This directory contains example scripts demonstrating how to use the `aws-msk-iam-sasl-signer` package.

## Available Scripts

- **example_signing.py**: Shows how to use the IAM SASL signer to generate a signature.
- **example_config.py**: Demonstrates how to configure the signer using environment variables.

## Running the Examples

1. Ensure you have set up your environment correctly, including installing dependencies:

   ```bash
   pip install -r requirements.txt


# src/aws_msk_iam_sasl_signer/__init__.py
This file initializes the aws_msk_iam_sasl_signer package, making it importable as a module. It can also be used to expose certain classes or functions at the package level.

In [None]:
# __init__.py

from .signer import Signer
from .config import Config
from .errors import SignerError

__all__ = ['Signer', 'Config', 'SignerError']


# src/aws_msk_iam_sasl_signer/signer.py
This file contains the implementation of the IAM SASL signer. The Signer class is responsible for generating signatures needed for authenticating with AWS Managed Streaming for Apache Kafka (MSK) using IAM.

In [None]:
import boto3
import hashlib
import hmac

class Signer:
    def __init__(self, aws_region, broker_hostname, user_name):
        self.aws_region = aws_region
        self.broker_hostname = broker_hostname
        self.user_name = user_name
        self.credentials_manager = CredentialsManager()

    def sign(self):
        # Example logic for generating a signature
        credentials = self.credentials_manager.retrieve_credentials()
        string_to_sign = f"{self.broker_hostname}:{self.user_name}"
        signature = hmac.new(
            credentials['SecretAccessKey'].encode(),
            string_to_sign.encode(),
            hashlib.sha256
        ).hexdigest()
        return signature


# src/aws_msk_iam_sasl_signer/utils.py
This file includes utility functions that support the operations of the signer.py and other modules within the package. These functions might handle tasks like formatting strings, handling date-time conversions, or other common operations.

In [None]:
def some_utility_function(value):
    # Example utility function
    return value.upper()

def another_utility_function(number):
    # Another utility function example
    return number * 2


# src/aws_msk_iam_sasl_signer/credentials_manager.py
This file contains the CredentialsManager class, responsible for managing and retrieving AWS credentials required by the signer. It may handle refreshing tokens, fetching credentials from the environment or AWS SDK, and ensuring the credentials are valid.

In [None]:
import boto3

class CredentialsManager:
    def __init__(self):
        self.client = boto3.client('sts')

    def retrieve_credentials(self):
        # Example logic for retrieving AWS credentials
        response = self.client.get_session_token()
        credentials = response['Credentials']
        return {
            'AccessKeyId': credentials['AccessKeyId'],
            'SecretAccessKey': credentials['SecretAccessKey'],
            'SessionToken': credentials['SessionToken']
        }


# src/aws_msk_iam_sasl_signer/errors.py
This file defines custom error classes for the package. These errors are used to handle specific exceptions that might occur within the package, such as invalid credentials or signing failures.

In [None]:
class SignerError(Exception):
    """Base class for exceptions in this module."""
    pass

class InvalidCredentialsError(SignerError):
    """Exception raised for invalid AWS credentials."""
    def __init__(self, message="Invalid AWS credentials provided"):
        self.message = message
        super().__init__(self.message)


# src/aws_msk_iam_sasl_signer/config.py
This file contains configuration settings for the package, such as default values for certain parameters, environment variable handling, or other configurations that the Signer and other classes might use.

In [None]:
import os

class Config:
    def __init__(self):
        self.aws_region = os.getenv('AWS_REGION', 'us-east-1')
        self.broker_hostname = os.getenv('BROKER_HOSTNAME', 'broker.example.com')
        self.user_name = os.getenv('USER_NAME', 'IAMUser')

    def load(self):
        # Example method to load configuration
        return {
            'aws_region': self.aws_region,
            'broker_hostname': self.broker_hostname,
            'user_name': self.user_name
        }


# docs/index.md
This file serves as the index or homepage of the documentation. It typically provides an overview of the project, outlines its purpose, and links to other sections of the documentation, such as installation and usage instructions.

In [None]:
# AWS MSK IAM SASL Signer Python

Welcome to the documentation for the AWS MSK IAM SASL Signer Python package. This package allows you to sign requests to Amazon Managed Streaming for Apache Kafka (MSK) using IAM credentials.

## Table of Contents

- [Installation](installation.md)
- [Usage](usage.md)

## Overview

This package provides an easy-to-use interface for generating the necessary signatures to authenticate with MSK using IAM. The key features include:

- IAM-based authentication
- Easy integration with existing AWS SDKs
- Secure and efficient signing process

Explore the sections above to learn more about how to install and use this package.


# docs/installation.md
This file contains the installation guide for the package. It provides step-by-step instructions on how to install the package, including any prerequisites, dependencies, and configuration steps.

## Advanced Usage
### Configuring with Environment Variables
You can configure the signer using environment variables instead of passing parameters directly:

In [None]:
export AWS_REGION="us-west-2"
export BROKER_HOSTNAME="broker.example.com"
export USER_NAME="IAMUser"


Then initialize the signer without parameters:

In [None]:
signer = Signer()
signature = signer.sign()
print("Generated Signature:", signature)


### Error Handling
The package provides custom error handling. For example, to catch an invalid credentials error:

In [None]:
from aws_msk_iam_sasl_signer import Signer, InvalidCredentialsError

try:
    signer = Signer(aws_region="us-east-1", broker_hostname="broker.example.com", user_name="IAMUser")
    signature = signer.sign()
except InvalidCredentialsError as e:
    print(f"Error: {e.message}")


# .github/bug_report.md
This template is used for reporting bugs. It guides users to provide essential information to help diagnose and fix the issue.

In [None]:
# Bug Report

## Description

Please provide a clear and concise description of the bug you encountered.

## Steps to Reproduce

1. Step one
2. Step two
3. Step three

## Expected Behavior

Describe what you expected to happen.

## Actual Behavior

Describe what actually happened.

## Screenshots

If applicable, add screenshots to help explain the issue.

## Environment

- **Operating System:** (e.g., Windows, macOS, Linux)
- **Python Version:** (e.g., 3.8)
- **Package Version:** (e.g., 1.0.0)

## Additional Context

Add any other context about the problem here.


# .github/feature_request.md
This template is used for requesting new features. It helps users articulate their feature requests clearly.

In [None]:
# Feature Request

## Description

Please provide a clear and concise description of the feature you would like to see.

## Motivation

Explain why this feature is important and how it would benefit users.

## Use Cases

Describe potential use cases for this feature.

## Examples

Provide examples or scenarios where this feature would be useful.

## Additional Context

Add any other context or information related to the feature request.


# .github/workflows/
This directory contains GitHub Actions workflow files that define automated processes for continuous integration, code scanning, and other tasks.

## a. ci.yml
This file defines the continuous integration workflow. It typically includes steps for testing, building, and validating the code.

In [None]:
name: CI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.9'

      - name: Install dependencies
        run: |
          pip install -r requirements.txt

      - name: Run tests
        run: |
          pytest


## b. codeql-analysis.yml
This file configures GitHub's CodeQL code scanning, which helps identify vulnerabilities and code quality issues in the codebase.

In [None]:
name: "CodeQL"

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up CodeQL
        uses: github/codeql-action/setup-codeql@v2
        with:
          languages: python

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2


# README.md
This file provides an overview of the project and includes instructions for installation, usage, and any other relevant information.

In [None]:
# AWS MSK IAM SASL Signer Python

## Overview

The AWS MSK IAM SASL Signer Python package allows you to authenticate with Amazon Managed Streaming for Apache Kafka (MSK) using IAM credentials. This package simplifies the process of generating and managing IAM-based signatures for MSK.

## Features

- IAM-based authentication for MSK
- Easy integration with AWS SDKs
- Secure signing process

## Installation

To install the package, use pip:

```bash
pip install aws-msk-iam-sasl-signer


# Usage
Here’s a basic example of how to use the Signer class:

In [None]:
from aws_msk_iam_sasl_signer import Signer

# Initialize the signer
signer = Signer(aws_region="us-east-1", broker_hostname="broker.example.com", user_name="IAMUser")

# Generate a signature
signature = signer.sign()

print("Generated Signature:", signature)


#Documentation
For more detailed documentation, visit the documentation directory.

# License
This project is licensed under the MIT License. See the LICENSE file for details.

In [None]:

### 2. `LICENSE`
This file contains the legal terms under which the project is licensed. It details how others can use, modify, and distribute the project.

```text
MIT License

Copyright (c) [year] [Your Name]

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


# setup.py
This script is used to install the package. It defines the package metadata and dependencies.

In [None]:
from setuptools import setup, find_packages

setup(
    name='aws-msk-iam-sasl-signer',
    version='1.0.0',
    description='AWS MSK IAM SASL Signer Python package',
    long_description=open('README.md').read(),
    long_description_content_type='text/markdown',
    author='Your Name',
    author_email='your.email@example.com',
    url='https://github.com/yourusername/aws-msk-iam-sasl-signer-python',
    packages=find_packages(where='src'),
    package_dir={'': 'src'},
    install_requires=[
        'boto3>=1.18.0',
        'requests>=2.25.1'
    ],
    classifiers=[
        'Programming Language :: Python :: 3',
        'License :: OSI Approved :: MIT License',
        'Operating System :: OS Independent',
    ],
    python_requires='>=3.6',
)


In [None]:
#!/usr/bin/env python

#  SPDX-License-Identifier: Apache-2.0

"""The setup script."""

from distutils.core import setup

from setuptools import find_packages

with open("README.rst") as readme_file:
    readme = readme_file.read()

with open("CHANGELOG.rst") as changelog_file:
    history = changelog_file.read()

requirements = ["Click>=7.0", "boto3>=1.26.125", "botocore>=1.29.125"]

test_requirements = [
    "pytest==7.3.1",
    "pytest-cov==4.0.0",
    "coverage==7.2.5",
    "mock==5.0.2",
]

setup(
    author="Amazon Managed Streaming for Apache Kafka",
    python_requires=">=3.8",
    classifiers=[
        "Development Status :: 5 - Production/Stable",
        "Intended Audience :: Developers",
        "License :: OSI Approved :: Apache Software License",
        "Natural Language :: English",
        "Programming Language :: Python :: 3.8",
        "Programming Language :: Python :: 3.9",
        "Programming Language :: Python :: 3.10",
        "Programming Language :: Python :: 3.11",
    ],
    description="Amazon MSK Library in Python for SASL/OAUTHBEARER Auth",
    entry_points={
        "console_scripts": [
            "aws_msk_get_auth_token=aws_msk_iam_sasl_signer.cli:execute",
        ],
    },
    install_requires=requirements,
    license="Apache Software License 2.0",
    long_description_content_type="text/x-rst",
    long_description=readme + "\n\n" + history,
    include_package_data=True,
    keywords="aws-msk-iam-sasl-signer-python",
    name="aws-msk-iam-sasl-signer-python",
    packages=find_packages(exclude=['tests*']),
    test_suite="tests",
    tests_require=test_requirements,
    url="https://github.com/aws/aws-msk-iam-sasl-signer-python",
    version="1.0.1",
    zip_safe=False,
)

# MANIFEST.in

In [None]:
include CONTRIBUTING.rst
include CODE_OF_CONDUCT.rst
include CHANGELOG.rst
include LICENSE
include README.rst
include SUPPORT.rst

recursive-include tests *
recursive-exclude * __pycache__
recursive-exclude * *.py[co]

recursive-include docs *.rst conf.py Makefile make.bat *.jpg *.png *.gif

# Makefile

In [None]:
.PHONY: clean clean-build clean-pyc clean-test coverage dist docs help install lint lint
.DEFAULT_GOAL := help

define BROWSER_PYSCRIPT
import os, webbrowser, sys

from urllib.request import pathname2url

webbrowser.open("file://" + pathname2url(os.path.abspath(sys.argv[1])))
endef
export BROWSER_PYSCRIPT

define PRINT_HELP_PYSCRIPT
import re, sys

for line in sys.stdin:
	match = re.match(r'^([a-zA-Z_-]+):.*?## (.*)$$', line)
	if match:
		target, help = match.groups()
		print("%-20s %s" % (target, help))
endef
export PRINT_HELP_PYSCRIPT

BROWSER := python -c "$$BROWSER_PYSCRIPT"

help:
	@python -c "$$PRINT_HELP_PYSCRIPT" < $(MAKEFILE_LIST)

clean: clean-build clean-pyc clean-test ## remove all build, test, coverage and Python artifacts

clean-build: ## remove build artifacts
	rm -fr build/
	rm -fr dist/
	rm -fr .eggs/
	find . -name '*.egg-info' -exec rm -fr {} +
	find . -name '*.egg' -exec rm -f {} +

clean-pyc: ## remove Python file artifacts
	find . -name '*.pyc' -exec rm -f {} +
	find . -name '*.pyo' -exec rm -f {} +
	find . -name '*~' -exec rm -f {} +
	find . -name '__pycache__' -exec rm -fr {} +

clean-test: ## remove test and coverage artifacts
	rm -fr .tox/
	rm -f .coverage
	rm -fr htmlcov/
	rm -fr .pytest_cache

test: ## run tests quickly with the default Python
	python setup.py test

test-all: ## run tests on every Python version with tox
	tox

coverage: ## check code coverage quickly with the default Python
	coverage run --source aws-msk-iam-sasl-signer-python setup.py test
	coverage report -m
	coverage html
	$(BROWSER) htmlcov/index.html

docs: ## generate Sphinx HTML documentation, including API docs
	rm -f docs/aws-msk-iam-sasl-signer-python.rst
	rm -f docs/modules.rst
	sphinx-apidoc -o docs/ aws-msk-iam-sasl-signer-python
	$(MAKE) -C docs clean
	$(MAKE) -C docs html
	$(BROWSER) docs/_build/html/index.html

servedocs: docs ## compile the docs watching for changes
	watchmedo shell-command -p '*.rst' -c '$(MAKE) -C docs html' -R -D .

release: dist ## package and upload a release
	twine upload dist/*

dist: clean ## builds source and wheel package
	python setup.py sdist
	python setup.py bdist_wheel
	ls -l dist

install: clean ## install the package to the active Python's site-packages
	python setup.py install

# .editorconfig

In [None]:
# http://editorconfig.org

root = true

[*]
indent_style = space
indent_size = 4
trim_trailing_whitespace = true
insert_final_newline = true
charset = utf-8
end_of_line = lf

[*.bat]
indent_style = tab
end_of_line = crlf

[LICENSE]
insert_final_newline = false

[Makefile]
indent_style = tab

# tox.ini

In [None]:
[tox]
envlist = py36, py37, py38

[travis]
python =
    3.8: py38
    3.7: py37
    3.6: py36

basepython = python

[testenv]
setenv =
    PYTHONPATH = {toxinidir}

commands = python setup.py test

# setup.cfg

In [None]:
[bumpversion]
current_version = 1.0.1
commit = True
tag = True

[bumpversion:file:setup.py]
search = version='{current_version}'
replace = version='{new_version}'

[bumpversion:file:aws-msk-iam-sasl-signer-python/__init__.py]
search = __version__ = '{current_version}'
replace = __version__ = '{new_version}'

[bdist_wheel]
universal = 1

[metadata]
description_file = README.rst
license_files = LICENSE

# requirements.txt
This file lists the Python dependencies required by the project. It allows for easy installation of these dependencies.

In [None]:
boto3>=1.18.0
requests>=2.25.1


# requirements-dev.txt

In [None]:
pip==21.1
bump2version==0.5.11
wheel==0.38.1
watchdog==0.9.0
tox==3.14.0
coverage==4.5.4
Sphinx==1.8.5
twine==1.14.0
Click==7.1.2

# .gitignore
This file specifies which files and directories Git should ignore. It typically includes files that are automatically generated or environment-specific files that shouldn’t be tracked.

In [None]:
# Byte-compiled files
*.pyc
*.pyo
__pycache__/

# Virtual environment
venv/
.env/

# Dependency directories
.env/
*.egg-info/
dist/
build/

# IDE configuration files
.vscode/
.idea/


# CODE_OF_CONDUCT.rst

In [None]:
***************
Code of Conduct
***************

This project has adopted the `Amazon Open Source Code of Conduct`_.
For more information see the `Code of Conduct FAQ`_ or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

.. _Amazon Open Source Code of Conduct: https://aws.github.io/code-of-conduct
.. _Code of Conduct FAQ: https://aws.github.io/code-of-conduct-faq

In [None]:
# README.rst

In [None]:
====================================
aws-msk-iam-sasl-signer-python
====================================
|Version| |Python| |Build| |License| |SecurityScan|

.. |Build| image:: https://github.com/aws/aws-msk-iam-sasl-signer-python/actions/workflows/run-tests.yml/badge.svg?branch=main
    :target: https://github.com/aws/aws-msk-iam-sasl-signer-python/actions/workflows/run-tests.yml
    :alt: Build status
.. |Python| image:: https://img.shields.io/pypi/pyversions/aws-msk-iam-sasl-signer-python.svg?style=flat
    :target: https://pypi.python.org/pypi/aws-msk-iam-sasl-signer-python/
    :alt: Python Versions
.. |Version| image:: http://img.shields.io/pypi/v/aws-msk-iam-sasl-signer-python.svg?style=flat
    :target: https://pypi.python.org/pypi/aws-msk-iam-sasl-signer-python/
    :alt: Package Version
.. |License| image:: http://img.shields.io/pypi/l/aws-msk-iam-sasl-signer-python.svg?style=flat
    :target: https://github.com/aws/aws-msk-iam-sasl-signer-python/blob/main/LICENSE
    :alt: License
.. |SecurityScan| image:: https://github.com/aws/aws-msk-iam-sasl-signer-python/actions/workflows/securityscan.yml/badge.svg?branch=main
    :target: https://github.com/aws/aws-msk-iam-sasl-signer-python/actions/workflows/securityscan.yml
    :alt: Security Scan


This is an Amazon MSK Library in Python. This library provides a function to generates a base 64 encoded signed url
to enable authentication/authorization with an MSK Cluster.
The signed url is generated by using your IAM credentials.


* Free software: Apache Software License 2.0

Features
--------

* Provides a function to generate auth token using IAM credentials from the AWS default credentials chain.
* Provides a function to generate auth token using IAM credentials from the AWS named profile.
* Provides a function to generate auth token using assumed IAM role's credentials.
* Provides a function to generate auth token using a CredentialProvider. The CredentialProvider should be inherited from botocore.credentials.CredentialProvider class.


Get Started
-----------

* For installation, refer to `installation guide`_

* In order to use the signer library with a Kafka client library with SASL/OAUTHBEARER mechanism, add the callback function in your code.

* For example, here is the sample code to use with `dpkp/kafka-python`_ library:

.. code-block:: python

    from kafka import KafkaProducer
    from kafka.errors import KafkaError
    import socket
    import time
    from aws_msk_iam_sasl_signer import MSKAuthTokenProvider

    class MSKTokenProvider():
        def token(self):
            token, _ = MSKAuthTokenProvider.generate_auth_token('<my aws region>')
            return token

    tp = MSKTokenProvider()

    producer = KafkaProducer(
        bootstrap_servers='<my bootstrap string>',
        security_protocol='SASL_SSL',
        sasl_mechanism='OAUTHBEARER',
        sasl_oauth_token_provider=tp,
        client_id=socket.gethostname(),
    )

    topic = "<my-topic>"
    while True:
        try:
            inp=input(">")
            producer.send(topic, inp.encode())
            producer.flush()
            print("Produced!")
        except Exception:
            print("Failed to send message:", e)

    producer.close()

* Here is a sample consumer with `confluent-kafka-python`_ library :

.. code-block:: python

    from confluent_kafka import Consumer
    import socket
    import time
    from aws_msk_iam_sasl_signer import MSKAuthTokenProvider

    def oauth_cb(oauth_config):
        auth_token, expiry_ms = MSKAuthTokenProvider.generate_auth_token("<my aws region>")
        # Note that this library expects oauth_cb to return expiry time in seconds since epoch, while the token generator returns expiry in ms
        return auth_token, expiry_ms/1000

    c = Consumer({
        "debug": "all",
        'bootstrap.servers': "<my bootstrap string>",
        'client.id': socket.gethostname(),
        'security.protocol': 'SASL_SSL',
        'sasl.mechanisms': 'OAUTHBEARER',
        'oauth_cb': oauth_cb,
        'group.id': 'mygroup',
        'auto.offset.reset': 'earliest'
    })

    c.subscribe(['<my-topic>'])

    print("Starting consumer!")

    while True:
        msg = c.poll(5)

        if msg is None:
            continue
        if msg.error():
            print("Consumer error: {}".format(msg.error()))
            continue
        print('Received message: {}'.format(msg.value().decode('utf-8')))

    c.close()

* In order to use a named profile to generate token, replace the token() function with code below :

.. code-block:: python

    class MSKTokenProvider():
        def token(self):
            oauth2_token, _ = MSKAuthTokenProvider.generate_auth_token_from_profile('<your aws region>', '<named_profile>')
            return oauth2_token

* In order to use a role arn to generate token, replace the token() function with code below :

.. code-block:: python

    class MSKTokenProvider():
        def token(self):
            oauth2_token, _ = MSKAuthTokenProvider.generate_auth_token_from_role_arn('<your aws region>', '<role_arn>')
            return oauth2_token


* In order to use a custom credentials provider, replace the token() function with code below :

.. code-block:: python

    class MSKTokenProvider():
        def token(self):
            oauth2_token, _ = MSKAuthTokenProvider.generate_auth_token_from_credentials_provider('<your aws region>', '<your_credentials_provider')
            return oauth2_token


Running Tests
~~~~~~~~~~~~~
You can run tests in all supported Python versions using ``pytest``. By default,
it will run all of the unit tests.

.. code-block:: sh

    $ pytest

You can also run tests with setup.py:

.. code-block:: sh

    $ python setup.py test

To fix lint issues, run the pre-commit command:

.. code-block:: sh

    $ pre-commit run --all-files

To run tests with coverage information, run:

.. code-block:: sh

    $ coverage run --source=aws_msk_iam_sasl_signer.MSKAuthTokenProvider -m pytest tests/test_auth_token_provider.py
    $ coverage report -m


Troubleshooting
---------------
Finding out which identity is being used
----------------------------------------
You may receive an Access denied error and there may be some doubt as to which credential is being exactly used. The credential may be sourced from a role ARN, EC2 instance profile, credential profile etc.
When calling generate_auth_token(), you can set aws_debug_creds argument to True along with client side logging set to DEBUG then the signer library will print a debug log of the form:

.. code-block:: python

    MSKAuthTokenProvider.generate_auth_token('<my aws region>', aws_debug_creds = True)


.. code-block:: sh

    Credentials Identity: {UserId: ABCD:test124, Account: 1234567890, Arn: arn:aws:sts::1234567890:assumed-role/abc/test124}


The log line provides the IAM Account, IAM user id and the ARN of the IAM Principal corresponding to the credential being used.

Getting Help
------------

Please use these community resources for getting help. We use the GitHub issues
for tracking bugs and feature requests.

* Ask a `question <https://github.com/aws/aws-msk-iam-sasl-signer-python/discussions/new?category=q-a>`__ or open a `discussion <https://github.com/aws/aws-msk-iam-sasl-signer-python/discussions/new?category=general>`__.
* If you think you may have found a bug, please open an `issue <https://github.com/aws/aws-msk-iam-sasl-signer-python/issues/new/choose>`__.
* Open a support case with `AWS Support <http://docs.aws.amazon.com/awssupport/latest/user/getting-started.html>`__.

This repository provides a pluggable library with any Python Kafka client for SASL/OAUTHBEARER mechanism. For more information about SASL/OAUTHBEARER mechanism please go to `KIP 255 <https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75968876>`__.

Opening Issues
--------------

If you encounter a bug with the AWS MSK IAM SASL Signer for Python, we would like to hear about it.
Search the `Issues <https://github.com/aws/aws-msk-iam-sasl-signer-python/issues>`__ and see
if others are also experiencing the same issue before opening a new issue. Please
include the version of AWS MSK IAM SASL Signer for Python, Python, and OS you’re using. Please
also include reproduction case when appropriate.

The GitHub issues are intended for bug reports and feature requests. For help
and questions with using AWS MSK IAM SASL Signer for Python, please make use of the resources listed
in the Getting Help section.
Keeping the list of open issues lean will help us respond in a timely manner.

Contributing
------------

We value feedback and contributions from our community. Whether it's a bug report, new feature, correction, or additional documentation, we welcome your issues and pull requests. Please read through this `CONTRIBUTING <https://github.com/aws/aws-msk-iam-sasl-signer-python/blob/main/CONTRIBUTING.rst>`__ document before submitting any issues or pull requests to ensure we have all the necessary information to effectively respond to your contribution.

More Resources
--------------

* `NOTICE <https://github.com/aws/aws-msk-iam-sasl-signer-python/blob/main/NOTICE>`__
* `Changelog <https://github.com/aws/aws-msk-iam-sasl-signer-python/blob/main/CHANGELOG.rst>`__
* `License <https://github.com/aws/aws-msk-iam-sasl-signer-python/blob/main/LICENSE>`__
* `MSK Documentation <https://docs.aws.amazon.com/msk/latest/developerguide/getting-started.html>`__
* `Issues <https://github.com/aws/aws-msk-iam-sasl-signer-python/issues>`__

Credits
-------

This package was created with Cookiecutter_ and the `audreyr/cookiecutter-pypackage`_ project template.

.. _Cookiecutter: https://github.com/audreyr/cookiecutter
.. _`audreyr/cookiecutter-pypackage`: https://github.com/audreyr/cookiecutter-pypackage
.. _`dpkp/kafka-python`: https://github.com/dpkp/kafka-python
.. _`installation guide`: https://github.com/aws/aws-msk-iam-sasl-signer-python/blob/main/docs/installation.rst
.. _`confluent-kafka-python`: https://github.com/confluentinc/confluent-kafka-python