Folks,
I have a use case where the code is running with Lambda credentials. To authenticate with Kafka, the code needs to assume a role that has an externalId.
Since we want to limit access to those who can assume the role, we limit assume role to a user's IAM user.
So the Lambda code retrieves the user's IAM credentials (AWS accessKey + AWS secretKey) and passes these credentials and the role with externalId and the externalId in the JAAS config. This gives an error since the code doesn't seem to set the externalId when AWS credentials and role are specified.
If we remove the externalId condition from the role policy, this starts working.
I have made a private fix where I have modified the MSKCredentialProvider.java to include the externalId. I am attaching a diff screenshot of the fix that I have made. Can you see if this fix needs to be done for mainline?
Here is the example JAAS config that my Java code is using:
```java
"software.amazon.msk.auth.iam.IAMLoginModule required awsRoleArn=\"" + accessGrantRoleArn
    + "\" awsRoleAccessKeyId=\"" + iamUserAccessKey
    + "\" awsRoleSecretAccessKey=\"" + iamUserSecretKey
    + "\" awsRoleExternalId=\"" + accessGrantExternalId
    + "\" awsRoleSessionName=\"" + producerSessionName
    + "\" awsStsRegion=\"" + regions.getName()
    + "\";"
```
Thanks and Best Regards,
#Let's Data
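The behaviour the post asks for, as an added sketch that is neither the author's private fix (which exists only in the screenshot) nor the library's MSKCredentialProvider code: an assume-role provider that signs with static IAM user keys and still forwards the external ID. It assumes the AWS SDK for Java v1 is on the classpath; the class name, method name and all values in `main` are hypothetical placeholders.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

// Hypothetical helper for illustration; parameters mirror the JAAS options in the post.
public final class ExternalIdAssumeRoleExample {

    static AWSCredentialsProvider assumeRoleProvider(String roleArn, String sessionName,
            String stsRegion, String accessKeyId, String secretAccessKey, String externalId) {
        // STS client that signs AssumeRole with the IAM user's long-term keys
        // instead of the ambient Lambda execution-role credentials.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(stsRegion)
                .withCredentials(new AWSStaticCredentialsProvider(
                        new BasicAWSCredentials(accessKeyId, secretAccessKey)))
                .build();

        STSAssumeRoleSessionCredentialsProvider.Builder builder =
                new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                        .withStsClient(sts);

        // A trust policy with a condition on sts:ExternalId denies AssumeRole
        // requests that omit the value, so it has to be set on this code path
        // as well, not only when default credentials are used.
        if (externalId != null && !externalId.isEmpty()) {
            builder.withExternalId(externalId);
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // Constructed placeholder values, not real identifiers or keys.
        AWSCredentialsProvider provider = assumeRoleProvider(
                "arn:aws:iam::111122223333:role/EXAMPLE-ROLE", "example-session", "us-east-1",
                "AKIAEXAMPLEPLACEHOLDER", "example-secret-placeholder", "example-external-id");
        // The AssumeRole call is made when credentials are first requested
        // through provider.getCredentials(), which this sketch does not do.
        System.out.println("built " + provider.getClass().getSimpleName());
    }
}
```

Keeping the `sts:ExternalId` condition in the role's trust policy and fixing the client side preserves the access restriction the post describes, whereas removing the condition only hides the missing parameter.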