
aws-msk-iam-auth doesn't work for roles that have an externalId when an awsAccessKey/awsSecretKey is provided to assume the role. #128

Open
lets-data opened this issue Jul 22, 2023 · 0 comments


@lets-data

lets-data commented Jul 22, 2023

Folks,

I have a use case where the code is running with Lambda credentials. To authenticate with Kafka, the code needs to assume a role that has an externalId.
Since we want to limit access to those who can assume the role, we restrict assume role to a user's IAM user.
So the Lambda code retrieves the user's IAM credentials (AWS accessKey + AWS secretKey) and passes these credentials, the role with an externalId, and the externalId itself in the JAAS config. This gives an error, since the code doesn't seem to set the externalId when AWS credentials and a role are specified.
If we remove the externalId condition from the role policy, this starts working.

I have made a private fix where I have modified MSKCredentialProvider.java to include the externalId. I am attaching a diff screenshot of the fix that I have made. Can you see if this fix needs to be done for mainline?

Here is the example JAAS config that my Java code is using:

```java
// JAAS config string assembled by the application; the variables hold the
// application's own role ARN, IAM user keys, externalId, session name and region.
String jaasConfig =
    "software.amazon.msk.auth.iam.IAMLoginModule required"
    + " awsRoleArn=\"" + accessGrantRoleArn + "\""
    + " awsRoleAccessKeyId=\"" + iamUserAccessKey + "\""
    + " awsRoleSecretAccessKey=\"" + iamUserSecretKey + "\""
    + " awsRoleExternalId=\"" + accessGrantExternalId + "\""
    + " awsRoleSessionName=\"" + producerSessionName + "\""
    + " awsStsRegion=\"" + regions.getName() + "\";";
```

Thanks and Best Regards,

#Let's Data
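The AssumeRole call the issue describes, as an added illustration that is not the project's MSKCredentialProvider code: a hypothetical helper built on the AWS SDK for Java v2 that takes the same JAAS option names used above (awsRoleArn, awsRoleAccessKeyId, awsRoleSecretAccessKey, awsRoleExternalId, awsRoleSessionName, awsStsRegion), calls STS with the supplied IAM user keys, and forwards the externalId so that a role whose trust policy carries an sts:ExternalId condition accepts the request. The class and method names are made up for this example.

```java
import java.util.Map;

import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

/**
 * Hypothetical helper (not the library's MSKCredentialProvider): builds a
 * credentials provider from the JAAS options named in the issue and shows the
 * AssumeRole request that must carry ExternalId for the role to be assumable.
 */
public final class ExternalIdAssumeRoleExample {

    public static AwsCredentialsProvider fromJaasOptions(Map<String, String> opts) {
        // The explicit IAM user keys from the JAAS config are the credentials
        // used to call STS; the Lambda's own role credentials are not involved.
        AwsBasicCredentials callerKeys = AwsBasicCredentials.create(
                opts.get("awsRoleAccessKeyId"), opts.get("awsRoleSecretAccessKey"));

        StsClient sts = StsClient.builder()
                .region(Region.of(opts.get("awsStsRegion")))
                .credentialsProvider(StaticCredentialsProvider.create(callerKeys))
                .build();

        AssumeRoleRequest.Builder req = AssumeRoleRequest.builder()
                .roleArn(opts.get("awsRoleArn"))
                .roleSessionName(opts.getOrDefault("awsRoleSessionName", "msk-client"));

        // A trust policy with an sts:ExternalId condition rejects AssumeRole unless
        // the request carries the matching value; omitting it here reproduces the
        // AccessDenied the issue reports.
        String externalId = opts.get("awsRoleExternalId");
        if (externalId != null && !externalId.isEmpty()) {
            req.externalId(externalId);
        }

        // Credentials are refreshed automatically with the same request, so the
        // externalId is sent on every renewal, not only on the first call.
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(req.build())
                .build();
    }
}
```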
