To enable clients to communicate with an MSK cluster that uses IAM access control, you can use either of these mechanisms:
- Non-Java client configuration using the SASL_OAUTHBEARER mechanism
- Java client configuration using the SASL_OAUTHBEARER mechanism or the AWS_MSK_IAM mechanism
Use the SASL_OAUTHBEARER mechanism to configure IAM
Edit your client.properties configuration file, using the SASL-related settings in the example Python Kafka client below as a guide. The configuration changes are similar in other languages.

```python
#!/usr/bin/python3
from kafka import KafkaProducer
from kafka.errors import KafkaError
import socket
import time
from aws_msk_iam_sasl_signer import MSKAuthTokenProvider


class MSKTokenProvider():
    # kafka-python calls token() whenever it needs a credential for the
    # OAUTHBEARER handshake; the signer returns (token, expiry_ms).
    def token(self):
        token, _ = MSKAuthTokenProvider.generate_auth_token('<my aws region>')
        return token


tp = MSKTokenProvider()

producer = KafkaProducer(
    bootstrap_servers='<my bootstrap string>',
    security_protocol='SASL_SSL',            # TLS to the broker, SASL inside it
    sasl_mechanism='OAUTHBEARER',
    sasl_oauth_token_provider=tp,            # IAM-signed token from above
    client_id=socket.gethostname(),
)

topic = "<my-topic>"
while True:
    try:
        inp = input(">")
        producer.send(topic, inp.encode())
        producer.flush()
        print("Produced!")
    except Exception as e:
        print("Failed to send message:", e)

producer.close()
```
Download the helper library for your chosen configuration language and follow the instructions in the Getting started section on that language library’s homepage.
JavaScript: https://github.com/aws/aws-msk-iam-sasl-signer-js#getting-started
Python: https://github.com/aws/aws-msk-iam-sasl-signer-python#get-started
Go: https://github.com/aws/aws-msk-iam-sasl-signer-go#getting-started
.NET: https://github.com/aws/aws-msk-iam-sasl-signer-net#getting-started
Java: SASL_OAUTHBEARER support for Java is available through the aws-msk-iam-auth JAR file.
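The MSKTokenProvider above discards the expiry that generate_auth_token returns and re-signs on every call. The following is an added example (not code from the page or from the AWS signer library) of a provider with the same token() contract that caches the signed token and refreshes it shortly before the reported expiry; the class name CachingMSKTokenProvider, the fake_signer helper and the injectable signer and clock are this example's own assumptions, and the only library call it relies on is MSKAuthTokenProvider.generate_auth_token(region) returning (token, expiry_ms).

```python
import threading
import time
from typing import Callable, Optional, Tuple

# Added example, not part of the page or the AWS signer library. It assumes only
# MSKAuthTokenProvider.generate_auth_token(region) -> (token, expiry_ms); the
# class and helper names below are this example's own.
Signer = Callable[[str], Tuple[str, int]]


class CachingMSKTokenProvider:
    """Same token() contract as the page's MSKTokenProvider, but the signed
    token is reused until `margin_s` seconds before the expiry the signer
    reported, then re-signed, so the client never presents a stale token."""

    def __init__(self, region: str, signer: Optional[Signer] = None,
                 margin_s: float = 60.0, now: Callable[[], float] = time.time):
        if signer is None:
            from aws_msk_iam_sasl_signer import MSKAuthTokenProvider  # real signer
            signer = MSKAuthTokenProvider.generate_auth_token
        self._region, self._signer, self._margin_s, self._now = region, signer, margin_s, now
        self._lock = threading.Lock()   # token() may run on kafka-python's I/O thread
        self._token: Optional[str] = None
        self._expiry_ms = 0
        self.refreshes = 0              # how many times the signer was invoked

    def _stale(self) -> bool:
        # expiry_ms is epoch milliseconds; refresh once inside the safety margin
        return self._token is None or self._now() >= self._expiry_ms / 1000 - self._margin_s

    def token(self) -> str:
        with self._lock:
            if self._stale():
                self._token, self._expiry_ms = self._signer(self._region)
                self.refreshes += 1
            return self._token


def fake_signer(now: Callable[[], float], lifetime_s: int = 900) -> Signer:
    """Constructed stand-in for generate_auth_token: numbered tokens that
    expire `lifetime_s` seconds after the supplied clock's current time."""
    calls = []

    def sign(region: str) -> Tuple[str, int]:
        calls.append(region)
        return f"token-{region}-{len(calls)}", int((now() + lifetime_s) * 1000)
    return sign
```

Pass an instance as sasl_oauth_token_provider exactly as the page does with tp; with the default arguments it uses the real signer and the system clock.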
Use the MSK custom AWS_MSK_IAM mechanism to configure IAM
Add the following to the client.properties file. Replace <PATH_TO_TRUST_STORE_FILE> with the fully-qualified path to the trust store file on the client.

Note: If you don't want to use a specific certificate, you can remove ssl.truststore.location=<PATH_TO_TRUST_STORE_FILE> from your client.properties file. When you don't specify a value for ssl.truststore.location, the Java process uses the default certificate.

```properties
ssl.truststore.location=<PATH_TO_TRUST_STORE_FILE>
security.protocol=SASL_SSL
sasl.mechanism=AWS_MSK_IAM
sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;
sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler
```

To use a named profile that you created for AWS credentials, include awsProfileName="your profile name"; in your client configuration file. For information about named profiles, see Named profiles in the AWS CLI documentation.

Download the latest stable aws-msk-iam-auth JAR file, and place it in the class path. If you use Maven, add the following dependency, adjusting the version number as needed:

```xml
<dependency>
    <groupId>software.amazon.msk</groupId>
    <artifactId>aws-msk-iam-auth</artifactId>
    <version>1.0.0</version>
</dependency>
```
The Amazon MSK client plugin is open-sourced under the Apache 2.0 license.