Support STS AssumeRole for cross-account IAM authentication (PostgreSQL / MySQL) #1771
Description
Hello
Feature request or enhancement
For feature requests or enhancements, please provide the following information:
Which use case/requirement will be addressed by the proposed feature?
I'm running Kafka Connect (MSK Connect) in AWS account A and need to capture changes from RDS PostgreSQL databases in AWS account B using IAM authentication (database.authmode = aws-iam).
The connector generates the RDS IAM auth token using the credentials available to the process (the MSK Connect execution role in account A). RDS in account B rejects this token because the principal isn't in the same account.
The standard AWS pattern here is to assume a role in account B via STS AssumeRole, then generate the token with those temporary credentials. The AWS Advanced JDBC Wrapper supports this through StsAssumeRoleCredentialsProvider (see aws/aws-advanced-jdbc-wrapper#1239), but it requires programmatic configuration. I couldn't find a way to pass a role ARN through Debezium connector properties.
A property like database.iam.role.arn that tells the connection factory to assume a given role before generating the IAM auth token would make cross-account CDC possible without falling back to static credentials.
I might have missed an existing way to do this, though; happy to be corrected.
Have a good day!
Implementation ideas (optional)
<Your answer>
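The programmatic pattern the issue refers to (assume a role in account B, then sign the RDS IAM token with the temporary credentials), shown as an added example that is not part of the original post and is not Debezium code. It uses the AWS SDK for Java v2 and the PostgreSQL JDBC driver; the role ARN, endpoint, user, database, region and session name are placeholders, and the `database.iam.role.arn` property proposed above is not used because it does not exist yet.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.rds.RdsUtilities;
import software.amazon.awssdk.services.rds.model.GenerateAuthenticationTokenRequest;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class CrossAccountRdsIamAuth {
    // Placeholders (assumptions for illustration, not values from the issue).
    static final String ROLE_ARN = "arn:aws:iam::<ACCOUNT_B_ID>:role/<ROLE_NAME>";
    static final String DB_HOST = "<RDS_ENDPOINT_IN_ACCOUNT_B>";
    static final String DB_USER = "<IAM_ENABLED_DB_USER>";
    static final String DB_NAME = "<DATABASE>";
    static final int DB_PORT = 5432;
    static final Region REGION = Region.of("<REGION>");

    public static void main(String[] args) throws Exception {
        // STS is called with the process's own credentials (default chain),
        // which is the execution role in account A.
        try (StsClient sts = StsClient.builder().region(REGION).build();
             StsAssumeRoleCredentialsProvider accountB = StsAssumeRoleCredentialsProvider.builder()
                 .stsClient(sts)
                 .refreshRequest(AssumeRoleRequest.builder()
                     .roleArn(ROLE_ARN)
                     .roleSessionName("cdc-cross-account") // hypothetical session name
                     .build())
                 .build()) {

            // The token is signed with the assumed-role credentials, so RDS in
            // account B sees a principal from its own account.
            String token = RdsUtilities.builder()
                .region(REGION).credentialsProvider(accountB).build()
                .generateAuthenticationToken(GenerateAuthenticationTokenRequest.builder()
                    .hostname(DB_HOST).port(DB_PORT).username(DB_USER).build());

            Properties props = new Properties();
            props.setProperty("user", DB_USER);
            props.setProperty("password", token);        // token replaces a static password
            props.setProperty("sslmode", "verify-full"); // needs the RDS CA via sslrootcert
            String url = "jdbc:postgresql://" + DB_HOST + ":" + DB_PORT + "/" + DB_NAME;
            try (Connection c = DriverManager.getConnection(url, props)) {
                System.out.println("connected: " + c.isValid(5));
            }
        }
    }
}
```

The token is short-lived, so a long-running connector has to generate a fresh one for every new connection rather than caching the first.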