Document AWS_MSK_IAM

Author: everesio

README.md

@@ -187,9 +187,11 @@ You can launch a kafka-proxy container with auth-ldap plugin for trying it out w
             --proxy-listener-write-buffer-size int                 Sets the size of the operating system's transmit buffer associated with the connection. If zero, system default is used
             --proxy-request-buffer-size int                        Request buffer size pro tcp connection (default 4096)
             --proxy-response-buffer-size int                       Response buffer size pro tcp connection (default 4096)
+            --sasl-aws-profile string                              AWS profile
+            --sasl-aws-region string                               Region for AWS IAM Auth
             --sasl-enable                                          Connect using SASL
             --sasl-jaas-config-file string                         Location of JAAS config file with SASL username and password
-            --sasl-method string                                   SASL method to use (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, GSSAPI (default "PLAIN")
+            --sasl-method string                                   SASL method to use (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, GSSAPI, AWS_MSK_IAM (default "PLAIN")
             --sasl-password string                                 SASL user password
             --sasl-plugin-command string                           Path to authentication plugin binary
             --sasl-plugin-enable                                   Use plugin for SASL authentication
@@ -279,6 +281,17 @@ GSSAPI / Kerberos authentication
                        --gssapi-krb5 /etc/krb5.conf \
                        --gssapi-keytab /etc/security/keytabs/kafka.keytab
 
+AWS MSK IAM
+
+    kafka-proxy server --bootstrap-server-mapping "b-1-public.kafkaproxycluster.uls9ao.c4.kafka.eu-central-1.amazonaws.com:9198,0.0.0.0:30001" \
+                       --bootstrap-server-mapping "b-2-public.kafkaproxycluster.uls9ao.c4.kafka.eu-central-1.amazonaws.com:9198,0.0.0.0:30002" \
+                       --bootstrap-server-mapping "b-3-public.kafkaproxycluster.uls9ao.c4.kafka.eu-central-1.amazonaws.com:9198,0.0.0.0:30003" \
+                       --tls-enable --tls-insecure-skip-verify \
+                       --sasl-enable \
+                       --sasl-method "AWS_MSK_IAM" \
+                       --sasl-aws-region "eu-central-1" \
+                       --log-level debug
+
 
 ### Proxy authentication example
 

cmd/kafka-proxy/server.go

@@ -164,7 +164,7 @@ func initFlags() {
 	Server.Flags().StringVar(&c.Kafka.SASL.Username, "sasl-username", "", "SASL user name")
 	Server.Flags().StringVar(&c.Kafka.SASL.Password, "sasl-password", "", "SASL user password")
 	Server.Flags().StringVar(&c.Kafka.SASL.JaasConfigFile, "sasl-jaas-config-file", "", "Location of JAAS config file with SASL username and password")
-	Server.Flags().StringVar(&c.Kafka.SASL.Method, "sasl-method", "PLAIN", "SASL method to use (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, GSSAPI")
+	Server.Flags().StringVar(&c.Kafka.SASL.Method, "sasl-method", "PLAIN", "SASL method to use (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, GSSAPI, AWS_MSK_IAM")
 
 	// SASL GSSAPI
 	Server.Flags().StringVar(&c.Kafka.SASL.GSSAPI.AuthType, "gssapi-auth-type", config.KRB5_KEYTAB_AUTH, "GSSAPI auth type: KEYTAB or USER")
@@ -177,6 +177,10 @@ func initFlags() {
 	Server.Flags().BoolVar(&c.Kafka.SASL.GSSAPI.DisablePAFXFAST, "gssapi-disable-pa-fx-fast", false, "Used to configure the client to not use PA_FX_FAST.")
 	Server.Flags().StringToStringVar(&c.Kafka.SASL.GSSAPI.SPNHostsMapping, "gssapi-spn-host-mapping", map[string]string{}, "Mapping of Kafka servers address to SPN hosts")
 
+	// SASL AWS_MSK_IAM
+	Server.Flags().StringVar(&c.Kafka.SASL.AWSConfig.Region, "sasl-aws-region", "", "Region for AWS IAM Auth")
+	Server.Flags().StringVar(&c.Kafka.SASL.AWSConfig.Profile, "sasl-aws-profile", "", "AWS profile")
+
 	// SASL by Proxy plugin
 	Server.Flags().BoolVar(&c.Kafka.SASL.Plugin.Enable, "sasl-plugin-enable", false, "Use plugin for SASL authentication")
 	Server.Flags().StringVar(&c.Kafka.SASL.Plugin.Command, "sasl-plugin-command", "", "Path to authentication plugin binary")
@@ -185,8 +189,6 @@ func initFlags() {
 	Server.Flags().StringVar(&c.Kafka.SASL.Plugin.LogLevel, "sasl-plugin-log-level", "trace", "Log level of the auth plugin")
 	Server.Flags().DurationVar(&c.Kafka.SASL.Plugin.Timeout, "sasl-plugin-timeout", 10*time.Second, "Authentication timeout")
 
-	Server.Flags().StringVar(&c.Kafka.SASL.AWSRegion, "sasl-iam-region", "", "Region for AWS IAM Auth")
-
 	// Web
 	Server.Flags().BoolVar(&c.Http.Disable, "http-disable", false, "Disable HTTP endpoints")
 	Server.Flags().StringVar(&c.Http.ListenAddress, "http-listen-address", "0.0.0.0:9080", "Address that kafka-proxy is listening on")

config/config.go

@@ -46,6 +46,11 @@ type GSSAPIConfig struct {
 	SPNHostsMapping    map[string]string
 }
 
+type AWSConfig struct {
+	Region  string
+	Profile string
+}
+
 type Config struct {
 	Http struct {
 		ListenAddress string
@@ -161,7 +166,7 @@ type Config struct {
 				Timeout    time.Duration
 			}
 			GSSAPI    GSSAPIConfig
-			AWSRegion string
+			AWSConfig AWSConfig
 		}
 		Producer struct {
 			Acks0Disabled bool

proxy/client.go

@@ -124,15 +124,13 @@ func NewClient(conns *ConnSet, c *config.Config, netAddressMappingFunc config.Ne
 				gssapiConfig: &c.Kafka.SASL.GSSAPI,
 			}
 		} else if c.Kafka.SASL.Method == SASLIAMAAUTH {
-			if awsMSKIAMAUTH, err := NewAwsMSKIamAuth(
+			if saslAuthByProxy, err = NewAwsMSKIamAuth(
 				c.Kafka.ClientID,
-				c.Kafka.SASL.AWSRegion,
 				c.Kafka.ReadTimeout,
 				c.Kafka.WriteTimeout,
+				&c.Kafka.SASL.AWSConfig,
 			); err != nil {
-				return nil, fmt.Errorf("Failed to create IAM Auth: %v", err)
-			} else {
-				saslAuthByProxy = awsMSKIAMAUTH
+				return nil, errors.Errorf("Failed to create IAM Auth: %v", err)
 			}
 		} else {
 			return nil, errors.Errorf("SASL Mechanism not valid '%s'", c.Kafka.SASL.Method)

proxy/sasl_aws_msk_iam.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/config"
+	proxyconfig "github.com/grepplabs/kafka-proxy/config"
 	"github.com/grepplabs/kafka-proxy/proxy/protocol"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -28,15 +29,18 @@ type AwsMSKIamAuth struct {
 
 func NewAwsMSKIamAuth(
 	clientId string,
-	region string,
 	readTimeout,
 	writeTimeout time.Duration,
+	awsConfig *proxyconfig.AWSConfig,
 ) (SASLAuthByProxy, error) {
 	var optFns []func(*config.LoadOptions) error
-	if region != "" {
-		optFns = append(optFns, config.WithRegion(region))
+	if awsConfig.Region != "" {
+		optFns = append(optFns, config.WithRegion(awsConfig.Region))
 	}
-	cfg, err := config.LoadDefaultConfig(context.TODO(), optFns...)
+	if awsConfig.Profile != "" {
+		optFns = append(optFns, config.WithSharedConfigProfile(awsConfig.Profile))
+	}
+	cfg, err := config.LoadDefaultConfig(context.Background(), optFns...)
 	if err != nil {
 		return nil, fmt.Errorf("loading aws config: %v", err)
 	}
@@ -98,7 +102,7 @@ func (a *AwsMSKIamAuth) saslAuthenticate(conn DeadlineReaderWriter, brokerString
 		return fmt.Errorf("failed to parse host/port: %v", err)
 	}
 
-	authBytes, err := a.signer.SASLToken(context.TODO(), host)
+	authBytes, err := a.signer.SASLToken(context.Background(), host)
 	if err != nil {
 		return fmt.Errorf("failed to generate SASL token %v", err)
 	}

proxy/sasl_scram.go

@@ -174,7 +174,7 @@ func (b *SASLSCRAMAuth) sendAndReceiveSASLHandshake(conn DeadlineReaderWriter) e
 
 func (b *SASLSCRAMAuth) sendSaslAuthenticateRequest(conn DeadlineReaderWriter, correlationID int32, msg []byte) (int, error) {
 	//	rb := &SaslAuthenticateRequest{msg}
-	rb := &protocol.SaslAuthenticateRequestV0{msg}
+	rb := &protocol.SaslAuthenticateRequestV0{SaslAuthBytes: msg}
 	//req := &request{correlationID: correlationID, clientID: b.conf.ClientID, body: rb}
 	req := &protocol.Request{CorrelationID: correlationID, ClientID: b.clientID, Body: rb}
 	//buf, err := encode(req, b.conf.MetricRegistry)