
Commit 0c00331

committed
Amazon MSK IAM authentication
1 parent 4bbbb3a commit 0c00331

5 files changed

+113
-21
lines changed


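--- a/docs/config.md
+++ b/docs/config.md
@@ -158,6 +158,10 @@ ACHGateway:
 [ TLS: <boolean> | default = false ]
 [ AutoCommit: <boolean> | default = false ]
 [ SASLMechanism: <string> | default = "PLAIN" ]
+[ AWSRegion: <string> | default = "" ]
+[ AWSProfile: <string> | default = "" ]
+[ AWSRoleARN: <string> | default = "" ]
+[ AWSSessionName: <string> | default = "" ]
 Webhook:
 [ Endpoint: <string> | default = "" ]
 ```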

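--- a/go.mod
+++ b/go.mod
@@ -63,26 +63,27 @@ require (
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
 github.com/Microsoft/go-winio v0.6.1 // indirect
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
+github.com/aws/aws-msk-iam-sasl-signer-go v1.0.1
 github.com/aws/aws-sdk-go v1.49.6 // indirect
-github.com/aws/aws-sdk-go-v2 v1.20.0 // indirect
+github.com/aws/aws-sdk-go-v2 v1.32.4 // indirect
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.11 // indirect
-github.com/aws/aws-sdk-go-v2/config v1.18.32 // indirect
-github.com/aws/aws-sdk-go-v2/credentials v1.13.31 // indirect
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.7 // indirect
+github.com/aws/aws-sdk-go-v2/config v1.28.2 // indirect
+github.com/aws/aws-sdk-go-v2/credentials v1.17.43 // indirect
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 // indirect
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.76 // indirect
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.37 // indirect
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.31 // indirect
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.38 // indirect
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 // indirect
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 // indirect
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0 // indirect
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.12 // indirect
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.32 // indirect
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.31 // indirect
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.0 // indirect
 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1 // indirect
-github.com/aws/aws-sdk-go-v2/service/sso v1.13.1 // indirect
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.1 // indirect
-github.com/aws/aws-sdk-go-v2/service/sts v1.21.1 // indirect
-github.com/aws/smithy-go v1.14.0 // indirect
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.4 // indirect
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 // indirect
+github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 // indirect
+github.com/aws/smithy-go v1.22.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 github.com/cenkalti/backoff/v4 v4.2.1 // indirect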
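Review bot: The new direct requirement `github.com/aws/aws-msk-iam-sasl-signer-go v1.0.1` (no `// indirect`) sits inside the block of indirect requirements, which suggests the line was added by hand; `go mod tidy` normally keeps direct requirements in a separate `require` block and would move it on the next run. The remaining lines are SDK version bumps pulled in by the signer and look consistent with the go.sum additions.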

go.sum

Lines changed: 28 additions & 0 deletions
@@ -49,46 +49,74 @@ github.com/Shopify/toxiproxy/v2 v2.5.0/go.mod h1:yhM2epWtAmel9CB8r2+L+PCmhH6yH2p
4949
github.com/VividCortex/gohistogram v1.0.0 h1:6+hBz+qvs0JOrrNhhmR7lFxo5sINxBCGXrdtl/UvroE=
5050
github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
5151
github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
52+
github.com/aws/aws-msk-iam-sasl-signer-go v1.0.1 h1:nMp7diZObd4XEVUR0pEvn7/E13JIgManMX79Q6quV6E=
53+
github.com/aws/aws-msk-iam-sasl-signer-go v1.0.1/go.mod h1:MVYeeOhILFFemC/XlYTClvBjYZrg/EPd3ts885KrNTI=
5254
github.com/aws/aws-sdk-go v1.49.6 h1:yNldzF5kzLBRvKlKz1S0bkvc2+04R1kt13KfBWQBfFA=
5355
github.com/aws/aws-sdk-go v1.49.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
5456
github.com/aws/aws-sdk-go-v2 v1.20.0 h1:INUDpYLt4oiPOJl0XwZDK2OVAVf0Rzo+MGVTv9f+gy8=
5557
github.com/aws/aws-sdk-go-v2 v1.20.0/go.mod h1:uWOr0m0jDsiWw8nnXiqZ+YG6LdvAlGYDLLf2NmHZoy4=
58+
github.com/aws/aws-sdk-go-v2 v1.32.4 h1:S13INUiTxgrPueTmrm5DZ+MiAo99zYzHEFh1UNkOxNE=
59+
github.com/aws/aws-sdk-go-v2 v1.32.4/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
5660
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.11 h1:/MS8AzqYNAhhRNalOmxUvYs8VEbNGifTnzhPFdcRQkQ=
5761
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.11/go.mod h1:va22++AdXht4ccO3kH2SHkHHYvZ2G9Utz+CXKmm2CaU=
5862
github.com/aws/aws-sdk-go-v2/config v1.18.32 h1:tqEOvkbTxwEV7hToRcJ1xZRjcATqwDVsWbAscgRKyNI=
5963
github.com/aws/aws-sdk-go-v2/config v1.18.32/go.mod h1:U3ZF0fQRRA4gnbn9GGvOWLoT2EzzZfAWeKwnVrm1rDc=
64+
github.com/aws/aws-sdk-go-v2/config v1.28.2 h1:FLvWA97elBiSPdIol4CXfIAY1wlq3KzoSgkMuZSuSe8=
65+
github.com/aws/aws-sdk-go-v2/config v1.28.2/go.mod h1:hNmQsKfUqpKz2yfnZUB60GCemPmeqAalVTui0gOxjAE=
6066
github.com/aws/aws-sdk-go-v2/credentials v1.13.31 h1:vJyON3lG7R8VOErpJJBclBADiWTwzcwdkQpTKx8D2sk=
6167
github.com/aws/aws-sdk-go-v2/credentials v1.13.31/go.mod h1:T4sESjBtY2lNxLgkIASmeP57b5j7hTQqCbqG0tWnxC4=
68+
github.com/aws/aws-sdk-go-v2/credentials v1.17.43 h1:SEGdVOOE1Wyr2XFKQopQ5GYjym3nYHcphesdt78rNkY=
69+
github.com/aws/aws-sdk-go-v2/credentials v1.17.43/go.mod h1:3aiza5kSyAE4eujSanOkSkAmX/RnVqslM+GRQ/Xvv4c=
6270
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.7 h1:X3H6+SU21x+76LRglk21dFRgMTJMa5QcpW+SqUf5BBg=
6371
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.7/go.mod h1:3we0V09SwcJBzNlnyovrR2wWJhWmVdqAsmVs4uronv8=
72+
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 h1:woXadbf0c7enQ2UGCi8gW/WuKmE0xIzxBF/eD94jMKQ=
73+
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19/go.mod h1:zminj5ucw7w0r65bP6nhyOd3xL6veAUMc3ElGMoLVb4=
6474
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.76 h1:DJ1kHj0GI9BbX+XhF0kHxlzOVjcncmDUXmCvXdbfdAE=
6575
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.76/go.mod h1:/AZCdswMSgwpB2yMSFfY5H4pVeBLnCuPehdmO/r3xSM=
6676
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.37 h1:zr/gxAZkMcvP71ZhQOcvdm8ReLjFgIXnIn0fw5AM7mo=
6777
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.37/go.mod h1:Pdn4j43v49Kk6+82spO3Tu5gSeQXRsxo56ePPQAvFiA=
78+
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 h1:A2w6m6Tmr+BNXjDsr7M90zkWjsu4JXHwrzPg235STs4=
79+
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23/go.mod h1:35EVp9wyeANdujZruvHiQUAo9E3vbhnIO1mTCAxMlY0=
6880
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.31 h1:0HCMIkAkVY9KMgueD8tf4bRTUanzEYvhw7KkPXIMpO0=
6981
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.31/go.mod h1:fTJDMe8LOFYtqiFFFeHA+SVMAwqLhoq0kcInYoLa9Js=
82+
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 h1:pgYW9FCabt2M25MoHYCfMrVY2ghiiBKYWUVXfwZs+sU=
83+
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23/go.mod h1:c48kLgzO19wAu3CPkDWC28JbaJ+hfQlsdl7I2+oqIbk=
7084
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.38 h1:+i1DOFrW3YZ3apE45tCal9+aDKK6kNEbW6Ib7e1nFxE=
7185
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.38/go.mod h1:1/jLp0OgOaWIetycOmycW+vYTYgTZFPttJQRgsI1PoU=
86+
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
87+
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
7288
github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0 h1:U5yySdwt2HPo/pnQec04DImLzWORbeWML1fJiLkKruI=
7389
github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0/go.mod h1:EhC/83j8/hL/UB1WmExo3gkElaja/KlmZM/gl1rTfjM=
7490
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.12 h1:uAiiHnWihGP2rVp64fHwzLDrswGjEjsPszwRYMiYQPU=
7591
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.12/go.mod h1:fUTHpOXqRQpXvEpDPSa3zxCc2fnpW6YnBoba+eQr+Bg=
92+
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g=
93+
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ=
7694
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.32 h1:kvN1jPHr9UffqqG3bSgZ8tx4+1zKVHz/Ktw/BwW6hX8=
7795
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.32/go.mod h1:QmMEM7es84EUkbYWcpnkx8i5EW2uERPfrTFeOch128Y=
7896
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.31 h1:auGDJ0aLZahF5SPvkJ6WcUuX7iQ7kyl2MamV7Tm8QBk=
7997
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.31/go.mod h1:3+lloe3sZuBQw1aBc5MyndvodzQlyqCZ7x1QPDHaWP4=
98+
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 h1:tHxQi/XHPK0ctd/wdOw0t7Xrc2OxcRCnVzv8lwWPu0c=
99+
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4/go.mod h1:4GQbF1vJzG60poZqWatZlhP31y8PGCCVTvIGPdaaYJ0=
80100
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.0 h1:Wgjft9X4W5pMeuqgPCHIQtbZ87wsgom7S5F8obreg+c=
81101
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.0/go.mod h1:FWNzS4+zcWAP05IF7TDYTY1ysZAzIvogxWaDT9p8fsA=
82102
github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1 h1:mTgFVlfQT8gikc5+/HwD8UL9jnUro5MGv8n/VEYF12I=
83103
github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1/go.mod h1:6SOWLiobcZZshbmECRTADIRYliPL0etqFSigauQEeT0=
84104
github.com/aws/aws-sdk-go-v2/service/sso v1.13.1 h1:DSNpSbfEgFXRV+IfEcKE5kTbqxm+MeF5WgyeRlsLnHY=
85105
github.com/aws/aws-sdk-go-v2/service/sso v1.13.1/go.mod h1:TC9BubuFMVScIU+TLKamO6VZiYTkYoEHqlSQwAe2omw=
106+
github.com/aws/aws-sdk-go-v2/service/sso v1.24.4 h1:BqE3NRG6bsODh++VMKMsDmFuJTHrdD4rJZqHjDeF6XI=
107+
github.com/aws/aws-sdk-go-v2/service/sso v1.24.4/go.mod h1:wrMCEwjFPms+V86TCQQeOxQF/If4vT44FGIOFiMC2ck=
86108
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.1 h1:hd0SKLMdOL/Sl6Z0np1PX9LeH2gqNtBe0MhTedA8MGI=
87109
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.1/go.mod h1:XO/VcyoQ8nKyKfFW/3DMsRQXsfh/052tHTWmg3xBXRg=
110+
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 h1:zcx9LiGWZ6i6pjdcoE9oXAB6mUdeyC36Ia/QEiIvYdg=
111+
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4/go.mod h1:Tp/ly1cTjRLGBBmNccFumbZ8oqpZlpdhFf80SrRh4is=
88112
github.com/aws/aws-sdk-go-v2/service/sts v1.21.1 h1:pAOJj+80tC8sPVgSDHzMYD6KLWsaLQ1kZw31PTeORbs=
89113
github.com/aws/aws-sdk-go-v2/service/sts v1.21.1/go.mod h1:G8SbvL0rFk4WOJroU8tKBczhsbhj2p/YY7qeJezJ3CI=
114+
github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 h1:yDxvkz3/uOKfxnv8YhzOi9m+2OGIxF+on3KOISbK5IU=
115+
github.com/aws/aws-sdk-go-v2/service/sts v1.32.4/go.mod h1:9XEUty5v5UAsMiFOBJrNibZgwCeOma73jgGwwhgffa8=
90116
github.com/aws/smithy-go v1.14.0 h1:+X90sB94fizKjDmwb4vyl2cTTPXTE5E2G/1mjByb0io=
91117
github.com/aws/smithy-go v1.14.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
118+
github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
119+
github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
92120
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
93121
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
94122
github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=

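--- a/internal/kafka/kafka.go
+++ b/internal/kafka/kafka.go
@@ -1,12 +1,15 @@
 package kafka
 
 import (
+"context"
+"crypto/tls"
 "time"
 
 "github.com/moov-io/achgateway/internal/service"
 "github.com/moov-io/base/log"
 
 "github.com/Shopify/sarama"
+"github.com/aws/aws-msk-iam-sasl-signer-go/signer"
 "gocloud.dev/pubsub"
 "gocloud.dev/pubsub/kafkapubsub"
 )
@@ -15,30 +18,66 @@ var (
 minKafkaVersion = sarama.V2_6_0_0
 )
 
+type MSKAccessTokenProvider struct {
+Region string
+Profile string
+RoleARN string
+SessionName string
+}
+
+func (m *MSKAccessTokenProvider) Token() (*sarama.AccessToken, error) {
+var token string
+var err error
+
+// Choose the correct AWS authentication method
+switch {
+case m.Profile != "":
+token, _, err = signer.GenerateAuthTokenFromProfile(context.TODO(), m.Region, m.Profile)
+case m.RoleARN != "":
+token, _, err = signer.GenerateAuthTokenFromRole(context.TODO(), m.Region, m.RoleARN, m.SessionName)
+default:
+token, _, err = signer.GenerateAuthToken(context.TODO(), m.Region)
+}
+
+if err != nil {
+return nil, err
+}
+return &sarama.AccessToken{Token: token}, nil
+}
+
 func OpenTopic(logger log.Logger, cfg *service.KafkaConfig) (*pubsub.Topic, error) {
 config := kafkapubsub.MinimalConfig()
 config.Version = minKafkaVersion
 config.Net.TLS.Enable = cfg.TLS
 
 config.Net.SASL.Enable = cfg.Key != ""
-config.Net.SASL.Mechanism = sarama.SASLMechanism(cfg.SASLMechanism)
-
 // Default to PLAIN if no SASL mechanism is specified
 switch cfg.SASLMechanism {
 case "SCRAM-SHA-512":
 config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient {
 return &XDGSCRAMClient{HashGeneratorFcn: SHA512}
 }
-config.Net.SASL.Mechanism = sarama.SASLMechanism(cfg.SASLMechanism)
+config.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA512
 
 case "SCRAM-SHA-256":
 config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient {
 return &XDGSCRAMClient{HashGeneratorFcn: SHA256}
 }
-config.Net.SASL.Mechanism = sarama.SASLMechanism(cfg.SASLMechanism)
+config.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA256
+
+case "AWS_MSK_IAM":
+config.Net.SASL.Mechanism = sarama.SASLTypeOAuth
+config.Net.SASL.TokenProvider = &MSKAccessTokenProvider{
+Region: cfg.AWSRegion,
+Profile: cfg.AWSProfile,
+RoleARN: cfg.AWSRoleARN,
+SessionName: cfg.AWSSessionName,
+}
+config.Net.TLS.Enable = true
+config.Net.TLS.Config = &tls.Config{}
 
 default:
-config.Net.SASL.Mechanism = sarama.SASLMechanism("PLAIN")
+config.Net.SASL.Mechanism = sarama.SASLTypePlaintext
 }
 
 config.Net.SASL.User = cfg.Key
@@ -52,8 +91,10 @@ func OpenTopic(logger log.Logger, cfg *service.KafkaConfig) (*pubsub.Topic, erro
 Set("tls", log.Bool(cfg.TLS)).
 Set("group", log.String(cfg.Group)).
 Set("sasl.enable", log.Bool(config.Net.SASL.Enable)).
+Set("sasl.mechanism", log.String(string(config.Net.SASL.Mechanism))).
 Set("sasl.user", log.String(cfg.Key)).
 Set("topic", log.String(cfg.Topic)).
+Set("aws.region", log.String(cfg.AWSRegion)).
 Log("opening kafka topic")
 
 return kafkapubsub.OpenTopic(cfg.Brokers, config, cfg.Topic, nil)
@@ -71,16 +112,27 @@ func OpenSubscription(logger log.Logger, cfg *service.KafkaConfig) (*pubsub.Subs
 config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient {
 return &XDGSCRAMClient{HashGeneratorFcn: SHA512}
 }
-config.Net.SASL.Mechanism = sarama.SASLMechanism(cfg.SASLMechanism)
+config.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA512
 
 case "SCRAM-SHA-256":
 config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient {
 return &XDGSCRAMClient{HashGeneratorFcn: SHA256}
 }
-config.Net.SASL.Mechanism = sarama.SASLMechanism(cfg.SASLMechanism)
+config.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA256
+
+case "AWS_MSK_IAM":
+config.Net.SASL.Mechanism = sarama.SASLTypeOAuth
+config.Net.SASL.TokenProvider = &MSKAccessTokenProvider{
+Region: cfg.AWSRegion,
+Profile: cfg.AWSProfile,
+RoleARN: cfg.AWSRoleARN,
+SessionName: cfg.AWSSessionName,
+}
+config.Net.TLS.Enable = true
+config.Net.TLS.Config = &tls.Config{}
 
 default:
-config.Net.SASL.Mechanism = sarama.SASLMechanism("PLAIN")
+config.Net.SASL.Mechanism = sarama.SASLTypePlaintext
 }
 
 config.Net.SASL.User = cfg.Key
@@ -98,8 +150,10 @@ func OpenSubscription(logger log.Logger, cfg *service.KafkaConfig) (*pubsub.Subs
 Set("tls", log.Bool(cfg.TLS)).
 Set("group", log.String(cfg.Group)).
 Set("sasl.enable", log.Bool(config.Net.SASL.Enable)).
+Set("sasl.mechanism", log.String(string(config.Net.SASL.Mechanism))).
 Set("sasl.user", log.String(cfg.Key)).
 Set("topic", log.String(cfg.Topic)).
+Set("aws.region", log.String(cfg.AWSRegion)).
 Log("setting up kafka subscription")
 
 return kafkapubsub.OpenSubscription(cfg.Brokers, config, cfg.Group, []string{cfg.Topic}, &kafkapubsub.SubscriptionOptions{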
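Review bot: In the new `case "AWS_MSK_IAM":` branches of OpenTopic and OpenSubscription nothing turns SASL on: the only assignment is the earlier context line `config.Net.SASL.Enable = cfg.Key != ""`, so a deployment that configures IAM auth without a Key gets the OAuth mechanism and token provider assigned but SASL left disabled, and the connection is attempted without any authentication (the failure would presumably surface as a broker-side rejection rather than a clear client error). Adding `config.Net.SASL.Enable = true` inside that case in both functions fixes it, and the `sasl.enable` log field added in the later hunks would then report the effective value. Separately, `Token()` calls the signer with `context.TODO()`, so a stalled credential lookup (profile, role assumption or instance metadata) can block sarama's handshake with no bound; a `context.WithTimeout(context.Background(), …)` plus wrapping the error (`return nil, fmt.Errorf("generating MSK IAM auth token: %w", err)`) would make such failures diagnosable. The SASL switch is now duplicated verbatim between OpenTopic and OpenSubscription, so a shared helper would keep the two from drifting. OpenSubscription's body continues past the last hunk.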

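--- a/internal/service/model_inbound.go
+++ b/internal/service/model_inbound.go
@@ -80,6 +80,11 @@ type KafkaConfig struct {
 AutoCommit bool
 SASLMechanism string
 
+AWSRegion string
+AWSProfile string
+AWSRoleARN string
+AWSSessionName string
+
 Consumer KafkaConsumerConfig
 Producer KafkaProducerConfig
 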
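Review bot: The four new exported fields carry no comments, so a reader of KafkaConfig cannot tell how AWSProfile, AWSRoleARN and AWSSessionName interact; in this commit's token provider the profile is used when set, otherwise the role ARN together with the session name, otherwise the signer's default lookup. A short comment on each field stating that order, and that all four are only read when SASLMechanism is "AWS_MSK_IAM", would save the next maintainer a trip to kafka.go. The KafkaConfig definition starts before this hunk.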