-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for aws mks iam #2192
Conversation
@sethpollack thanks for raising this I wasn't aware that AWS had implented their own custom SASL mechanism for this, rather than adopting one of the existing standards. Whilst I can understand that people using AWS would like this support, ideally we wouldn't want to a) introduce a direct dependency on awk sdks for everyone or b) have service-specific configuration parameters etc. — this is also quite hard for us to regression test without provisioning a live service I notice that other kafka clients had this support added using a pluggable "opt-in" sasl provider architecture. I wonder how much work it would be to achieve a similar result with Sarama? i.e., keeping the dependencies and configuration in a separate module path that people can opt-in to using by pulling it in as a dependency |
@dnwe Another option would be to use |
I was implementing the same feature for a Kafka Terraform provider that relies on Sarama and I went for this last solution @sethpollack mentioned: using a custom The problem is Sarama is not flexible right now: in many points the code checks if the mechanism is strictly "SASLTypeSCRAMSHA256" or "SASLTypeSCRAMSHA512", there is no room to add new mechanisms. I would propose to enforce a generalized "SASLTypeSCRAM" mechanism and, in addition to that, introduce a flexible mechanism name (i.e. "SCRAM-SHA-256, "SCRAM-SHA-512", "AWS_MSK_IAM") that could be externally specified. I think these modifications, with the already-in-place possibility to specify a custom What do you think? |
Any updates on this? We use Sarama for a large number of our services, and would love to keep using it, but are considering moving over to kafka-go because it has IAM support. |
@sethpollack for SASL.User/SASL.Password do you have to provide a static accesskey/secretkey? https://github.com/Shopify/sarama/blob/f16c9d8fbe4866c970b20a08be14d57553b0b660/broker.go#L1417 mentions user/pw |
I think that gets ignored for IAM. IAM has a few options: |
Any updates on this? When can Sarama provide IAM support? |
Please :) |
Up for 2023 NY ;) |
Any updates? Do you know when it will be merged? |
@sethpollack would you have a moment to sign the CLA so we can get this merged? 🙏🏻 |
@austinorth unfortunately that CLA is asking for way too much personal information, I don't feel comfortable signing it. |
@sethpollack ahhh worddd |
@sethpollack can I fork you PR to get it merged? |
@bpaquet Yes |
Hi! Is there any update on this PR? Thanks |
+1 |
+1 |
This PR was superseded by #2482 which is waiting for more testing feedback from AWS users and the /v2 version boundary of Sarama (because it will change the client API for auth) |
fixes #1985
usage would look like: