Auth failure when connecting from cross-region to MSK and cross-cloud #127
Comments
Hello @nihalpot thanks for opening the issue. Please go ahead and send a PR. Could you also provide a setup on how we could reproduce this issue on our end? Also, were you using MSK PrivateLink? https://docs.aws.amazon.com/msk/latest/developerguide/aws-access-mult-vpc.html
@plazma-prizma thanks for the reply! I wasn't using MSK PrivateLink, I was using a public endpoint which, as I understand from the documentation, should support cross-region access. To confirm, is this required for cross-region access? For instructions to reproduce the issue:
In particular, we also just need the following lines of code to test this (pulled from internals/AuthenticationRequestParams.java):
With regions.xml installed in the AWS SDK, this returns null, so cross-region access doesn't work.
@plazma-prizma hi, I just added a PR here to fix this issue: #130. I have validated it using the process I described earlier. Could you please review this when you get a chance? Thank you!
Hello, just to double-check, this issue has been fixed in v1.1.9, is that correct?
v1.1.8...v1.1.9 shows the diff between 1.1.8 and 1.1.9
@plazma-prizma the diff includes #134, which should fix this issue, so I was wondering why this issue is still open. Did the fix work as expected?
Hey @GiacomoOrlandi-awin, thanks for the heads up. The issue was just left open. I am closing it now. Please feel free to re-open if you think it wasn't solved.
Currently, we are running into an issue with the MSK Client when it fails due to an authentication error both on cross-region (let's say the EC2 instance is in 'us-east-2' and the MSK instance is in 'us-west-2') and cross-cloud (let's say we are trying to connect to MSK from a GCP VM). As I understand it, this is the reasoning for the issue:

In AuthenticationRequestParams, the MSK client tries to segment the endpoint to find the region metadata using tryGetRegionByEndpointDnsSuffix. In the AWS SDK, if we have defined a regions.xml file, the RegionMetadata relies on the LegacyRegionXmlMetadataBuilder to create this. This is built on the InMemoryRegionsProvider, which does not have tryGetRegionByEndpointDnsSuffix defined (see here). Thereby, when we are running on a node which has regions.xml defined in the AWS SDK, the MSK client will default to the same region as that of the EC2 instance it is running on. This blocks cross-region access, since the region configured in AuthenticationRequestParams will be different from the actual region of the MSK broker. Similarly, Regions.getCurrentRegion won't work for non-EC2 instances, so this will run into an error on GCP and Azure environments.

My proposal to fix this is that the MSK Client should incorporate an awsRegion which essentially overwrites the region field in AuthenticationRequestParams. This is something that is already done for other clients like Kinesis, SNS. What do you think? Should I contribute towards this or can the AWS team build this feature?