aws / aws-msk-iam-auth

Enables developers to use AWS Identity and Access Management (IAM) to connect to their Amazon Managed Streaming for Apache Kafka (Amazon MSK) clusters.
Apache License 2.0

Auth Failure while reconnecting to AWS MSK Cluster using IAM ROLE #116

Closed RishiBaid closed 4 days ago

RishiBaid commented 1 year ago

We are using the below aws-msk version:

<dependency>
    <groupId>software.amazon.msk</groupId>
    <artifactId>aws-msk-iam-auth</artifactId>
    <version>1.1.3</version>
    <exclusions>
        <exclusion>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
        </exclusion>
    </exclusions>
</dependency>

and we are setting the following properties while connecting to the MSK cluster (version 3.3.1):

  Properties properties = new Properties();
  properties.put(AdminClientConfig.SECURITY_PROTOCOL_CONFIG,"SASL_SSL");
  properties.put("sasl.mechanism","AWS_MSK_IAM");
  properties.put("sasl.jaas.config","software.amazon.msk.auth.iam.IAMLoginModule required awsProfileName=\'dev-lineage-23\';");
  properties.put("sasl.client.callback.handler.class","software.amazon.msk.auth.iam.IAMClientCallbackHandler");

The first deployment of the above code works fine and we successfully connect to MSK. But when we redeploy the code, with no changes made, on the same EC2 machine, we get the following error.

Error occured during create topic = order with error org.apache.kafka.common.errors.SaslAuthenticationException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: Exception while evaluating challenge [Caused by javax.security.auth.callback.UnsupportedCallbackException: Unsupported callback type: class: software.amazon.msk.auth.iam.internals.AWSCredentialsCallback classloader: ParallelWebappClassLoader
  context: Unknown
  delegate: false
----------> Parent Classloader:
java.net.URLClassLoader@1fb3ebeb
 from class: software.amazon.msk.auth.iam.IAMClientCallbackHandler classloader: ParallelWebappClassLoader
  context: lineage
  delegate: false
----------> Parent Classloader:
java.net.URLClassLoader@1fb3ebeb
]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.

MSK is set up to authenticate via IAM role.

hhkkxxx133 commented 1 year ago

Thanks for reaching out. Can you try using the latest version 1.1.6 of our library? If the issue still persists, please let us know.

cnukwas commented 1 year ago

@hhkkxxx133 I am seeing a similar issue when using MirrorMaker2 with MSK Connect. I couldn't find anything in the logs to confirm whether it's using the latest version of aws-msk-iam-auth or not. Is there any way to check this and/or configure it to use the latest jar?

Thanks

github-actions[bot] commented 2 months ago

We have noticed this issue has not received attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.