aws / aws-msk-iam-auth

Enables developers to use AWS Identity and Access Management (IAM) to connect to their Amazon Managed Streaming for Apache Kafka (Amazon MSK) clusters.
Apache License 2.0

Running with the same creds results in one success and one access denied error #125

Closed segmedmo closed 1 year ago

segmedmo commented 1 year ago

Hi aws-msk-iam-auth team, I have this issue when running the same command bin/kafka-topics.sh --list with the same Kafka library, aws-msk module and AWS credentials (verified by looking at the log with awsDebugCreds=true on) on 2 machines, and one succeeded but one said Access denied.

Debug log when running the command:

DEBUG AWS4 Canonical Request: '"GET
/
Action=kafka-cluster%3AConnect&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<my-cred>%2F20230619%2Fus-east-2%2Fkafka-cluster%2Faws4_request&X-Amz-Date=20230619T101505Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host
host:b-1.awsmsk-prod-segmed-kaf.quelkb.c7.kafka.us-east-2.amazonaws.com

host
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" (aws_msk_iam_auth_shadow.com.amazonaws.auth.AWS4Signer)
DEBUG AWS4 String to Sign: '"AWS4-HMAC-SHA256
20230619T101505Z
20230619/us-east-2/kafka-cluster/aws4_request
6f2da0fbed83c77b4175c8d043342584a870036801cbaaaa9f3d8c8e9c49dde1" (aws_msk_iam_auth_shadow.com.amazonaws.auth.AWS4Signer)
DEBUG Generating a new signing key as the signing key not available in the cache for the date 1687132800000 (aws_msk_iam_auth_shadow.com.amazonaws.auth.AWS4Signer)
DEBUG Setting SASL/AWS_MSK_IAM.824009085 client state to RECEIVE_SERVER_RESPONSE (software.amazon.msk.auth.iam.internals.IAMSaslClient)
DEBUG State RECEIVE_SERVER_RESPONSE at end of evaluating challenge (software.amazon.msk.auth.iam.internals.IAMSaslClient)
DEBUG [AdminClient clientId=adminclient-1] Set SASL client state to INTERMEDIATE (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
DEBUG [AdminClient clientId=adminclient-1] Set SASL client state to FAILED (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
INFO [AdminClient clientId=adminclient-1] Failed authentication with <node-address> (channelId=-1) ([9f1155de-5d87-4579-9ce2-dd104c7fb38c]: Access denied) (org.apache.kafka.common.network.Selector)
INFO [AdminClient clientId=adminclient-1] Node -1 disconnected. (org.apache.kafka.clients.NetworkClient)
ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (<node-address>) failed authentication due to: [9f1155de-5d87-4579-9ce2-dd104c7fb38c]: Access denied (org.apache.kafka.clients.NetworkClient)

My config file:

#ssl.truststore.location=
security.protocol=SASL_SSL
sasl.mechanism=AWS_MSK_IAM
sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required awsDebugCreds=true awsProfileName=custom;
sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler

Could you take a look to see what can be the reason for this issue? Thanks, Mo
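
The awsDebugCreds log above prints the SigV4 canonical request and string-to-sign that the client signs for kafka-cluster:Connect, which is the most useful thing to compare between the two machines. The following is an added example, not code from aws-msk-iam-auth, that rebuilds those two artifacts from their inputs, parses a logged canonical request back into fields, and reports which fields differ between two logs. The access key id is a placeholder, the host and timestamp are taken from the log in this issue, and the signing-key derivation follows the standard SigV4 chain (the cache-date value in the log is midnight UTC of the signing day in epoch milliseconds).

```python
"""Added example (not part of aws-msk-iam-auth): reconstruct and compare the
SigV4 artifacts that the awsDebugCreds=true log prints for kafka-cluster:Connect."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample inputs modelled on the log in the issue; the key id is a placeholder.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE"
REGION = "us-east-2"
SERVICE = "kafka-cluster"
HOST = "b-1.awsmsk-prod-segmed-kaf.quelkb.c7.kafka.us-east-2.amazonaws.com"
AMZ_DATE = "20230619T101505Z"

# SHA-256 of an empty body: the last line of every canonical request in this scheme.
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()


def canonical_request(access_key_id, host, amz_date, region=REGION, service=SERVICE, expires=900):
    """Build the presigned-URL style canonical request for kafka-cluster:Connect."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    params = [
        ("Action", "kafka-cluster:Connect"),
        ("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
        ("X-Amz-Credential", f"{access_key_id}/{scope}"),
        ("X-Amz-Date", amz_date),
        ("X-Amz-Expires", str(expires)),
        ("X-Amz-SignedHeaders", "host"),
    ]
    # SigV4: parameters sorted by name, every byte outside A-Za-z0-9-_.~ percent-encoded.
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params))
    return "\n".join([
        "GET",
        "/",
        query,
        f"host:{host}\n",   # canonical headers block, terminated by an empty line
        "host",             # signed headers list
        EMPTY_BODY_SHA256,  # hashed payload
    ])


def string_to_sign(canon, amz_date, region=REGION, service=SERVICE):
    """Algorithm, timestamp, credential scope and hash of the canonical request."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canon.encode()).hexdigest()])


def signing_key(secret_access_key, date, region=REGION, service=SERVICE):
    """Derive kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    key = ("AWS4" + secret_access_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def signing_key_cache_date_ms(amz_date):
    """Midnight UTC of the signing day as epoch milliseconds, the value the signer's cache log prints."""
    day = datetime.strptime(amz_date[:8], "%Y%m%d").replace(tzinfo=timezone.utc)
    return int(day.timestamp()) * 1000


def parse_canonical_request(text):
    """Split a logged canonical request back into its fields."""
    lines = text.split("\n")
    method, path, query = lines[0], lines[1], lines[2]
    headers, i = {}, 3
    while lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name] = value
        i += 1
    params = dict(p.split("=", 1) for p in query.split("&"))
    return {"method": method, "path": path, "params": params, "headers": headers,
            "signed_headers": lines[i + 1], "payload_hash": lines[i + 2]}


def _flatten(d, prefix=""):
    out = {}
    for k, v in d.items():
        if isinstance(v, dict):
            out.update(_flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out


def diff_canonical(text_a, text_b):
    """Names of the fields that differ between two logged canonical requests."""
    a, b = _flatten(parse_canonical_request(text_a)), _flatten(parse_canonical_request(text_b))
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    good = canonical_request(ACCESS_KEY_ID, HOST, AMZ_DATE)
    # A constructed second machine whose SDK resolved a different region.
    other = canonical_request(ACCESS_KEY_ID, HOST, AMZ_DATE, region="us-east-1")
    print(string_to_sign(good, AMZ_DATE))
    print("differs in:", diff_canonical(good, other))
    print("cache date:", signing_key_cache_date_ms(AMZ_DATE))
```

Run it against the two machines' logs by pasting each logged canonical request into diff_canonical; a difference in X-Amz-Credential points at region or date (credential scope) resolution, in X-Amz-Date at clock skew, and in host at a different bootstrap broker. Note that the string-to-sign hash in the issue's log cannot be reproduced here because the credential value is redacted.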

sidyag commented 1 year ago

I think we need more information to debug this. I recommend cutting a support ticket on your account with your cluster details along with the role details for the role you are using to access the cluster.