Enables developers to use AWS Identity and Access Management (IAM) to connect to their Amazon Managed Streaming for Apache Kafka (Amazon MSK) clusters.
Apache License 2.0
Running with the same creds results in one success and one access denied error #125
Hi aws-msk-iam-auth team,
I have this issue when running the same command `bin/kafka-topics.sh --list` with the same Kafka library, aws-msk module and AWS credentials (verified by looking at the log with `awsDebugCreds=true` on) on 2 machines: one succeeded but one said "Access denied".
Debug log when running the command:

```
DEBUG AWS4 Canonical Request: '"GET
/
Action=kafka-cluster%3AConnect&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<my-cred>%2F20230619%2Fus-east-2%2Fkafka-cluster%2Faws4_request&X-Amz-Date=20230619T101505Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host
host:b-1.awsmsk-prod-segmed-kaf.quelkb.c7.kafka.us-east-2.amazonaws.com
host
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" (aws_msk_iam_auth_shadow.com.amazonaws.auth.AWS4Signer)
DEBUG AWS4 String to Sign: '"AWS4-HMAC-SHA256
20230619T101505Z
20230619/us-east-2/kafka-cluster/aws4_request
6f2da0fbed83c77b4175c8d043342584a870036801cbaaaa9f3d8c8e9c49dde1" (aws_msk_iam_auth_shadow.com.amazonaws.auth.AWS4Signer)
DEBUG Generating a new signing key as the signing key not available in the cache for the date 1687132800000 (aws_msk_iam_auth_shadow.com.amazonaws.auth.AWS4Signer)
DEBUG Setting SASL/AWS_MSK_IAM.824009085 client state to RECEIVE_SERVER_RESPONSE (software.amazon.msk.auth.iam.internals.IAMSaslClient)
DEBUG State RECEIVE_SERVER_RESPONSE at end of evaluating challenge (software.amazon.msk.auth.iam.internals.IAMSaslClient)
DEBUG [AdminClient clientId=adminclient-1] Set SASL client state to INTERMEDIATE (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
DEBUG [AdminClient clientId=adminclient-1] Set SASL client state to FAILED (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
INFO [AdminClient clientId=adminclient-1] Failed authentication with <node-address> (channelId=-1) ([9f1155de-5d87-4579-9ce2-dd104c7fb38c]: Access denied) (org.apache.kafka.common.network.Selector)
INFO [AdminClient clientId=adminclient-1] Node -1 disconnected. (org.apache.kafka.clients.NetworkClient)
ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (<node-address>) failed authentication due to: [9f1155de-5d87-4579-9ce2-dd104c7fb38c]: Access denied (org.apache.kafka.clients.NetworkClient)
```
I think we need more information to debug this. I recommend cutting a support ticket on your account with your cluster details along with the role details for the role you are using to access the cluster.
Hi aws-msk-iam-auth team, I have this issue when running the same command `bin/kafka-topics.sh --list` with the same Kafka library, aws-msk module and AWS credentials (verified by looking at the log with `awsDebugCreds=true` on) on 2 machines: one succeeded but one said "Access denied".
debug log when running the command
my config file
Could you take a look to see what can be the reason for this issue? Thanks, Mo