aws / aws-msk-iam-auth

Enables developers to use AWS Identity and Access Management (IAM) to connect to their Amazon Managed Streaming for Apache Kafka (Amazon MSK) clusters.
Apache License 2.0

IAMOAuthBearerLoginCallbackHandler uses wrong profile to look up region #160

Open hgschmie opened 3 months ago

hgschmie commented 3 months ago

I am using a profile configuration and have a profile called "qa-kafka" that contains my credentials and the necessary region where I connect to MSK.

When authenticating Kafka using an OAuth Bearer Token, it creates an instance of IAMOAuthBearerLoginCallbackHandler and then configures it. The MSKCredentialProvider instance is configured correctly:


However, the awsRegionProvider field is unconditionally configured as a DefaultAwsRegionProviderChain instance. As a result, the profile there is default:


I do not have a default profile configured; now my Kafka authentication fails with

[INFO ] [AdminClient clientId=<xxx>] Failed authentication with <yyy>.kafka.us-west-2.amazonaws.com/a.b.c.d (channelId=-3) (An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: AWS region could not be resolved. [Caused by java.io.IOException: AWS region could not be resolved.]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.)

This seems to be a bug. The region provider should use the same profile as the credential provider.
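The mismatch described above, reduced to a preflight check you can run before starting a client. This is an added example, not code from aws-msk-iam-auth: it models a region provider chain (environment variable first, then the `region` key of one named profile) over a constructed `~/.aws/config`, and shows that resolving the region against `default` fails while the same lookup scoped to the credential profile `qa-kafka` succeeds.

```python
"""Model of the region lookup mismatch: credentials from a named profile,
region resolved from the default profile. Added example, not library code."""
import configparser
import os

# Constructed sample ~/.aws/config: the default profile has no region,
# only the named profile used for credentials does (as in the issue).
SAMPLE_CONFIG = """\
[default]
output = json

[profile qa-kafka]
region = us-west-2
"""


def load_config(text):
    """Parse AWS config text. Named profiles live in '[profile NAME]' sections;
    only the default profile is a bare '[default]' section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def resolve_region(cp, profile_name, env=None):
    """Simplified region provider chain scoped to one profile (assumption:
    AWS_REGION env var first, then the profile's 'region' key). Returns None
    when nothing resolves, which is what surfaces as the SaslException."""
    env = os.environ if env is None else env
    if env.get("AWS_REGION"):
        return env["AWS_REGION"]
    section = "default" if profile_name == "default" else f"profile {profile_name}"
    if cp.has_option(section, "region"):
        return cp.get(section, "region")
    return None


def check_region_lookup(cp, credential_profile, region_profile, env=None):
    """Preflight: report whether the region provider, using region_profile,
    would resolve a region, and flag when it is not the credential profile."""
    region = resolve_region(cp, region_profile, env)
    if region is None:
        return False, (f"region lookup uses profile '{region_profile}' which has no "
                       f"region; credentials come from '{credential_profile}'")
    return True, region
```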