kafbat / ui-serde-glue

AWS Glue Serde for kafka-ui
Apache License 2.0

Unable to switch IAM role for accessing Glue Schema Registry #30

Open olivd4400 opened 6 months ago

olivd4400 commented 6 months ago

Hello,

With the Amazon MSK Library for AWS Identity and Access Management, it is possible to switch the IAM role used for accessing the MSK cluster (https://github.com/aws/aws-msk-iam-auth?tab=readme-ov-file#specifying-an-aws-iam-role-for-a-client):

```properties
security.protocol=SASL_SSL
sasl.mechanism=AWS_MSK_IAM

# Default: IAMLoginModule takes credentials from the AWS default credentials chain
sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;

# With role switching: the login module assumes the given role for MSK access
# (if both sasl.jaas.config lines are in one properties file, the later one takes effect)
sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required awsRoleArn="arn:aws:iam::xxxxxx:role/msk_client_role" awsRoleSessionName="test-msk";

sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler
```

This is working fine for Kafka access. The permissions that are checked within kafka-ui for listing brokers, topics, ... are the permissions attached to "msk_client_role" (the assumed role).

However, this SASL config (awsRoleArn) has no effect on the serde. The permissions that apply are the ones attached to the logged-in user (AWS credentials authentication chain). Obviously the SASL config applies only to kafka-ui, not to the serde.

Would it be possible for the serde to specify an IAM role that allows Glue Schema Registry access, without having to grant this permission to the user?

Thanks in advance, Olivier

olivd4400 commented 3 months ago

Hello,

We have figured out that it is not only a nice-to-have enhancement but a real issue when using AWS assumed roles. IAM roles can be assumed for a period from 1h to 12h.

When the role that has been used to run kafka-ui has expired, it is still possible to access MSK, since IAMLoginModule refreshes credentials in a background task (https://github.com/aws/aws-msk-iam-auth/commit/35ca4b94ef0e7fc8b61d8279698e8dbc109095cb), but the serde stops working since the original credentials have expired.

Thanks in advance, Olivier
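The mechanism the two comments above ask for, as an added example that is not code from ui-serde-glue or from the reporter: an AWS SDK v2 credentials provider that assumes a dedicated role through STS and re-assumes it in the background before the session expires, handed to the Glue client so that only the role's permissions (not the logged-in user's) are exercised. Role ARN, session name, region and the client wiring are assumptions; how ui-serde-glue builds its Glue client internally is not shown on this page.

```java
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.glue.GlueClient;
import software.amazon.awssdk.services.glue.model.ListRegistriesRequest;
import software.amazon.awssdk.services.glue.model.RegistryListItem;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class GlueAssumedRoleExample {

    // Placeholder values (assumptions): the role that should own Glue Schema Registry access.
    static final String ROLE_ARN = "arn:aws:iam::000000000000:role/glue_schema_registry_role";
    static final String SESSION_NAME = "kafka-ui-serde";
    static final Region REGION = Region.EU_WEST_1;

    /** Provider that assumes ROLE_ARN using the base credential chain for the STS call
     *  and re-assumes it automatically before the session expires, which is the failure
     *  mode reported above when fixed, already-expired credentials are used instead. */
    static AwsCredentialsProvider assumedRoleProvider() {
        StsClient sts = StsClient.builder().region(REGION).build(); // default credentials chain
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(ROLE_ARN)
                .roleSessionName(SESSION_NAME)
                .durationSeconds(3600)               // must not exceed the role's max session duration
                .build();
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(request)
                .asyncCredentialUpdateEnabled(true)  // refresh on a background thread
                .build();
    }

    /** Glue client that only ever carries the assumed role's permissions. */
    static GlueClient glueClient() {
        return GlueClient.builder()
                .region(REGION)
                .credentialsProvider(assumedRoleProvider())
                .build();
    }

    public static void main(String[] args) {
        // Smoke test: succeeds only if the assumed role itself holds glue:ListRegistries.
        try (GlueClient glue = glueClient()) {
            for (RegistryListItem r : glue.listRegistries(ListRegistriesRequest.builder().build()).registries()) {
                System.out.println(r.registryName());
            }
        }
    }
}
```

Running the smoke test with a user that has no Glue permissions but may assume the role confirms that the serde path would no longer depend on the user's own Glue grants.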