AssumeRole Fails for Glue Schema Registry Across Multiple AWS Accounts

[vr-ms]

Hello everyone,

I am facing an issue with multiple AWS accounts, each running MSK Kafka along with a Glue Schema Registry. Currently, each account has its own user for the Serde plugin, and this setup works fine.

We would prefer to manage all permissions via IRSA or at least through a single user account with AssumeRole. When we attempt to access an Glue Schema Registry in another account using AssumeRole, it fails, and we only get the message "fallback serde was used". According to the CloudTrail logs, there is no attempt to perform an AssumeRole for the account.

When I manually execute an AssumeRole using the AWS CLI and subsequently run an aws glue get-schema-version command, it works as expected.

Am I missing something? I have attached the configuration for reference.

kafka:
  clusters:
    - name: msk-cluster
      bootstrapServers: XXXXX
      properties:
        security.protocol: SASL_SSL
        sasl.mechanism: SCRAM-SHA-512
        sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="XXXX" password="XXXX";
      serde:
        - name: GlueSchemaRegistry
          filepath: /glue-serde/kafkaui-serde-glue-v1.0.1-jar-with-dependencies.jar
          classname: io.kafbat.ui.serde.glue.GlueSerde
          properties:
            region: XXXX
            registry: XXXX
            awsaccesskeyid: XXXX
            awssecretaccesskey: XXXX`

[germanosin]

@iliax Could you please check it?

[vr-ms]

I did some more research and came across the following ticket at AWS. https://github.com/awslabs/aws-glue-schema-registry/issues/252

I suspect that this is the problem which is preventing it from working. To make it work, you would have to implement the method mentioned in the ticket.

Unfortunately, I don't know Java to contribute an MR 😞