New clusters have "BootstrapBrokerStringTls"

0

I'm trying to create MSK clusters, and since yesterday, sometime in the early afternoon CEST, a newly created cluster no longer has a "BootstrapBrokerString"; instead, aws kafka get-bootstrap-brokers returns a response with only "BootstrapBrokerStringTls".

This is clearly an unexpected API change, in a GA product. I would have expected that any move towards TLS-support (yeah! great! awesome!) would be announced, and would not affect existing documented things.

Switching to TLS will be quite some work, so right now I rather would not want to do that. How can I get back to the previous behavior?

EDIT: I'm also looking at the AWS console now. The cluster says "TLS client authentication" is "Disabled", and encryption in transit between clients and brokers is "Only TLS encrypted traffic allowed". So I guess it makes sense that the client information only returns "TLS" entries.

I looked a bit further, and it seems that the API behavior indeed changed, and the TLS options appeared. The default is said to be "TLS/Plaintext" at https://aws.amazon.com/msk/faqs/ (which probably would still produce a BootstrapBrokerStringTls), the actual default I saw looks like "TLS" though.

I'm now trying to adapt at least my creation scripts to explicitly configure ClientBroker encryption as 'PLAINTEXT', and then will have to work out how to move towards a "both" situation.

Edited by: ankon on Jun 21, 2019 11:48 AM: Added information for console output, and my next steps.

Edited by: ankon on Jun 21, 2019 12:11 PM: Updated with more information from documentation where I could find references to the change.

ankon
asked 5 years ago, 362 views
3 Answers
0

Hi. We launched TLS support at GA and we are currently moving to a default setting of TLS for our APIs. We will be updating our documentation and making an announcement in the Forums to communicate this change. You can change the default setting and disable TLS at the time of creation by selecting TLS_PLAINTEXT or PLAINTEXT for the ClientBroker parameter. We expect this default behavior to be rolled out to all regions by 6/25. We will also make it possible to update existing clusters' encryption settings at a future date. Learn More: https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html

answered 5 years ago
0

Thank you for replying!

> We launched TLS support at GA and we are currently moving to a default setting of TLS for our APIs. We will be updating our documentation and making an announcement in the Forums to communicate this change.

Right. It's this change in defaults that tripped me quite hard, as it essentially broke the glue scripts we prepare for a disaster recovery scenario and for automating our deployments.

I've now updated my awscli package, and modified the scripts to set the EncryptionInfo fields to disable TLS for now.

Are you already aware of any other changes in defaults that are going to happen and that I should prepare for?

ankon
answered 5 years ago
0

Glad you were able to get it working. There are no other planned default changes to the API.

answered 5 years ago
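
The following is an added example, not code from the posters or from AWS: a sketch of how a creation script can state ClientBroker explicitly in EncryptionInfo and how a consumer of the get-bootstrap-brokers response can handle both BootstrapBrokerString and BootstrapBrokerStringTls, preferring TLS and refusing a silent fallback to plaintext. The function names, the `allow_plaintext` parameter and the sample hostnames are assumptions made for illustration.

```python
import json

# The three ClientBroker values named in the thread.
CLIENT_BROKER_MODES = ("TLS", "TLS_PLAINTEXT", "PLAINTEXT")


def encryption_info(client_broker):
    """Build an EncryptionInfo value that states ClientBroker explicitly,
    so a change in the service default cannot alter what the script creates."""
    if client_broker not in CLIENT_BROKER_MODES:
        raise ValueError(f"unknown ClientBroker mode: {client_broker!r}")
    return {"EncryptionInTransit": {"ClientBroker": client_broker}}


def select_bootstrap(response, allow_plaintext=False):
    """Return (broker_string, security_protocol) from a get-bootstrap-brokers
    response. The TLS listener wins whenever it is present; plaintext is used
    only when the caller opts in. security_protocol is the Kafka client
    'security.protocol' value ('SSL' without TLS client authentication)."""
    tls = response.get("BootstrapBrokerStringTls")
    if tls:
        return tls, "SSL"
    plain = response.get("BootstrapBrokerString")
    if plain and allow_plaintext:
        return plain, "PLAINTEXT"
    if plain:
        raise RuntimeError("only plaintext brokers offered and allow_plaintext is False")
    raise RuntimeError("response contains no bootstrap broker string")


# Constructed sample responses; hostnames are placeholders, not real brokers.
TLS_ONLY = {"BootstrapBrokerStringTls": "b-1.example.invalid:9094,b-2.example.invalid:9094"}
PLAIN_ONLY = {"BootstrapBrokerString": "b-1.example.invalid:9092,b-2.example.invalid:9092"}
BOTH = {**TLS_ONLY, **PLAIN_ONLY}  # what a TLS_PLAINTEXT cluster would return

if __name__ == "__main__":
    # JSON suitable for the EncryptionInfo field of a create-cluster request.
    print(json.dumps(encryption_info("TLS_PLAINTEXT")))
    for label, resp in (("TLS-only", TLS_ONLY), ("both", BOTH)):
        print(label, select_bootstrap(resp))
    print("plaintext-only", select_bootstrap(PLAIN_ONLY, allow_plaintext=True))
```
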
