MSK serverless BootstrapBrokerStringTls

Question

https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html

Review the heading: 'To set up a client to use authentication'
Item 3.  `On a machine where you have the AWS CLI installed, run the following command to get the bootstrap brokers of the cluster. Replace Cluster-ARN with the ARN of your cluster.

`aws kafka get-bootstrap-brokers --cluster-arn Cluster-ARN`

Save the string associated with BootstrapBrokerStringTls in the response.`

If you try item 3, and you have serverless MSK, you get: `An error occurred (BadRequestException) when calling the DescribeCluster operation: This operation cannot be performed on serverless clusters.`

So what do you do to setup SSL on clients who are using an AWS PrivateLink to access the brokers?

At this time, I am blocked from being able to use the PrivateLink connection to the MSK cluster.  When I try, I get:
`ERROR [Producer clientId=console-producer] Connection to node -1 (XXX.kafka.us-east-1.amazonaws.com/XXX.XXX.XXX.XXX:9098) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
`

Answer

Hi 
you need to use the v2 API:

```
aws kafka list-clusters-v2 --region 
```
```
aws kafka describe-cluster-v2 --cluster-arn 
```

* list-clusters-v2: https://docs.aws.amazon.com/cli/latest/reference/kafka/list-clusters-v2.html
* describe-cluster-v2: https://docs.aws.amazon.com/cli/latest/reference/kafka/describe-cluster-v2.html

For now, MSK Serverless only allows SSL via IAM and not MutualTLS. Follow this guide to achieve IAM authentication. https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html

MSK serverless BootstrapBrokerStringTls

Relevant content