Sample example for MSK 3rd party OpenID Connect (producer and consumer)

0

Not able to find proper documentation on 3rd party OpenID Connect integration with an MSK IAM role identity provider. It would be helpful if someone could point to the right documents or an example.

We are registering a 3rd party on-prem identity provider, but are not sure how to connect to the MSK cluster with these options. The project below doesn't have proper documentation.

https://github.com/aws/aws-msk-iam-auth

1 answer
0

Hello. To create a role for an external OpenID Connect identity provider, please reference the following documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html.

Once the role has been created, you will need to enable clients to communicate with the MSK cluster that uses IAM access control and configure them as described in the following documentation: https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html. To use IAM access control for Amazon MSK, please refer to the steps listed below:

Further, you can configure a Kafka client to use AWS IAM for authentication by adding the following properties to the client's configuration.

# Sets up TLS for encryption and SASL for authN.
security.protocol = SASL_SSL
# Identifies the SASL mechanism to use.
sasl.mechanism = AWS_MSK_IAM
# Binds SASL client implementation.
sasl.jaas.config = software.amazon.msk.auth.iam.IAMLoginModule required;
# Encapsulates constructing a SigV4 signature based on extracted credentials.
# The SASL client bound by "sasl.jaas.config" invokes this class.
sasl.client.callback.handler.class = software.amazon.msk.auth.iam.IAMClientCallbackHandler

This configuration finds IAM credentials using the AWS Default Credentials Provider Chain. To summarize, the Default Credential Provider Chain looks for credentials in this order:

  1. Environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
  2. Java system properties: aws.accessKeyId and aws.secretKey.
  3. Web Identity Token credentials from the environment or container.
  4. The default credential profiles file, typically located at ~/.aws/credentials (location can vary per platform), and shared by many of the AWS SDKs and by the AWS CLI. You can create a credentials file by using the aws configure command provided by the AWS CLI, or you can create it by editing the file with a text editor. For information about the credentials file format, see AWS Credentials File Format. It can be used to load credentials from credential profiles other than the default one by setting the environment variable AWS_PROFILE to the name of the alternate credential profile. Profiles can be used to load credentials from other sources such as AWS IAM Roles. See AWS Credentials File Format for more details.
  5. Amazon ECS container credentials, loaded from Amazon ECS if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
  6. Instance profile credentials: used on EC2 instances, and delivered through the Amazon EC2 metadata service.

Please refer to the following documentation for additional configuration and credential file settings for the IAM role: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html.

AWS
Jenna_H
Answered 8 months ago
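The following is an added example, not code from the answer above or from the aws-msk-iam-auth project, showing a producer and a consumer that use the four properties from the answer and rely on step 3 of the credential chain (web identity token) for the OIDC case the question asks about. The bootstrap string, topic and group id are placeholders; the check on AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE reflects the environment variables the AWS SDK's web identity credentials provider reads, and the 9098 port is the MSK SASL/IAM listener. It needs kafka-clients and the aws-msk-iam-auth jar on the classpath.

```java
import java.time.Duration;
import java.util.Collections;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.clients.consumer.ConsumerRecord;
import org.apache.kafka.clients.consumer.ConsumerRecords;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.clients.producer.RecordMetadata;
import org.apache.kafka.common.serialization.StringDeserializer;
import org.apache.kafka.common.serialization.StringSerializer;

public class MskIamOidcExample {
    // Placeholders (assumptions): the cluster's IAM bootstrap string and a topic the role may use.
    // MSK exposes SASL/IAM on port 9098.
    private static final String BOOTSTRAP = "b-1.example.kafka.us-east-1.amazonaws.com:9098";
    private static final String TOPIC = "example-topic";

    // The web identity path of the default credential chain (step 3 in the answer) reads these
    // two variables: the role to assume and the file holding the JWT issued by the on-prem IdP.
    // Failing early here gives a clearer error than a SASL handshake failure later.
    static void requireWebIdentityEnv() {
        for (String name : new String[] {"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"}) {
            String value = System.getenv(name);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException(name + " is not set; the default credential chain "
                        + "cannot exchange the OIDC token for role credentials without it");
            }
        }
    }

    // The four properties from the answer, shared by producer and consumer.
    static Properties iamAuthProps() {
        Properties p = new Properties();
        p.put("bootstrap.servers", BOOTSTRAP);
        p.put("security.protocol", "SASL_SSL");
        p.put("sasl.mechanism", "AWS_MSK_IAM");
        p.put("sasl.jaas.config", "software.amazon.msk.auth.iam.IAMLoginModule required;");
        p.put("sasl.client.callback.handler.class",
              "software.amazon.msk.auth.iam.IAMClientCallbackHandler");
        return p;
    }

    static RecordMetadata produceOne(String key, String value)
            throws ExecutionException, InterruptedException {
        Properties p = iamAuthProps();
        p.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        p.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        p.put(ProducerConfig.ACKS_CONFIG, "all");
        try (KafkaProducer<String, String> producer = new KafkaProducer<>(p)) {
            // get() surfaces an authentication or authorization failure as an exception here.
            return producer.send(new ProducerRecord<>(TOPIC, key, value)).get();
        }
    }

    static int consumeBatch(String groupId) {
        Properties p = iamAuthProps();
        p.put(ConsumerConfig.GROUP_ID_CONFIG, groupId);
        p.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class.getName());
        p.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class.getName());
        p.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, "earliest");
        try (KafkaConsumer<String, String> consumer = new KafkaConsumer<>(p)) {
            consumer.subscribe(Collections.singletonList(TOPIC));
            ConsumerRecords<String, String> records = consumer.poll(Duration.ofSeconds(10));
            for (ConsumerRecord<String, String> r : records) {
                System.out.printf("partition=%d offset=%d key=%s value=%s%n",
                        r.partition(), r.offset(), r.key(), r.value());
            }
            return records.count();
        }
    }

    public static void main(String[] args) throws Exception {
        requireWebIdentityEnv();
        RecordMetadata md = produceOne("k1", "hello from an OIDC-federated client");
        System.out.printf("produced to %s-%d@%d%n", md.topic(), md.partition(), md.offset());
        System.out.println("consumed " + consumeBatch("example-group") + " record(s)");
    }
}
```

Because the client code contains no credentials, the only things that change between an on-prem OIDC client, an ECS task and an EC2 instance are which step of the credential chain supplies the session; the role assumed by the OIDC client still needs an IAM policy granting the kafka-cluster actions the producer and consumer use (at least Connect plus the relevant topic and group permissions), as covered in the IAM access control guide linked in the answer.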
