From 35ca4b94ef0e7fc8b61d8279698e8dbc109095cb Mon Sep 17 00:00:00 2001
From: Siddharth Yagnik
Date: Thu, 11 Jul 2024 09:50:33 +0100
Subject: [PATCH 1/2] Enabling default credential chain to asynchronously refresh credentials
---
 .../iam/internals/MSKCredentialProvider.java | 30 +++++++++----------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
index f25e68d..ee694bf 100644
--- a/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
+++ b/src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java
@@ -15,20 +15,10 @@
  */
 package software.amazon.msk.auth.iam.internals;
-import java.net.URI;
-import java.time.Duration;
-import java.util.concurrent.ExecutionException;
 import lombok.AccessLevel;
 import lombok.Getter;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.stream.Collectors;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
@@ -51,7 +41,6 @@
 import software.amazon.awssdk.core.retry.conditions.MaxNumberOfRetriesCondition;
 import software.amazon.awssdk.core.retry.conditions.RetryCondition;
 import software.amazon.awssdk.core.retry.conditions.RetryOnExceptionsCondition;
-import software.amazon.awssdk.endpoints.Endpoint;
 import software.amazon.awssdk.profiles.ProfileFileSupplier;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.sts.StsClient;
@@ -62,10 +51,19 @@
 import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
 import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;
+import java.net.URI;
+import java.time.Duration;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.ExecutionException;
+import java.util.stream.Collectors;
+
 /**
  * This AWS Credential Provider is used to load up AWS Credentials based on options provided on the Jaas config line.
- * As as an example
+ * As an example
  * sasl.jaas.config = IAMLoginModule required awsProfileName={profile name};
  * The currently supported options are:
  * 1. A particular AWS Credential profile: awsProfileName={profile name}
@@ -157,10 +155,10 @@ protected AwsCredentialsProvider getDefaultProvider() {
 return AwsCredentialsProviderChain.of(
 EnvironmentVariableCredentialsProvider.create(),
 SystemPropertyCredentialsProvider.create(),
-WebIdentityTokenFileCredentialsProvider.create(),
-ProfileCredentialsProvider.create(),
-ContainerCredentialsProvider.builder().build(),
-InstanceProfileCredentialsProvider.create()
+WebIdentityTokenFileCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build(),
+ProfileCredentialsProvider.builder().profileFile(ProfileFileSupplier.defaultSupplier()).build(),
+ContainerCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build(),
+InstanceProfileCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build()
 );
 }
From 1b394a611fdb798268f48e76e6f0e1bee7c11893 Mon Sep 17 00:00:00 2001
From: Siddharth Yagnik
Date: Thu, 11 Jul 2024 09:50:53 +0100
Subject: [PATCH 2/2] Updating documentation to enable OAUTHBEARER to reauthenticate properly.
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 65f0a4a..d7a0903 100644
--- a/README.md
+++ b/README.md
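Review bot: The three providers now built with `asyncCredentialUpdateEnabled(true)` each start a background refresh thread, so the chain returned by getDefaultProvider() owns threads that are only released when the chain is closed, and nothing in this hunk shows that close path; if MSKCredentialProvider builds a fresh chain per login (for example on every SASL reauthentication) without closing the previous one, those threads accumulate in long-lived clients. Please confirm that the class's own close() delegates to this chain (AwsCredentialsProviderChain.close() closes its member providers, as far as I recall) and state the contract on the method, e.g. `// Async providers spawn refresh threads; the returned chain must be close()d.`. Switching ProfileCredentialsProvider to `ProfileFileSupplier.defaultSupplier()` is a behaviour change beyond the commit title (the profile file is re-read when it changes rather than read once) and deserves its own one-line comment. getDefaultProvider()'s signature and any surrounding members lie outside the hunk.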
@@ -80,11 +80,13 @@ For more details on SASL/OAUTHBEARER mechanism, please read - [KIP-255](https://
 security.protocol=SASL_SSL
 # Identifies the SASL mechanism to use.
 sasl.mechanism=OAUTHBEARER
-# Binds SASL client implementation.
+# Binds SASL client implementation. You can add client credential configurations here.
 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
 # Encapsulates constructing a SigV4 signature based on extracted credentials.
 # The SASL client bound by "sasl.jaas.config" invokes this class.
 sasl.login.callback.handler.class=software.amazon.msk.auth.iam.IAMOAuthBearerLoginCallbackHandler
+# This is used during client authentication and reauthentication
+sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMOAuthBearerLoginCallbackHandler
 ```
 This configuration finds IAM credentials using the [AWS Default Credentials Provider Chain][DefaultCreds]. To summarize,