Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add AWS_IAM SASL protocol #402

Merged
merged 3 commits into from
Jun 24, 2019
Merged

feat: add AWS_IAM SASL protocol #402

merged 3 commits into from
Jun 24, 2019

Conversation

kjdelisle
Copy link
Contributor

Uses the unique UserId of an IAM identity, the Access Key ID,
Secret Access Key and optional Session Token to authorize with a
Kafka broker.

The Kafka broker must also have the SASL/AWS login module
from kafka-auth-aws-iam in order to make use of this auth mode.

@tulios
Copy link
Owner

tulios commented Jun 20, 2019

This is really cool @kjdelisle

Can you add a snippet on how the configuration looks like in the docs?
https://github.com/tulios/kafkajs/blob/master/docs/Configuration.md#-sasl

Something like:

sasl: {
  mechanism: 'aws',
  authorizationIdentity: 'fooMacFoo', // IAM user
  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
}

and maybe a link to https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#iam-user-name-and-password as people usually get confused about where to get these things.

package.json Outdated
@@ -1,6 +1,6 @@
{
"name": "kafkajs",
"version": "1.8.0",
"version": "1.9.0",
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also keep this as 1.8.0? We will bump the version once we release 1.9

Uses the unique UserId of an IAM identity, the Access Key ID,
Secret Access Key and optional Session Token to authorize with a
Kafka broker.

The Kafka broker must also have the SASL/AWS login module
from
[kafka-auth-aws-iam](https://github.com/STACK-Fintech/kafka-auth-aws-iam)
in order to make use of this auth mode.
@kjdelisle
Copy link
Contributor Author

kjdelisle commented Jun 20, 2019

@tulios Sorry that took so long! I was writing up some additional documentation for an edge-case where users would need to trim the caller-specified-role-id from a returned aws:userid, when I realized it would be better if the broker plugin simply handled that case for them.

Once I fixed it, tested it and released it, I came back to rewrite the rest of the documentation here (and hopefully make it a lot easier for users to deal with!)

@Nevon Nevon merged commit 860a54d into tulios:master Jun 24, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants