@sklochkov sklochkov commented Aug 1, 2025

This patch lets Burrow talk to Amazon MSK clusters that enforce IAM
(SASL/OAUTHBEARER) over TLS, without sidecars or external proxies.

Highlights

  • New config sections

    • [iam.*] — region, optional role-arn / profile
    • iam = "<name>" key in [client-profile.*] to activate IAM auth
    • Sample added to examples/burrow.toml
  • Helpers

    • iam.go – wraps aws-msk-iam-sasl-signer-go v1.0.4 and implements
      sarama.AccessTokenProvider
    • sarama.go – extends GetSaramaConfigFromClientProfile to:
      • validate iam.* block
      • auto-enable SASLTypeOAuth
      • inject the token provider
      • enforce TLS when IAM is present
  • New dependency

    • github.com/aws/aws-msk-iam-sasl-signer-go → v1.0.4
  • Unit tests

    • 100 % coverage for iam.go; signer calls are stubbed.
  • Docs

    • docs/msk-iam.md – overview, IAM policy snippets, EKS Pod-Identity notes
    • examples/burrow.toml – ready-to-run config with TLS + IAM listener (9098)

Compatibility

  • Existing TLS/SCRAM/PLAINTEXT profiles continue to work unchanged.
  • Burrow panics early if iam.* is used without TLS or region.

@sklochkov sklochkov requested a review from bai as a code owner August 1, 2025 15:33
In order to implement the IAM auth mechanism for Burrow, the following changes
were required.

* The iamTokenProvider struct has been implemented to hold the iam parameters
  provided in the toml configuration file.
* A helper function which leverages the aws-msk-iam-sasl-signer-go/signer
  methods in order to generate the auth token has been provided.
* The token is being assigned to the saramaConfig.Net.SASL structure.

Document TLS+IAM configuration

* tls-iam.md contains a description of the IAM implementation and
  configuration.
* Added a commented section to config/burrow.toml which provides an IAM
  configuration example.
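
Added example, not part of the pull request or of Burrow's code: the fail-closed check from the Compatibility notes (no IAM without TLS or region) combined with the token provider from the commit message, using only the Go standard library. The type names, the `SignFunc` stand-in for the signer library, and the sample values are assumptions; errors are returned here where the description says Burrow panics.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types mirroring the PR's config keys; not Burrow's own structs.
type IAMConfig struct{ Region, RoleARN, Profile string }

type ClientProfile struct{ TLS, IAM string } // names of [tls.*] / [iam.*] sections

// SignFunc stands in for the signer library so the example runs offline.
type SignFunc func(cfg IAMConfig) (string, error)

// TokenProvider supplies the bearer token for SASL/OAUTHBEARER.
type TokenProvider struct {
	cfg  IAMConfig
	sign SignFunc
}

func (p *TokenProvider) Token() (string, error) { return p.sign(p.cfg) }

// NewIAMProvider fails closed: no provider is built unless the referenced
// iam section exists, names a region, and the profile also enables TLS.
func NewIAMProvider(cp ClientProfile, iam map[string]IAMConfig, sign SignFunc) (*TokenProvider, error) {
	if cp.IAM == "" {
		return nil, nil // IAM not requested; other auth modes are unaffected
	}
	cfg, ok := iam[cp.IAM]
	switch {
	case !ok:
		return nil, fmt.Errorf("iam section %q is not defined", cp.IAM)
	case cfg.Region == "":
		return nil, fmt.Errorf("iam section %q has no region", cp.IAM)
	case cp.TLS == "":
		return nil, errors.New("iam auth without TLS would send the bearer token in cleartext")
	}
	return &TokenProvider{cfg: cfg, sign: sign}, nil
}

func main() {
	iam := map[string]IAMConfig{"msk": {Region: "us-east-1"}} // constructed sample
	stub := func(c IAMConfig) (string, error) { return "stub-token-" + c.Region, nil }
	for _, cp := range []ClientProfile{{TLS: "msk-tls", IAM: "msk"}, {IAM: "msk"}, {TLS: "msk-tls", IAM: "nope"}} {
		p, err := NewIAMProvider(cp, iam, stub)
		fmt.Printf("%+v -> provider=%v err=%v\n", cp, p != nil, err)
	}
}
```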
@bai bai merged commit c68689d into linkedin:master Aug 14, 2025
1 check passed
bai commented Aug 14, 2025

Thank you!
