Skip to content

Add AWS MSK IAM + TLS authentication support #850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 14, 2025
Merged

Add AWS MSK IAM + TLS authentication support #850

merged 1 commit into from
Aug 14, 2025

Conversation

@sklochkov
Copy link
Contributor

@sklochkov sklochkov commented Aug 1, 2025
edited
Loading

This patch lets Burrow talk to Amazon MSK clusters that enforce IAM
(SASL/OAUTHBEARER) over TLS, without sidecars or external proxies.

Highlights

  • New config sections

    • [iam.*] — region, optional role-arn / profile
    • iam = "<name>" key in [client-profile.*] to activate IAM auth
    • Sample added to examples/burrow.toml

  • Helpers

    • iam.go – wraps aws-msk-iam-sasl-signer-go v1.0.4 and implements
      sarama.AccessTokenProvider
    • sarama.go – extends GetSaramaConfigFromClientProfile to:
      • validate iam.* block
      • auto-enable SASLTypeOAuth
      • inject the token provider
      • enforce TLS when IAM is present

  • New dependency

    • github.com/aws/aws-msk-iam-sasl-signer-go → v1.0.4

  • Unit tests

    • 100 % coverage for iam.go; signer calls are stubbed.

  • Docs

    • docs/msk-iam.md – overview, IAM policy snippets, EKS Pod-Identity notes
    • examples/burrow.toml – ready-to-run config with TLS + IAM listener (9098)

Compatibility

  • Existing TLS/SCRAM/PLAINTEXT profiles continue to work unchanged.
  • Burrow panics early if iam.* is used without TLS or region.

@sklochkov sklochkov requested a review from bai as a code owner August 1, 2025 15:33
@sklochkov
Implement AWS IAM auth for Burrow
41c5257 
In order to implement the IAM auth mechanism for Burrow, the following changes
were required.

* The iamTokenProvider struct has been implemented to hold the iam parameters
  provided in the toml configuration file.
* A helper function which leverages the aws-msk-iam-sasl-signer-go/signer
  methods in order to generate the auth token has been provided.
* The token is being assigned to the saramaConfig.Net.SASL structure.

Document TLS+IAM configuration

* tls-iam.md contains a description of the IAM implementation and
  configuration.
* Added a commented section to config/burrow.toml which provides a IAM
  configuration example.
@bai bai merged commit c68689d into linkedin:master Aug 14, 2025
1 check passed
@bai
Copy link
Collaborator

bai commented Aug 14, 2025

Thank you!

@BrewTestBot BrewTestBot mentioned this pull request Oct 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bai bai Awaiting requested review from bai bai is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sklochkov @bai