

Merge pull request #184 from sidyag/main
Enables default credential providers to asynchronously refresh credentials.
sidyag authored Jul 11, 2024
2 parents 78ef9d5 + 1b394a6 commit 1560a73
Showing 2 changed files with 17 additions and 17 deletions.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -80,11 +80,13 @@ For more details on SASL/OAUTHBEARER mechanism, please read - [KIP-255](https://
security.protocol=SASL_SSL
# Identifies the SASL mechanism to use.
sasl.mechanism=OAUTHBEARER
# Binds SASL client implementation.
# Binds SASL client implementation. You can add client credential configurations here.
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
# Encapsulates constructing a SigV4 signature based on extracted credentials.
# The SASL client bound by "sasl.jaas.config" invokes this class.
sasl.login.callback.handler.class=software.amazon.msk.auth.iam.IAMOAuthBearerLoginCallbackHandler
# This is used during client authentication and reauthentication
sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMOAuthBearerLoginCallbackHandler
```

This configuration finds IAM credentials using the [AWS Default Credentials Provider Chain][DefaultCreds]. To summarize,
Expand Up @@ -15,20 +15,10 @@
*/
package software.amazon.msk.auth.iam.internals;

import java.net.URI;
import java.time.Duration;
import java.util.concurrent.ExecutionException;
import lombok.AccessLevel;
import lombok.Getter;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
Expand All @@ -51,7 +41,6 @@
import software.amazon.awssdk.core.retry.conditions.MaxNumberOfRetriesCondition;
import software.amazon.awssdk.core.retry.conditions.RetryCondition;
import software.amazon.awssdk.core.retry.conditions.RetryOnExceptionsCondition;
import software.amazon.awssdk.endpoints.Endpoint;
import software.amazon.awssdk.profiles.ProfileFileSupplier;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
Expand All @@ -62,10 +51,19 @@
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

import java.net.URI;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.stream.Collectors;


/**
* This AWS Credential Provider is used to load up AWS Credentials based on options provided on the Jaas config line.
* As as an example
* As an example
* sasl.jaas.config = IAMLoginModule required awsProfileName={profile name};
* The currently supported options are:
* 1. A particular AWS Credential profile: awsProfileName={profile name}
Expand Down Expand Up @@ -157,10 +155,10 @@ protected AwsCredentialsProvider getDefaultProvider() {
return AwsCredentialsProviderChain.of(
EnvironmentVariableCredentialsProvider.create(),
SystemPropertyCredentialsProvider.create(),
WebIdentityTokenFileCredentialsProvider.create(),
ProfileCredentialsProvider.create(),
ContainerCredentialsProvider.builder().build(),
InstanceProfileCredentialsProvider.create()
WebIdentityTokenFileCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build(),
ProfileCredentialsProvider.builder().profileFile(ProfileFileSupplier.defaultSupplier()).build(),
ContainerCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build(),
InstanceProfileCredentialsProvider.builder().asyncCredentialUpdateEnabled(true).build()
);
}

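Review bot: The three providers built with `asyncCredentialUpdateEnabled(true)` in getDefaultProvider start a background refresh task that, per the SDK builder documentation, is only released when the provider is closed, and nothing in this hunk or the rest of the commit shows where the returned chain is closed when the owning login callback handler is discarded. As far as I recall `AwsCredentialsProviderChain.close()` propagates to its members, so a single `close()` on the returned chain would suffice, but that caller sits outside the hunk. The contract should be visible on the method, e.g. a Javadoc line `Returns a chain whose web-identity, container and instance-profile members refresh in the background; callers must close() the returned chain to stop those refresh tasks.` It is also worth noting in that Javadoc that a refresh failure now happens off the calling thread, so it surfaces as stale or missing credentials at the next resolve rather than at construction, which changes what operators see in logs.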
