Compatibility with Pod Identity? #147
Comments
|
Hi. Did you find any fix for this? |
|
nope, but was not looking too hard really |
|
The issue appears to be with the version of the sdk used in this project -- v1 is not supported I'm not very familiar with this space, but based on this commit it looks like the project uses v1.12.638 on the latest release It looks like to support PodIdentity, this project would need to update that 2.21.30 however I have no idea what that entails. |
|
Can you try this with the PR: #157 This updates all the internal usages of Java sdk v1 to v2. |
|
Hello, can this be fixed and release asap ? this is impacting our implementation and we are stuck because of this issue and we are eagerly looking for a solution on this |
Hi @sidyag , sorry for long radio silence, I'll try to see if I can test it soon, although have not done it before without a release I can point my terraform automation at, so will have to research how to do it. |
|
I've noticed that it was merged and see there is version 2.0.3 available now with "Upgrade AWS SKD version" comment (probably should be SDK?) so I gave it a spin today but unfortunately still see the error: WARN Exception loading credentials. Retry Attempts: 0 (software.amazon.msk.auth.iam.internals.MSKCredentialProvider)
aws_msk_iam_auth_shadow.com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [aws_msk_iam_auth_shadow.com.amazonaws.auth.AWSCredentialsProviderChain@17ead63f: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: You must specify a value for roleArn and roleSessionName, software.amazon.msk.auth.iam.internals.EnhancedProfileCredentialsProvider@f94bdf7: Profile file contained no credentials for profile 'default': ProfileFile(sections=[]), aws_msk_iam_auth_shadow.com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@6815eca9: The full URI (http://169.254.170.23/v1/credentials) contained withing environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI has an invalid host. Host should resolve to a loopback address or have the full URI be HTTPS.]]
at aws_msk_iam_auth_shadow.com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:142)
at software.amazon.msk.auth.iam.internals.MSKCredentialProvider.loadCredentialsWithRetry(MSKCredentialProvider.java:158)
at software.amazon.msk.auth.iam.internals.MSKCredentialProvider.getCredentials(MSKCredentialProvider.java:145)
at software.amazon.msk.auth.iam.IAMClientCallbackHandler.handleCallback(IAMClientCallbackHandler.java:100)
at software.amazon.msk.auth.iam.IAMClientCallbackHandler.handle(IAMClientCallbackHandler.java:77)
at software.amazon.msk.auth.iam.internals.IAMSaslClient.generateClientMessage(IAMSaslClient.java:139)
at software.amazon.msk.auth.iam.internals.IAMSaslClient.evaluateChallenge(IAMSaslClient.java:96)
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslToken$1(SaslClientAuthenticator.java:534)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAs(Subject.java:423)
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:534)
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslClientToken(SaslClientAuthenticator.java:433)
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendInitialToken(SaslClientAuthenticator.java:332)
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:273)
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181)
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:571)
at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1381)
at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1312)
at java.base/java.lang.Thread.run(Thread.java:829)although I am definitely using the new library Do I need to change client.properties in any way (or something else) to use it? |
|
although.... I just noticed that the 2.0.3 release date was 17th of Jan.... :/ |
|
ok, got gradle set up and tried to build the newest version cloned but regardless of version used (8.7 or 7.6.4) it fails: 8.7 7.6.4 |
|
Not sure about build fail, as it is passing for me. I am working on running tests, and release. |
|
ok, got it working (installing java-devel helps....) |
|
Hello, |
|
The PRs have been released as part of 2.1.0 Could you try and see if that resolves the issue. |
|
Yes, I can confirm it works fine with 2.1.0! Thank you, closing :) |
|
This issue is now closed. Comments on closed issues are hard for our team to see. |
Is this mechanism also compatible with passing credentials through Pod Identity?
I am testing switching from IRSA to Pod Identity in a K8s cluster and pods which have IRSA configured on them can successfully connect to MSK using this module, whereas each time I try to do it via pod with Pod Identity role, it fails, although I can connect to other services allowed by the IAM role so the mechanism itself works fine.
Is there some specific configuration required for this to work here?
I am a bit at a loss if this is this library problem or kafka's client, but I tried using the newest 3.6.1 from here
https://archive.apache.org/dist/kafka/3.6.1/ alongside with version 2.0.2 of this library and it still throws same errors:
AWS Docs are saying here https://docs.aws.amazon.com/eks/latest/userguide/pod-id-minimum-sdk.html:
"EKS Pod Identities have been added to the Container credential provider which is searched in a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload."
I am wondering if the problem is in:
Would appreciate any hints here.
Thanks
The text was updated successfully, but these errors were encountered: