Unable to switch IAM role for accessing Glue Schema Registry #30
Labels
area/serde
Serialization & Deserialization (plugins)
scope/backend
Related to backend changes
type/enhancement
An enhancement/improvement to an already existing feature
Hello,
With the Amazon MSK Library for AWS Identity and Access Management, it is possible to switch the IAM role for accessing an MSK cluster (https://github.com/aws/aws-msk-iam-auth?tab=readme-ov-file#specifying-an-aws-iam-role-for-a-client):
```
security.protocol=SASL_SSL
sasl.mechanism=AWS_MSK_IAM
#sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;
sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required awsRoleArn="arn:aws:iam::xxxxxx:role/msk_client_role" awsRoleSessionName="test-msk" ;
sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler
```
This is working fine for Kafka access. The permissions that are checked within kafka-ui for listing brokers, topics, ... are the permissions attached to "msk_client_role" (assumed role).
However, this SASL config awsRoleArn has no effect on the serde. The permissions that apply are the ones attached to the logged-in user (AWS credentials authentication chain). Obviously, the SASL config applies only to kafka-ui, not to the serde.
Would it be possible for the serde to specify an IAM role that allows Glue Schema Registry access without having to grant this permission to the user?
Thanks in advance,
Olivier