Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to use regional sts endpoint when running on KDA app #118

Closed
menuetb opened this issue Apr 27, 2023 · 9 comments
Closed

Unable to use regional sts endpoint when running on KDA app #118

menuetb opened this issue Apr 27, 2023 · 9 comments

Comments

@menuetb
Copy link
Contributor

menuetb commented Apr 27, 2023

I'm writing a KDA application that needs to read data from an MSK cluster in another account.
The VPC does not have internet access.
I set up a regional endpoint for STS in my VPC.
The MSK cluster uses IAM authentication and the set up of the cross account trust policy is done.

Here is the conf for my aws-msk-iam-auth client:

.setProperty("security.protocol", "SASL_SSL")
.setProperty("sasl.mechanism", "AWS_MSK_IAM")
.setProperty("sasl.jaas.config", "software.amazon.msk.auth.iam.IAMLoginModule required awsStsRegion=\""+ defaultRegion + "\" awsRoleArn=\""+ roleArn +"\" awsRoleSessionName=\"consumer\";")
.setProperty("sasl.client.callback.handler.class", "software.amazon.msk.auth.iam.IAMClientCallbackHandler")

I see in the logs that the client is not trying to use the regional endpoint that I configured but that he is still trying to use the global endpoint.

Caused by: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/52.119.198.216] failed: connect timed out

So I can't use STS with an MSK app in a VPC without an internet connection.

menuetb added a commit to menuetb/aws-msk-iam-auth that referenced this issue Apr 27, 2023
@cnukwas
Copy link

cnukwas commented May 2, 2023

I am running into very same issue though the documentation states that IAM java code should use the regional STS endpoint with MirrorMaker2 and MSK Connect to replicate Kafka data from one cluster to another.
Did you find any workaround for this issue since creating a interface endpoint for sts doesn't seem to be helping?

Thanks

@menuetb
Copy link
Contributor Author

menuetb commented May 2, 2023

The first things to try is to follow https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
and set

[default]
sts_regional_endpoints = regional

If you can't (it was my case with KDA), I created a PR with a fix: #119 we need to wait for it to be merged.

@cnukwas
Copy link

cnukwas commented May 2, 2023

Thank you @menuetb for the response. I am using MSK Connect and I don't know if there is an option to set sts_regional_endpoints = regional in the properties though I have set the region and rolearn as below.

target.cluster.producer.sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required awsRoleArn="arn:aws:iam::xxxyyyzzz:role/msk-access-test" awsDebugCreds=true awsStsRegion="ca-central-1";

hhkkxxx133 pushed a commit to hhkkxxx133/aws-msk-iam-auth that referenced this issue Aug 17, 2023
- Revert "Remove formatting"
  This reverts commit 45be4a5.
- Revert "use API to get ServiceEndpoint"
  This reverts commit e68c800.
- Revert "add tests & remove unnesseray import"
  This reverts commit 8f735c0.
- Revert "Update MSKCredentialProvider.java"
  This reverts commit 34d68b2.
- Revert "Add support for STS Regional Endpoint (aws#118)"
  This reverts commit ed0027f.
@hhkkxxx133
Copy link
Contributor

hhkkxxx133 commented Aug 18, 2023

We are reverting the commits in #136 as we are seeing the following issue where passing only awsRoleArn to Jaas config without using an overrided awsStsRegion.

An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: Failed to find AWS IAM Credentials [Caused by aws_msk_iam_auth_shadow.com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Credential should be scoped to a valid region. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: 14905a5d-2bf2-4ff1-976a-c7d7ca5b9a02; Proxy: null)]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.) (org.apache.kafka.common.network.Selector)

@plazma-prizma
Copy link
Contributor

We also have this PR, are they related? #37

@menuetb
Copy link
Contributor Author

menuetb commented Oct 25, 2023

No, this PR #37 is useful if you can set the environment variable AWS_STS_REGIONAL_ENDPOINTS. In services such as Managed Service for Apache Flink we cant set this environment variable

@agodwinflut
Copy link

agodwinflut commented Nov 15, 2023

FWIW this also affects Scala Spark jobs on Glue.

Also, although only slightly related, the recently released MSK IAM library for Python has exactly the same problem. So pyflink and pyspark on Glue do not work with IAM and VPC endpoints for the same reason.

@hhkkxxx133 I think I can see why the error you mentioned was happening.

If the region parameter is not set, it defaults to "aws-global". But:

new EndpointConfiguration("sts.amazonaws.com", "aws-global")

is not valid, hence the error message: "Credential should be scoped to a valid region"

I think the logic is in the wrong place, the decision should happen when the STS client is constructed, something like:

AWSSecurityTokenServiceClientBuilder stsClientBuilder = AWSSecurityTokenServiceClientBuilder.standard();
if ("aws-global".equals(stsRegion)) {
    stsClientBuilder.setRegion(stsRegion);  // this is the existing behaviour
} else {
    stsClientBuilder.setEndpointConfiguration(
        new EndpointConfiguration(String.format("sts.%s.amazonaws.com", stsRegion), stsRegion)
    );
}
AWSSecurityTokenService stsClient = stsClientBuilder.build();

Alternatively, a separate parameter in the jaas config could be used, eg awsStsEndpoint. in some ways I think I prefer this second approach, because it makes very clear the intent of the user is to override the endpoint configuration.

I can submit a PR, if either of these approaches are OK?

Andy

@sidyag
Copy link
Contributor

sidyag commented Dec 5, 2023

Thank you for the comment. This indeed fixed the issue we were having. I have merged the change already. Closing the issue.

@sidyag sidyag closed this as completed Dec 5, 2023
Copy link

github-actions bot commented Dec 5, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants