# KafkaMskAuth
`kafka_msk_auth` is an authentication plugin for `brod` and `broadway_kafka`. It enables Broadway Kafka clients to authenticate with Amazon's Managed Streaming for Apache Kafka(Amazon MSK) via [AWS_MSK_IAM](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html) SASL mechanism as well as [OAuthBearer](https://docs.confluent.io/platform/current/security/authentication/sasl/oauthbearer/overview.html).
This code is heavily based upon [`ex_aws_msk_iam_auth`](https://github.com/BigThinkcode/ex_aws_msk_iam_auth/) but was extended to support the OAUTHBEARER auth mechanism as well as role based auth.
## Installation
Add the following dependency to your `mix.exs`
```elixir
def deps do
[
{:kafka_msk_auth, "~> 0.1.0"}
]
end
```
## Usage
Broadway Kafka supports connecting to Kafka broker via SASL authentication. The following sample configuration shows how `kafka_msk_auth` plugin can be used with it.
Ref: https://hexdocs.pm/broadway_kafka/BroadwayKafka.Producer.html#module-client-config-options
```elixir
client_config: [
sasl:
{
:callback,
KafkaMskAuth.MskIamAuth,
{:MSK_IAM_AUTH, %{access_key_id: "AWS_ACCESS_KEY_ID", secret_access_key: "AWS_SECRET_ACCESS_KEY"}}
},
ssl: true
]
```
## Background
### Broadway Kafka and brod
[Broadway Kafka](https://github.com/dashbitco/broadway_kafka) is a Kafka Connector for [Broadway](https://github.com/dashbitco/broadway) - an Elixir library to build concurrent, multi-stage data ingestion/processing pipelines with Elixir.
Broadway Kafka is an amalgamation of awesome features from Broadway with Kafka as a producer. Internally, it uses [brod](https://github.com/kafka4beam/brod) as its Kafka client acting as a wrapper. Brod supports `SASL PLAIN`, `SCRAM-SHA-256` and `SCRAM-SHA-512` authentication mechanisms out of the box and also offers extension points to support custom [authentication plugins](https://github.com/kafka4beam/brod#authentication-support).
### AWS MSK Authentication Mechanisms
MSK supports two variants - MSK Fully Managed and MSK Serverless. In both the variants, Kafka service can be protected via SASL, in particular, AWS's custom SASL mechanism AWS_MSK_IAM(https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html). At the time of writing this library, MSK's Serverless variant's only supported authentication was AWS_MSK_IAM SASL mechanism.
### Solution Diagram
![Solution Diagram](solution.png)
### Implementation
This library takes inspiration from its Java counterpart [aws-msk-iam-auth](https://github.com/aws/aws-msk-iam-auth)
### Relevant Issues/PRs
1. https://github.com/dashbitco/broadway_kafka/issues/82
2. https://github.com/dashbitco/broadway_kafka/pull/85
3. https://github.com/aws-beam/aws_signature/issues/14