AWS IAM

How to configure AWS IAM Authentication

Kafbat UI comes with a built-in aws-msk-iam-auth library.

You could pass SASL configs in the properties section for each cluster.

More details could be found here: aws-msk-iam-auth

More about permissions: MSK (+Serverless) Setup

Authentication Options

AWS profile-based authentication (awsProfileName)
IAM Role-based authentication (awsRoleArn with optional session config)

Examples:

Please replace

<KAFKA_URL> with broker list
<PROFILE_NAME> with your AWS profile
<ROLE_ARN> with the AWS IAM Role ARN
<SESSION_NAME> with a custom role session name (optional)
<STS_REGION> with the AWS region for STS (optional)

Running From Docker Image

Using awsProfileName:

docker run -p 8080:8080 \
    -e KAFKA_CLUSTERS_0_NAME=local \
    -e KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=<KAFKA_URL> \
    -e KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL \
    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=AWS_MSK_IAM \
    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_CLIENT_CALLBACK_HANDLER_CLASS=software.amazon.msk.auth.iam.IAMClientCallbackHandler \
    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG='software.amazon.msk.auth.iam.IAMLoginModule required awsProfileName="<PROFILE_NAME>";' \
    -d ghcr.io/kafbat/kafka-ui

Using awsRoleArn and optional fields:

docker run -p 8080:8080 \
    -e KAFKA_CLUSTERS_0_NAME=local \
    -e KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=<KAFKA_URL> \
    -e KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL \
    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=AWS_MSK_IAM \
    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_CLIENT_CALLBACK_HANDLER_CLASS=software.amazon.msk.auth.iam.IAMClientCallbackHandler \
    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG='software.amazon.msk.auth.iam.IAMLoginModule required awsRoleArn="<ROLE_ARN>" awsRoleSessionName="<SESSION_NAME>" awsStsRegion="<STS_REGION>";' \
    -d ghcr.io/kafbat/kafka-ui

Configuring by application.yaml

Using awsProfileName:

kafka:
  clusters:
    - name: local
      bootstrapServers: <KAFKA_URL>
      properties:
        security.protocol: SASL_SSL
        sasl.mechanism: AWS_MSK_IAM
        sasl.client.callback.handler.class: software.amazon.msk.auth.iam.IAMClientCallbackHandler
        sasl.jaas.config: software.amazon.msk.auth.iam.IAMLoginModule required awsProfileName="<PROFILE_NAME>";

Using awsRoleArn and optional fields:

kafka:
  clusters:
    - name: local
      bootstrapServers: <KAFKA_URL>
      properties:
        security.protocol: SASL_SSL
        sasl.mechanism: AWS_MSK_IAM
        sasl.client.callback.handler.class: software.amazon.msk.auth.iam.IAMClientCallbackHandler
        sasl.jaas.config: software.amazon.msk.auth.iam.IAMLoginModule required awsRoleArn="<ROLE_ARN>" awsRoleSessionName="<SESSION_NAME>" awsStsRegion="<STS_REGION>";

PreviousFor Kafka NextSASL_SCRAM

Last updated 7 months ago

Was this helpful?

hashtagAuthentication Options

hashtagExamples:

hashtagRunning From Docker Image

hashtagConfiguring by application.yaml

Authentication Options

Examples:

Running From Docker Image

Configuring by application.yaml