Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-msk-alpha: Cluster enforces incorrect authentication constraint #32779

Open
1 task
jkahn117 opened this issue Jan 7, 2025 · 2 comments · May be fixed by #31743
Open
1 task

aws-msk-alpha: Cluster enforces incorrect authentication constraint #32779

jkahn117 opened this issue Jan 7, 2025 · 2 comments · May be fixed by #31743
Labels
@aws-cdk/aws-msk Related to Amazon Managed Streaming for Apache Kafka (Amazon MSK) bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@jkahn117
Copy link

jkahn117 commented Jan 7, 2025

Describe the bug

The Cluster construct in the aws-msk-alpha package currently enforces an erroneous authentication constraint on line 499-504.

The current version prevents SCRAM and IAM authentication from being configured at the same time on the cluster. This behavior is incorrect. Amazon MSK allows multiple authentication modes and cluster can be configured in the AWS Console as such (see screenshot).

Screenshot 2025-01-07 at 9 11 55 AM

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Allow MSK cluster to be configured with both IAM and SCRAM auth at the same time.

Current Behavior

Raises an exception stating Only one client authentication method can be enabled.

Reproduction Steps

new msk.Cluster(this, 'KafkaCluster', {
      clusterName: 'test',
      kafkaVersion: msk.KafkaVersion.V3_6_0,
      vpc: props.vpc,
      securityGroups: [ props.securityGroup ],
      encryptionInTransit: {
        clientBroker: msk.ClientBrokerEncryption.TLS,
      },
      clientAuthentication: msk.ClientAuthentication.sasl({
        scram: true,
        iam: true,
      }),
    });

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.174.0 (build 9604329)

Framework Version

No response

Node.js Version

v23.5

OS

MacOs

Language

TypeScript

Language Version

No response

Other information

No response
@jkahn117 jkahn117 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 7, 2025
@github-actions github-actions bot added the @aws-cdk/aws-msk Related to Amazon Managed Streaming for Apache Kafka (Amazon MSK) label Jan 7, 2025
@khushail khushail self-assigned this Jan 7, 2025
@khushail khushail added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 7, 2025
@khushail
Copy link
Contributor

khushail commented Jan 7, 2025

@jkahn117 , Thanks for reaching out. Looks like this article and relevant support was published in Sept 2021 while the code changes were implemented before that(June,2021). There has been no updates/changes after that.

aws-cdk/packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts

Line 503 in 6218f3a

throw Error('Only one client authentication method can be enabled.');

So marking it as P2, which means it won't be immediately addressed by the team but would be on their radar. Community contributions are also welcome.

Thanks.

@khushail khushail added the effort/small Small work item – less than a day of effort label Jan 7, 2025
@khushail khushail removed their assignment Jan 7, 2025
@mazyu36
Copy link
Contributor

mazyu36 commented Jan 8, 2025

PR has already submitted #31743.

@kaizencc kaizencc linked a pull request Jan 9, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-msk Related to Amazon Managed Streaming for Apache Kafka (Amazon MSK) bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(msk): allow both sasl/scram and iam auth msambol/aws-cdk
3 participants
@jkahn117 @mazyu36 @khushail