The project is in a healthy, maintained state
MSK Library in Ruby for SASL/OAUTHBEARER Auth
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

 Project Readme

aws-msk-iam-sasl-signer

Gem Version Gem Downloads GitHub Workflow Status Code Climate maintainability

This is an Amazon MSK Library in Ruby. This library provides a function to generates a base 64 encoded signed url to enable authentication/authorization with an MSK Cluster. The signed url is generated by using your IAM credentials.

Features

  • Provides a function to generate auth token using IAM credentials from the AWS default credentials chain.
  • Provides a function to generate auth token using IAM credentials from the AWS named profile.
  • Provides a function to generate auth token using assumed IAM role’s credentials.

  • Quick start
  • Support
  • License
  • Code of conduct
  • Contribution guide

Get Started

Installation

To install aws-msk-iam-sasl-signer-ruby, run this command in your terminal. This is the preferred method to install aws-msk-iam-sasl-signer-ruby, as it will always install the most recent stable release.

gem install aws-msk-iam-sasl-signer

Examples

In order to use a named profile to generate the token, replace the generate_auth_token function with code below:

  signer = AwsMskIamSaslSigner::MSKTokenProvider.new(region: 'us-east-1')
  auth_token = signer.generate_auth_token_from_profile(
    aws_profile: 'my-profile'
  )

In order to use a role arn to generate the token, replace the generate_auth_token function with code below:

    signer = AwsMskIamSaslSigner::MSKTokenProvider.new(region: 'us-east-1')
    auth_token = signer.generate_auth_token_from_role_arn(
        role_arn: 'arn:aws:iam::1234567890:role/my-role'
    )

In order to use a custom credentials provider, replace the generate_auth_token function with code below :

    signer = AwsMskIamSaslSigner::MSKTokenProvider.new(region: 'us-east-1')
    auth_token = signer.generate_auth_token_from_credentials_provider(
      'your-credentials-provider'
    )

Running tests

You can run tests in the currently configured Ruby version using rake. By default, it will run all the unit tests.

bundle exec rake test

To fix lint issues, run rubocop.

bundle exec rubocop -x

Code Climate

This project uses code climate to maintain code quality. Code Climate will be run on every pull request and will fail if the code quality is not maintained. Code climate can be run locally using the command below.

bundle exec rake codeclimate

CLI

You can generate a signed url using the CLI.

bundle exec signer --help               
Commands:
  signer generate                                         # Generate a token using credential provider chain
  signer generate-from-profile --aws-profile=AWS_PROFILE  # Generate a token using aws profile
  signer generate-from-role-arn --role-arn=ROLE_ARN       # Generate a token using role arn
  signer help [COMMAND]                                   # Describe available commands or one specific command

TroubleShooting

Finding out which identity is being used

When using the token to authenticate against an MSK cluster, you may receive an Access denied error. There may be some doubt as to which credential is being exactly used. The credential may be sourced from a role ARN, EC2 instance profile, credential profile etc. When calling generate_auth_token, you can set aws_debug argument to true.

MSKAuthTokenProvider.generate_auth_token(aws_debug: true)

generate_auth_token will return a third value, the caller identity:

auth_token = MSKAuthTokenProvider.generate_auth_token(aws_debug: true)
puts "Caller identity: #{auth_token.caller_identity}"

Support

If you want to report a bug, or have ideas, feedback or questions about the gem, let me know via GitHub issues and I will do my best to provide a helpful answer. Happy hacking!

License

The gem is available as open source under the terms of the MIT License.

Code of conduct

Everyone interacting in this project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

Contribution guide

Pull requests are welcome!

Releasing

  • create PR with version change
  • bump version in lib/aws-msk-iam-sasl-signer/version.rb
  • approve and merge
git checkout main
git pull origin main
VERSION="v$(grep -o 'VERSION = "[^"]*' lib/aws-msk-iam-sasl-signer/version.rb | grep -o '[^"]*$')"
git tag -a ${VERSION} -m "${VERSION}"
git push origin ${VERSION}