
@piochelepiotr (Contributor) commented Dec 5, 2025

What does this PR do?

Adds support for AWS MSK IAM authentication to the Kafka Consumer integration using SASL/OAUTHBEARER mechanism.

Motivation

Customers using Amazon MSK clusters with IAM authentication were unable to monitor their Kafka infrastructure with the Datadog Agent. Previously, they had to use SASL/SCRAM or mTLS authentication, which requires manual credential management.

This change enables monitoring AWS MSK clusters using IAM roles, providing:

  • No credential management (uses AWS IAM roles automatically)
  • Fine-grained access control via IAM policies
  • Automatic token rotation

Configuration:

    instances:
      - kafka_connect_str: "broker:9098"
        security_protocol: SASL_SSL
        sasl_mechanism: OAUTHBEARER
        sasl_oauth_token_provider:
          method: aws_msk_iam

Implementation:

  • Uses aws-msk-iam-sasl-signer-python to generate AWS IAM tokens
  • OAuth callback provides tokens to confluent-kafka client
  • Fully backwards compatible with existing OIDC configurations
  • Tested end-to-end on real AWS MSK cluster

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

@codecov

codecov bot commented Dec 5, 2025

Codecov Report

❌ Patch coverage is 74.13793% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.02%. Comparing base (8c6c226) to head (d51d7a5).
⚠️ Report is 13 commits behind head on master.


    """OAuth callback that generates AWS MSK IAM authentication tokens."""
    try:
        # Get AWS region from config or detect from environment
        region = boto3.session.Session().region_name or 'us-east-1'

Could this be validated in config.py somehow instead? Defaulting to us-east-1 seems like it could cause subtle failures that are a headache to debug
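The following is an added example, not code from this PR or from the Datadog integration, showing the shape of an OAUTHBEARER callback for confluent-kafka wired to the `aws_msk_iam` config above, with the region validated at configuration time instead of falling back to us-east-1 as the reviewed snippet does. The `aws_region` config key and the injected `sign` function are assumptions for this example; `sign` stands in for `MSKAuthTokenProvider.generate_auth_token` from aws-msk-iam-sasl-signer-python so the code runs offline.

```python
import re
from typing import Callable, Optional, Tuple

# Format sanity check only (e.g. eu-west-1, ap-southeast-2, us-gov-west-1);
# it is not a lookup against the live list of AWS regions.
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def check_msk_iam_config(instance: dict) -> Optional[str]:
    """Return an error message for a bad instance config, or None if usable.
    `aws_region` is a hypothetical key added for this example; the PR's own
    config block only shows `method: aws_msk_iam`.
    """
    if instance.get("security_protocol") != "SASL_SSL":
        return "aws_msk_iam requires security_protocol: SASL_SSL"
    if instance.get("sasl_mechanism") != "OAUTHBEARER":
        return "aws_msk_iam requires sasl_mechanism: OAUTHBEARER"
    provider = instance.get("sasl_oauth_token_provider") or {}
    if provider.get("method") != "aws_msk_iam":
        return "sasl_oauth_token_provider.method must be aws_msk_iam"
    region = provider.get("aws_region")
    if not region:
        # No silent fallback to us-east-1: tokens signed for the wrong region
        # are rejected by the broker, which is hard to trace back to config.
        return "sasl_oauth_token_provider.aws_region must be set explicitly"
    if not _REGION_RE.match(region):
        return f"aws_region {region!r} does not look like an AWS region name"
    return None


def msk_iam_region(instance: dict) -> str:
    """Region to sign tokens for; fails at check-config time, not at first poll."""
    err = check_msk_iam_config(instance)
    if err:
        raise ValueError(err)
    return instance["sasl_oauth_token_provider"]["aws_region"]


def make_oauth_callback(region: str, sign: Callable[[str], Tuple[str, int]]):
    """Build the `oauth_cb` confluent-kafka invokes before each SASL handshake.
    `sign(region)` stands in for MSKAuthTokenProvider.generate_auth_token,
    which returns (token, expiry_ms); it is injected so this runs without AWS
    credentials. confluent-kafka expects (token, expiry_time_in_seconds) back.
    """
    def oauth_cb(_oauth_config: str) -> Tuple[str, float]:
        token, expiry_ms = sign(region)
        return token, expiry_ms / 1000.0
    return oauth_cb
```

Pass `oauth_cb` as the `oauth_cb` client config value together with the `security.protocol` and `sasl.mechanism` settings; librdkafka calls it whenever it needs a fresh token, so the signer's expiry drives rotation.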
