Skip to content

Commit 5f5a1d6

Browse files
aws: msk_iam: pass TLS context to credential provider chain
The MSK IAM OAUTHBEARER callback created its AWS credential provider chain with a NULL TLS context: flb_standard_chain_provider_create(config->flb_config, NULL, ...) The provider chain reaches AWS endpoints over HTTPS - in particular the STS AssumeRoleWithWebIdentity call used by IRSA (IAM Roles for Service Accounts) on EKS. With no TLS context that call cannot connect, and the chain silently falls back to the EC2 instance metadata service, picking up the node role instead of the pod's IRSA role. The MSK token is then signed with the wrong principal and the broker rejects it with "SASL authentication error: Access denied", making IRSA unusable with native aws_msk_iam. Create a dedicated TLS instance (verifying peers against the system trust store, as the other AWS plugins do) for each credential provider and tear it down together with the provider. A separate instance is used at each provider-creation site since TLS instances cannot be shared between providers. Fixes #11255 Signed-off-by: James Carpenter <james@james-carpenter.net>
1 parent 2da48de commit 5f5a1d6

1 file changed

Lines changed: 43 additions & 9 deletions

File tree

src/aws/flb_aws_msk_iam.c

Lines changed: 43 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@
3030
#include <fluent-bit/aws/flb_aws_msk_iam.h>
3131

3232
#include <fluent-bit/flb_signv4.h>
33+
#include <fluent-bit/tls/flb_tls.h>
3334
#include <rdkafka.h>
3435

3536
#include <stdio.h>
@@ -167,6 +168,7 @@ static flb_sds_t build_msk_iam_payload(struct flb_aws_msk_iam *config,
167168
const char *host)
168169
{
169170
struct flb_aws_provider *temp_provider = NULL;
171+
struct flb_tls *cred_tls = NULL;
170172
struct flb_aws_credentials *creds = NULL;
171173
flb_sds_t payload = NULL;
172174
int encode_result;
@@ -217,14 +219,30 @@ static flb_sds_t build_msk_iam_payload(struct flb_aws_msk_iam *config,
217219
flb_info("[aws_msk_iam] build_msk_iam_payload: generating payload for host: %s, region: %s",
218220
host, config->region);
219221

222+
/*
223+
* The credential provider chain reaches AWS endpoints over HTTPS (STS for
224+
* IRSA/AssumeRoleWithWebIdentity, the EC2/ECS metadata services, ...), so it
225+
* requires its own TLS context. Passing NULL here makes the STS call fail on
226+
* EKS and silently fall back to the node instance role, signing the MSK token
227+
* with the wrong principal (see fluent/fluent-bit#11255).
228+
*/
229+
cred_tls = flb_tls_create(FLB_TLS_CLIENT_MODE,
230+
FLB_TRUE, /* verify peer */
231+
FLB_FALSE, /* debug */
232+
NULL, NULL, NULL, NULL, NULL, NULL);
233+
if (!cred_tls) {
234+
flb_error("[aws_msk_iam] build_msk_iam_payload: failed to create TLS context for credentials");
235+
return NULL;
236+
}
237+
220238
/* Create AWS provider on-demand */
221-
temp_provider = flb_standard_chain_provider_create(config->flb_config, NULL,
239+
temp_provider = flb_standard_chain_provider_create(config->flb_config, cred_tls,
222240
config->region, NULL, NULL,
223241
flb_aws_client_generator(),
224242
NULL);
225243
if (!temp_provider) {
226244
flb_error("[aws_msk_iam] build_msk_iam_payload: failed to create AWS credentials provider");
227-
return NULL;
245+
goto error;
228246
}
229247

230248
if (temp_provider->provider_vtable->init(temp_provider) != 0) {
@@ -553,6 +571,9 @@ static flb_sds_t build_msk_iam_payload(struct flb_aws_msk_iam *config,
553571
if (temp_provider) {
554572
flb_aws_provider_destroy(temp_provider);
555573
}
574+
if (cred_tls) {
575+
flb_tls_destroy(cred_tls);
576+
}
556577

557578
return payload;
558579

@@ -600,6 +621,9 @@ static flb_sds_t build_msk_iam_payload(struct flb_aws_msk_iam *config,
600621
if (temp_provider) {
601622
flb_aws_provider_destroy(temp_provider);
602623
}
624+
if (cred_tls) {
625+
flb_tls_destroy(cred_tls);
626+
}
603627

604628
return NULL;
605629
}
@@ -623,6 +647,7 @@ static void oauthbearer_token_refresh_cb(rd_kafka_t *rk,
623647
struct flb_aws_credentials *creds = NULL;
624648
struct flb_kafka_opaque *kafka_opaque;
625649
struct flb_aws_provider *temp_provider = NULL;
650+
struct flb_tls *cred_tls = NULL;
626651
(void) oauthbearer_config;
627652

628653
kafka_opaque = (struct flb_kafka_opaque *) opaque;
@@ -673,13 +698,19 @@ static void oauthbearer_token_refresh_cb(rd_kafka_t *rk,
673698
}
674699

675700
/* Get credentials for principal (create temporary provider just for this) */
676-
temp_provider = flb_standard_chain_provider_create(config->flb_config, NULL,
677-
config->region, NULL, NULL,
678-
flb_aws_client_generator(),
679-
NULL);
680-
if (temp_provider) {
681-
if (temp_provider->provider_vtable->init(temp_provider) == 0) {
682-
creds = temp_provider->provider_vtable->get_credentials(temp_provider);
701+
cred_tls = flb_tls_create(FLB_TLS_CLIENT_MODE,
702+
FLB_TRUE, /* verify peer */
703+
FLB_FALSE, /* debug */
704+
NULL, NULL, NULL, NULL, NULL, NULL);
705+
if (cred_tls) {
706+
temp_provider = flb_standard_chain_provider_create(config->flb_config, cred_tls,
707+
config->region, NULL, NULL,
708+
flb_aws_client_generator(),
709+
NULL);
710+
if (temp_provider) {
711+
if (temp_provider->provider_vtable->init(temp_provider) == 0) {
712+
creds = temp_provider->provider_vtable->get_credentials(temp_provider);
713+
}
683714
}
684715
}
685716

@@ -710,6 +741,9 @@ static void oauthbearer_token_refresh_cb(rd_kafka_t *rk,
710741
if (temp_provider) {
711742
flb_aws_provider_destroy(temp_provider);
712743
}
744+
if (cred_tls) {
745+
flb_tls_destroy(cred_tls);
746+
}
713747

714748
if (payload) {
715749
flb_sds_destroy(payload);

0 commit comments

Comments
 (0)