@rodrigo-molina rodrigo-molina commented Mar 26, 2025

Problem

AWS IAM roles for service accounts (IRSA) is a recommended approach for applications such as Kubernetes to authenticate with AWS services without managing static credentials.

From AWS's docs:

In 2014, AWS Identity and Access Management added support for federated identities using OpenID Connect (OIDC). This feature allows you to authenticate AWS API calls with supported identity providers and receive a valid OIDC JSON web token (JWT). You can pass this token to the AWS STS AssumeRoleWithWebIdentity API operation and receive IAM temporary role credentials. You can use these credentials to interact with any AWS service.

Solution

Introduce io.confluent.connect.s3.auth.AwsWebIdentityTokenCredentialsProvider which can be set using the s3.credentials.provider.class connector property.

This provider is a wrapper around AWS’s native WebIdentityTokenCredentialsProvider, similar to how AwsAssumeRoleCredentialsProvider is implemented. It enables configuring IRSA credentials directly via connector properties.

AwsWebIdentityTokenCredentialsProvider configuration properties:

  • irsa.role.arn: Role ARN to use when starting a session.
  • irsa.session.name: Role session name to use when starting a session.
  • irsa.token.file: Path to the web identity token file.

Does this solution apply anywhere else?
  • yes
  • no
If yes, where?

Any connector that supports instances of AWSCredentialsProvider and Configurable in its configurations.

Test Strategy

The Confluent S3 Sink connector allows custom AWS credential providers via configuration. We have tested this change by deploying a JAR containing the proposed class and using it within the connector's classpath (confluentinc-kafka-connect-avro-converter-7.8.0/lib).

Testing done:
  • Unit tests
  • Integration tests
  • System tests
  • Manual tests

Release Plan

This change has no external release dependencies.

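As an added illustration (not the code submitted in this PR or shipped by the connector), the sketch below shows the shape such a wrapper takes: an AWSCredentialsProvider that also implements Kafka's Configurable, reads the three irsa.* properties, and delegates to the AWS SDK v1 WebIdentityTokenCredentialsProvider. The builder method names roleArn, roleSessionName and webIdentityTokenFile, the fail-fast token-file check and the required() helper are my assumptions, not something the PR states.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigException;

// Illustrative IRSA provider (added example, not the PR's code): reads the three irsa.* connector
// properties and delegates to the SDK's WebIdentityTokenCredentialsProvider, which exchanges the
// projected service-account token for temporary role credentials via STS AssumeRoleWithWebIdentity.
public class AwsWebIdentityTokenCredentialsProvider implements AWSCredentialsProvider, Configurable {
  public static final String ROLE_ARN_CONFIG = "irsa.role.arn";
  public static final String SESSION_NAME_CONFIG = "irsa.session.name";
  public static final String TOKEN_FILE_CONFIG = "irsa.token.file";
  private volatile WebIdentityTokenCredentialsProvider delegate;

  @Override
  public void configure(Map<String, ?> configs) {
    String tokenFile = required(configs, TOKEN_FILE_CONFIG);
    // Fail at connector start if the token file is absent, not at the first S3 write.
    if (!Files.isReadable(Paths.get(tokenFile))) {
      throw new ConfigException(TOKEN_FILE_CONFIG, tokenFile, "web identity token file is not readable");
    }
    // Builder method names are an assumption about the AWS SDK v1 API (see lead-in).
    delegate = WebIdentityTokenCredentialsProvider.builder()
        .roleArn(required(configs, ROLE_ARN_CONFIG))
        .roleSessionName(required(configs, SESSION_NAME_CONFIG))
        .webIdentityTokenFile(tokenFile)
        .build();
  }
  @Override
  public AWSCredentials getCredentials() {
    if (delegate == null) throw new IllegalStateException("configure() must be called first");
    return delegate.getCredentials(); // the SDK caches and refreshes the temporary credentials
  }
  @Override
  public void refresh() {
    if (delegate != null) delegate.refresh();
  }
  private static String required(Map<String, ?> configs, String key) {
    Object value = configs.get(key);
    if (value == null || value.toString().trim().isEmpty()) {
      throw new ConfigException(key, value, "must be set for AwsWebIdentityTokenCredentialsProvider");
    }
    return value.toString().trim();
  }
}
```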
@rodrigo-molina rodrigo-molina requested a review from a team as a code owner March 26, 2025 11:50

confluent-cla-assistant bot commented Mar 26, 2025

🎉 All Contributor License Agreements have been signed. Ready to merge.
✅ rodrigo-molina
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

@ashwinpankaj (Member)

Thanks @rodrigo-molina -

  1. Is this being added for CP or CCloud? Can you please share the INIT?
  2. Shouldn't this go in the common provider integration repo? https://github.com/confluentinc/provider-integration/blob/master/src/main/java/io/confluent/provider/integration/aws/v2/ChainedAssumeRoleCredentialsProvider.java

CC: @tarunjain-confluent

@rodrigo-molina (Author)

hey @ashwinpankaj

Thanks for the quick response! 🙌

  1. Is this being added for CP or CCloud? Can you please share the INIT?

The feature is intended for use in a Self-Hosted Kafka Connect deployment and could be valuable for anyone running Kafka Connect on EKS.

Could you please clarify what INIT refers to in this context?

  2. Shouldn't this go in the common provider integration repo? https://github.com/confluentinc/provider-integration/blob/master/src/main/java/io/confluent/provider/integration/aws/v2/ChainedAssumeRoleCredentialsProvider.java

I currently don’t have access to that repository. Let me know if there’s a way to proceed or if I should request access.

@der-eismann

We're looking forward to this feature here. How can this proceed @ashwinpankaj @tarunjain-confluent ?

@rodrigo-molina (Author)

Hey @der-eismann,
As a temporary solution, we're currently building a jar with the AwsWebIdentityTokenCredentialsProvider class and adding it to the S3 plugin dependencies.

When I submitted this pull request, I also wrote some documentation on the process here:
https://medium.com/@molina.rodrigo/how-to-use-iam-roles-for-service-accounts-irsa-in-confluent-aws-s3-sink-connector-563cefe79156

Hope it helps!
