Closed
Changes from 9 commits
Commits
16 commits
6e1d53c
aws: optimize MSK IAM authentication and credential management
kalavt Nov 26, 2025
09aa64a
aws: optimize MSK IAM authentication and credential management
kalavt Nov 26, 2025
1f9b74a
aws: optimize MSK IAM authentication and credential management
kalavt Nov 26, 2025
ca35c22
fix: initialize AWS provider in sync mode for MSK IAM
kalavt Nov 26, 2025
4c19da4
fix(aws): force credential refresh in provider refresh functions
kalavt Nov 27, 2025
9aa3ebc
Merge branch 'fluent:master' into fix/aws-msk-iam-optimization
kalavt Nov 27, 2025
35bcf13
fix(aws): Minor leak on empty_payload_hex when canonical request buil…
kalavt Nov 27, 2025
d45dab6
aws: optimize MSK IAM authentication and credential management
kalavt Nov 27, 2025
8434f7d
fix(aws): AWS MSK IAM authentication failures caused by stale credent…
kalavt Nov 27, 2025
05ecb6d
aws: optimize MSK IAM authentication and credential management
kalavt Nov 27, 2025
862a4ec
fix(aws): AWS MSK IAM authentication failures on low traffic and Miss…
kalavt Nov 28, 2025
6dde002
fix(aws): Fix potential overflow in md_lifetime_ms on 32‑bit time_t
kalavt Nov 28, 2025
f343778
fix(aws): Fix AWS MSK IAM OAuth Token Expiration on Idle Connections …
kalavt Nov 28, 2025
b34bff6
fix(aws): Fix AWS MSK IAM OAuth Token Expiration on Idle Connections …
kalavt Nov 28, 2025
3bbbde2
fix(aws): Fix AWS MSK IAM OAuth Token Expiration on Idle Connections …
kalavt Nov 28, 2025
8892291
Merge branch 'fluent:master' into fix/aws-msk-iam-optimization
kalavt Nov 28, 2025
9 changes: 9 additions & 0 deletions src/aws/flb_aws_credentials_ec2.c
@@ -130,7 +130,16 @@ int refresh_fn_ec2(struct flb_aws_provider *provider) {
int ret = -1;

flb_debug("[aws_credentials] Refresh called on the EC2 IMDS provider");

if (try_lock_provider(provider)) {
/* Force credential refresh by clearing cache and setting expired time */
if (implementation->creds) {
flb_aws_credentials_destroy(implementation->creds);
implementation->creds = NULL;
}
/* Set to 1 (epoch start) to trigger immediate refresh via time check */
implementation->next_refresh = 1;

ret = get_creds_ec2(implementation);
unlock_provider(provider);
}
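Review bot: The ordering in this hunk drops working credentials before replacements exist: `flb_aws_credentials_destroy(implementation->creds); implementation->creds = NULL;` runs before `get_creds_ec2(implementation)` has returned, so if the IMDS request fails transiently the provider is left with no credentials even when the previous set was still valid (the same concern the inline comment raises on the STS hunk below). Fetch the new set first, and only on a successful return destroy the old one and swap the new one in; if `get_creds_ec2` writes straight into `implementation->creds`, at least restore the previous pointer and `next_refresh` when it returns an error.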
8 changes: 8 additions & 0 deletions src/aws/flb_aws_credentials_http.c
@@ -158,6 +158,14 @@ int refresh_fn_http(struct flb_aws_provider *provider) {
flb_debug("[aws_credentials] Refresh called on the http provider");

if (try_lock_provider(provider)) {
/* Force credential refresh by clearing cache and setting expired time */
if (implementation->creds) {
flb_aws_credentials_destroy(implementation->creds);
implementation->creds = NULL;
}
/* Set to 1 (epoch start) to trigger immediate refresh via time check */
implementation->next_refresh = 1;

ret = http_credentials_request(implementation);
unlock_provider(provider);
}
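Review bot: Same destroy-before-request ordering as the EC2 hunk: the cache is cleared and `next_refresh` set to 1 before `http_credentials_request(implementation)` has succeeded, so one failed HTTP credentials call leaves the provider empty. Since this identical nine-line block is now pasted into four provider files, consider a single helper that takes the old `creds` pointer, runs the provider-specific request, and replaces the cached set only on success, so the fix the STS comment asks for is made once rather than in four places that can drift apart.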
3 changes: 1 addition & 2 deletions src/aws/flb_aws_credentials_profile.c
@@ -663,8 +663,7 @@ static int get_shared_credentials(char* credentials_path,

if (flb_read_file(credentials_path, &buf, &size) < 0) {
if (errno == ENOENT) {
AWS_CREDS_ERROR_OR_DEBUG(debug_only, "Shared credentials file %s does not exist",
credentials_path);
AWS_CREDS_DEBUG("Shared credentials file %s does not exist", credentials_path);
} else {
flb_errno();
AWS_CREDS_ERROR_OR_DEBUG(debug_only, "Could not read shared credentials file %s",
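Review bot: The ENOENT branch now logs at debug level unconditionally (`AWS_CREDS_DEBUG("Shared credentials file %s does not exist", ...)`), while the "Could not read shared credentials file" branch directly below still honours `debug_only`. If the intent is that a missing file is never worth an error because the caller moves on to other credential sources, state that in a code comment and check whether `debug_only` still has a use in this function; otherwise an operator who configured a credentials path that does not exist now gets no error in a non-debug run, which is a silent change in behaviour that the commit message should at least call out.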
19 changes: 18 additions & 1 deletion src/aws/flb_aws_credentials_sts.c
@@ -175,8 +175,16 @@ int refresh_fn_sts(struct flb_aws_provider *provider) {
struct flb_aws_provider_sts *implementation = provider->implementation;

flb_debug("[aws_credentials] Refresh called on the STS provider");

if (try_lock_provider(provider)) {
/* Force credential refresh by clearing cache and setting expired time */
if (implementation->creds) {
flb_aws_credentials_destroy(implementation->creds);
implementation->creds = NULL;
}
/* Set to 1 (epoch start) to trigger immediate refresh via time check */
implementation->next_refresh = 1;

Inline review comment on the lines above:

P1: Refresh clears cached STS creds before new ones succeed

In refresh_fn_sts, the refresh path destroys implementation->creds and marks the cache expired before calling sts_assume_role_request(). With the MSK OAuth callback now invoking provider->refresh() on every token refresh, any transient STS failure leaves the provider with no credentials at all even if the previous ones were still valid, causing OAuth token generation to fail unnecessarily. Cached credentials should remain usable until a new set is successfully obtained.

Author reply: Fixed by 05ecb6d


ret = sts_assume_role_request(implementation->sts_client,
&implementation->creds, implementation->uri,
&implementation->next_refresh);
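Review bot: One thing to check when the destroy call is removed per the inline comment (the fix in 05ecb6d is outside this nine-commit view): `sts_assume_role_request` receives `&implementation->creds` as an out-parameter, so if it assigns a newly allocated set without releasing whatever `*creds` already points to, dropping `flb_aws_credentials_destroy` turns the availability bug into a leak of the previous credentials on every refresh. The caller should keep the old pointer, make the request, and destroy the old set only after success, or the callee should be documented as freeing an existing `*creds` before overwriting it.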
@@ -480,7 +488,16 @@ int refresh_fn_eks(struct flb_aws_provider *provider) {
struct flb_aws_provider_eks *implementation = provider->implementation;

flb_debug("[aws_credentials] Refresh called on the EKS provider");

if (try_lock_provider(provider)) {
/* Force credential refresh by clearing cache and setting expired time */
if (implementation->creds) {
flb_aws_credentials_destroy(implementation->creds);
implementation->creds = NULL;
}
/* Set to 1 (epoch start) to trigger immediate refresh via time check */
implementation->next_refresh = 1;

ret = assume_with_web_identity(implementation);
unlock_provider(provider);
}
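Review bot: Besides the same destroy-before-request ordering as the STS hunk, which applies here with `assume_with_web_identity(implementation)` as the fallible call, the block does two things to force the refetch where one would do: it sets `implementation->creds = NULL` and also sets `implementation->next_refresh = 1` with a comment that the time check triggers the refresh. If the callee refetches when `creds` is NULL, the timestamp is redundant; if it refetches on the timestamp, the NULL-out is what causes the loss of valid credentials on failure. Pick the one trigger that is actually needed and say so in the comment, so a reader does not have to inspect the callee to know which path is relied on.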