Configure AWS IAM OAuth for Python Client
AWS IAM-based authentication uses the OAUTHBEARER SASL mechanism and is available as an optional install extra. When running on AWS compute (EC2, EKS, ECS, Fargate, Lambda) with an IAM role, the client automatically mints and refreshes short-lived JSON Web Tokens (JWT) tokens through AWS Security Token Service (STS).
Note
The confluent-kafka[oauthbearer-aws] package is available in Python Client version 2.15 or later.
Installation
Install the AWS IAM authentication extra:
pip install 'confluent-kafka[oauthbearer-aws]==2.15.0'
This adds boto3 and related dependencies. Without the extra, no AWS dependencies are imported.
Minimal configuration
The following example shows the minimal configuration for a consumer:
from confluent_kafka import Consumer
consumer = Consumer({
'bootstrap.servers': 'pkc-xxxx.aws.confluent.cloud:9092',
'security.protocol': 'SASL_SSL',
'sasl.mechanisms': 'OAUTHBEARER',
'sasl.oauthbearer.method': 'oidc',
'sasl.oauthbearer.metadata.authentication.type': 'aws_iam',
'sasl.oauthbearer.config': 'region=us-east-1,audience=https://confluent.cloud/oidc',
'group.id': 'my-group',
'auto.offset.reset': 'earliest',
})
The same settings apply to Producer and AdminClient.
Complete configuration example
conf = {
'bootstrap.servers': 'pkc-xxxx.aws.confluent.cloud:9092',
'security.protocol': 'SASL_SSL',
'sasl.mechanisms': 'OAUTHBEARER',
'sasl.oauthbearer.method': 'oidc',
'sasl.oauthbearer.metadata.authentication.type': 'aws_iam',
'sasl.oauthbearer.config': (
'region=us-east-1,'
'audience=https://confluent.cloud/oidc,'
'duration_seconds=900,'
'signing_algorithm=ES384,'
'sts_endpoint=https://sts-fips.us-east-1.amazonaws.com,'
'aws_debug=console,'
'tag_team=platform,'
'tag_environment=prod'
),
'sasl.oauthbearer.extensions': (
'logicalCluster=lkc-abc,'
'identityPoolId=pool-xyz'
),
}
Configuration keys
Required parameters
The following parameters are required in sasl.oauthbearer.config:
Key | Description |
|---|---|
| AWS region for STS calls (for example, |
| OIDC audience matching broker or IAM role configuration |
Optional parameters
The following parameters are optional in sasl.oauthbearer.config:
Key | Default | Description |
|---|---|---|
|
| Token lifetime: 60-3,600 seconds. Auto-refreshes at approximately 80%. |
|
| JWT signature: |
| SDK default | Override STS endpoint. For example, FIPS or VPC. |
|
| SDK logging: |
| Custom claim, up to 50 total. For example, |
Configuration is a comma-separated string of key=value pairs. Whitespace around pairs is ignored, but do not add spaces around the equals sign (=). Values can contain equals signs. Escape commas with \,.
SASL extensions
Use the separate sasl.oauthbearer.extensions key:
'sasl.oauthbearer.extensions': 'logicalCluster=lkc-abc,identityPoolId=pool-xyz'
Do not place extensions in sasl.oauthbearer.config.
Prerequisites
The application runs with AWS credentials resolvable by boto3’s default chain.
The IAM role permits STS
GetWebIdentityTokenfor the requested audience.The audience matches the IAM role trust relationship and broker configuration.
Common issues
The following are common configuration issues:
Missing sasl.oauthbearer.method:
sasl.oauthbearer.method=oidcis mandatory. RaisesValueErrorif omitted.Missing SASL settings: Set both
security.protocol=SASL_SSLandsasl.mechanisms=OAUTHBEARER.Empty sasl.oauthbearer.config:
sasl.oauthbearer.configmust be non-empty and include the requiredregionandaudienceparameters.Missing extra: Raises
ImportErrorif the authentication type is set but the extra is not installed.Audience mismatch:
GetWebIdentityTokenis rejected at STS if the audience does not match.Missing boto3[crt]: Might be needed for
aws logincredential sessions.
