Configure AWS IAM OAuth for .NET Client
The Confluent.Kafka.OAuthBearer.Aws package adds AWS IAM-based authentication to Kafka clients through the OAUTHBEARER SASL mechanism. It mints short-lived JSON Web Tokens (JWT) using the AWS Security Token Service (STS) GetWebIdentityToken API and provides them to librdkafka as SASL bearer credentials.
Note
The Confluent.Kafka.OAuthBearer.Aws package is available in .NET Client version 2.15 or later.
Installation
Add the following package references:
<ItemGroup>
<PackageReference Include="Confluent.Kafka" Version="2.15.0" />
<PackageReference Include="Confluent.Kafka.OAuthBearer.Aws" Version="2.15.0" />
</ItemGroup>
Minimum configuration
Two required keys are region and audience in SaslOauthbearerConfig.
using Confluent.Kafka;
var cfg = new ConsumerConfig
{
BootstrapServers = "pkc-xxxx.aws.confluent.cloud:9092",
SecurityProtocol = SecurityProtocol.SaslSsl,
SaslMechanism = SaslMechanism.OAuthBearer,
GroupId = "my-group",
SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc,
SaslOauthbearerMetadataAuthenticationType = SaslOauthbearerMetadataAuthenticationType.AwsIam,
SaslOauthbearerConfig = "region=us-east-1,audience=https://confluent.cloud/oidc",
};
using var consumer = new ConsumerBuilder<string, string>(cfg).Build();
consumer.Subscribe("my-topic");
Full configuration example
var cfg = new ConsumerConfig
{
BootstrapServers = "pkc-xxxx.aws.confluent.cloud:9092",
SecurityProtocol = SecurityProtocol.SaslSsl,
SaslMechanism = SaslMechanism.OAuthBearer,
GroupId = "my-group",
SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc,
SaslOauthbearerMetadataAuthenticationType = SaslOauthbearerMetadataAuthenticationType.AwsIam,
SaslOauthbearerConfig =
"region=us-east-1," +
"audience=https://confluent.cloud/oidc," +
"duration_seconds=900," +
"signing_algorithm=ES384," +
"sts_endpoint=https://sts-fips.us-east-1.amazonaws.com," +
"aws_debug=console," +
"tag_team=platform," +
"tag_environment=prod",
SaslOauthbearerExtensions =
"logicalCluster=lkc-abc," +
"identityPoolId=pool-xyz",
};
Configuration keys
Required parameters
The following parameters are required:
Key | Description |
|---|---|
| AWS region for STS call, such as |
| OIDC audience expected by the broker. Must match the IAM role trust policy condition. |
Optional parameters
The following parameters are optional:
Key | Default | Description |
|---|---|---|
|
| Token lifetime: 60-3,600 seconds |
|
| JWT signing algorithm: |
| SDK default | Override STS endpoint for FIPS or VPC endpoints |
|
| AWS SDK diagnostic logging: |
| None | Custom tag claims in JWT, up to 50 per token. Repeatable. |
Algorithm choice
The default ES384 creates smaller tokens (approximately 96 bytes compared to RSA’s approximately 256 bytes) with equivalent security. Use RS256 only if your broker JWKS endpoint specifically requires RSA keys.
AWS SDK diagnostic logging
The aws_debug parameter routes AWS SDK internal diagnostics to different sinks:
none(default): No logging configuration changesconsole: Outputs toConsole.Outlog4net: Uses log4net appenderssystemdiagnostics: UsesSystem.Diagnostics.Tracelisteners
Important
AWSConfigs.LoggingConfig.LogTo is process-wide. Setting aws_debug affects all AWS SDK clients in the process.
SASL extensions
Configure RFC 7628 §3.1 SASL extensions through the SaslOauthbearerExtensions property:
SaslOauthbearerExtensions = "logicalCluster=lkc-abc,identityPoolId=pool-xyz",
For comma-separated values, escape internal commas: "identityPoolId=pool-1\,pool-2".
Configuration grammar
The configuration uses comma-separated key=value pairs with librdkafka escaping:
Pairs split on
,Key or value split on first
=\escapes next character\t,\n,\rmap to tab, newline, or carriage returnLeading and trailing ASCII whitespace trimmed
Prerequisites
The IAM role must meet the following criteria:
Be trusted to call
sts:GetWebIdentityTokenfor the requested audienceBelong to an AWS account with outbound web identity federation enabled
Failures surface through librdkafka’s OAUTHBEARER error event with the AWS exception message.
Critical requirements
You must set SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc. The AWS IAM autowire operates as a refresh callback inside librdkafka’s OIDC subsystem. Without this setting, configuration is rejected at Build() with InvalidOperationException.
Always include:
SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc,
SaslOauthbearerMetadataAuthenticationType = SaslOauthbearerMetadataAuthenticationType.AwsIam,
Versioning
This package versions in lockstep with Confluent.Kafka core. Always reference matching versions.
Dependencies
Requires AWSSDK.SecurityToken >= 3.7.504, pulled in transitively.
