[exporter/kafkaexporter] Skip Username and Password config validation for IAM (#37417)

xavirg · MovieStoreGuy · atoulme · web-flow · commit e979e4157cad · 2025-03-05T10:08:53.000-08:00
#### Description In `kafka.SASLConfig`, Username and Password fields [are always required](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/exporter/kafkaexporter/config.go#L138-L144): ``` func validateSASLConfig(c *kafka.SASLConfig) error { if c == nil { return nil } if c.Username == "" { return fmt.Errorf("auth.sasl.username is required") } if c.Password == "" { return fmt.Errorf("auth.sasl.password is required") } ``` However, when the authentication mechanism is set to either `AWS_MSK_IAM` or `AWS_MSK_IAM_OAUTHBEARER`, those properties are never used: ``` exporters: kafka/example: auth: sasl: username: "foo" # Not used password: "bar" # Not used mechanism: "AWS_MSK_IAM_OAUTHBEARER" aws_msk: region: us-east-1 ``` Implemented logic to bypass User and Password validation when the mechanism is set to AWS IAM. #### Testing Added a test to make sure kafka.SASLConfig.Username and kafka.SASLConfig.Password are not required --------- Co-authored-by: Sean Marciniak <30928402+MovieStoreGuy@users.noreply.github.com> Co-authored-by: Antoine Toulme <antoine@toulme.name> Co-authored-by: Antoine Toulme <atoulme@splunk.com>
diff --git a/.chloggen/main.yaml b/.chloggen/main.yaml
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: exporter/kafka
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: do not ask for user and password if auth mechanism is set to AWS IAM
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [37417]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []
diff --git a/exporter/kafkaexporter/config.go b/exporter/kafkaexporter/config.go
@@ -135,12 +135,13 @@ func validateSASLConfig(c *kafka.SASLConfig) error {
 		return nil
 	}
 
-	if c.Username == "" {
-		return fmt.Errorf("auth.sasl.username is required")
-	}
-
-	if c.Password == "" {
-		return fmt.Errorf("auth.sasl.password is required")
+	if c.Mechanism != "AWS_MSK_IAM" && c.Mechanism != "AWS_MSK_IAM_OAUTHBEARER" {
+		if c.Username == "" {
+			return fmt.Errorf("auth.sasl.username is required")
+		}
+		if c.Password == "" {
+			return fmt.Errorf("auth.sasl.password is required")
+		}
 	}
 
 	switch c.Mechanism {
diff --git a/exporter/kafkaexporter/config_test.go b/exporter/kafkaexporter/config_test.go
@@ -295,6 +295,22 @@ func TestValidate_sasl_version(t *testing.T) {
 	assert.EqualError(t, err, "auth.sasl.version has to be either 0 or 1. configured value 42")
 }
 
+func TestValidate_sasl_iam(t *testing.T) {
+	config := &Config{
+		Producer: Producer{
+			Compression: "none",
+		},
+		Authentication: kafka.Authentication{
+			SASL: &kafka.SASLConfig{
+				Mechanism: "AWS_MSK_IAM",
+			},
+		},
+	}
+
+	err := config.Validate()
+	assert.NoError(t, err)
+}
+
 func Test_saramaProducerCompressionCodec(t *testing.T) {
 	tests := map[string]struct {
 		compression         string
