feature: Add AWS MSK IAM Authentication Support for Kafka Engine

[kalavt]

Changelog category (leave one):

• New Feature

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

Add support for AWS MSK IAM authentication for Kafka.

Documentation entry for user-facing changes

• Documentation is written (mandatory for new features)

Description

This PR implements AWS MSK IAM authentication support for the Kafka Table Engine.
It allows ClickHouse to authenticate with Amazon Managed Streaming for Apache Kafka (MSK) using IAM roles.

Motivation:
Many users running ClickHouse on AWS want to connect to MSK using the standard IAM authentication method for better security and management, rather than managing SASL/SCRAM credentials or mTLS certificates.

Changes:

• Added AWSMSKIAMAuth class (src/Storages/Kafka/AWSMSKIAMAuth.cpp/h) to handle IAM authentication logic.
• Updated StorageKafka and KafkaConsumer to use the new authentication mechanism.
• Added configuration settings for AWS MSK IAM auth.
• Updated librdkafka-cmake to support the necessary build options.
• Updated documentation with usage examples.

[CLAassistant]

All committers have signed the CLA.

[kalavt]

For implement #80446

[kalavt]

@antaljanosbenjamin can you pls have a check on this PR, thanks.

[antaljanosbenjamin]

In general looks good. There are a few general comments:

1. Could you please also update the regarding docs?
2. Have you thought about using "assumed roles" similarly to the S3 table function? I think it is implemented for S3, it shouldn't be hard to enable it here too.
3. I have to talk with some security people, but we might need a setting to disable this globally if there is some issue regarding security. Please don't act on this yet, I will try to get a precise answer on that and understand it better.

[clickhouse-gh]

Workflow [PR], commit [3a8f50a]

Summary: ❌

job_name	test_name	status	info	comment
Style check		failure
	cpp	failure	cidb
Build (arm_tidy)		failure
	Build ClickHouse	failure	cidb
Docs check		dropped
Build (amd_debug)		dropped
Build (amd_asan)		dropped
Build (amd_tsan)		dropped
Build (amd_msan)		dropped
Build (amd_ubsan)		dropped
Build (amd_binary)		dropped
Build (arm_asan)		dropped

[antaljanosbenjamin]

The changes in c-ares are intentional?

[kalavt]

@antaljanosbenjamin for your comments:

The changes in c-ares are intentional?

Regarding the c-ares submodule changes visible in the PR:

I can confirm that I have not made any direct modifications to the contrib/c-ares submodule. The changes appearing in the PR diff are due to the submodule version difference between my feature branch and the current master branch.

Here's what happened:

• My feature branch was created from an earlier master commit
• After branch creation, master updated the c-ares submodule to a newer version
• The PR comparison now shows this submodule pointer difference as part of the overall diff

Could you please also update the regarding docs?

updated, or any other docs need update, pls let me know.

Have you thought about using "assumed roles" similarly to the S3 table function? I think it is implemented for S3, it shouldn't be hard to enable it here too.

Yes, but should be by another PR.

I have to talk with some security people, but we might need a setting to disable this globally if there is some issue regarding security. Please don't act on this yet, I will try to get a precise answer on that and understand it better.

sure. Thanks for checking,

[antaljanosbenjamin]

So for the submodules, please revert those changes locally. The issue is in my opinion is the submodules were updated on master, you didn't updated them locally but committed them. This means if we would merge your PR, it would revert the changes in submodules.

For the credentials, there are two things. First of all, please use our S3CredentialsProviderChain that can be found here:

ClickHouse/src/IO/S3/Credentials.h

Lines 211 to 218 in 7d0b74a

	class S3CredentialsProviderChain : public Aws::Auth::AWSCredentialsProviderChain
	{
	public:
	S3CredentialsProviderChain(
	const DB::S3::PocoHTTPClientConfiguration & configuration,
	const Aws::Auth::AWSCredentials & credentials,
	CredentialsConfiguration credentials_configuration);
	};

Second, when creating such provider chain, please make sure use_environment_credentials can be enabled only from server configuration and not by user queries. I think for now it is okay if it is just a boolean flag without any further details, so it is either enabled or disabled to all URL.

If you have any questions, please don't hesitate to ask.

[kalavt]

@antaljanosbenjamin for your comments, I've solved the submodules changes, using S3CredentialsProviderChain with use_environment_credentials for loading credentials.

thanks for your guidance and point out the security concern.

[antaljanosbenjamin]

A few small things.

[kalavt]

Hi @antaljanosbenjamin

I've completely re-design the feature and tested it works, would you please review my code and let me know if you have any concern. Thanks.

[kalavt]

@antaljanosbenjamin can you pls guide me for next step merge this PR?

[antaljanosbenjamin]

I will have a look at it next week on the first day I am working. Sorry for the delay, but I am on vacation.

[antaljanosbenjamin]

I have to verify this locally, so this is a note to myself.

[antaljanosbenjamin]

What happens if the region is different in the current config then it was when the cache was created?

I might miss something, but I don't understand why the storage cannot own the credentials provider. it is tight to a single storage, clear ownership and scope. Now we have a global object which is shared among multiple storages.

[kalavt]

Hi. @antaljanosbenjamin

sorry for the late replay, thought you still on vacation :)

You are absolutely right. The global cache was problematic because it didn't account for different regions across multiple storages and introduced unnecessary global state.

I have refactored the implementation to ensure proper scoping and ownership:

1. Removed Global Cache: g_provider_cache has been removed entirely.
2. Scoped Ownership: The S3CredentialsProviderChain is now stored inside OAuthBearerTokenRefreshContext.
3. Storage Ownership: StorageKafka (and StorageKafka2) now owns the OAuthBearerTokenRefreshContext (via a std::shared_ptr member). This ensures the credentials provider's lifecycle is tied directly to the storage instance and uses the correct configuration (region) for that specific table.
4. Safe Context Passing: I'm passing the context pointer via the configuration string to avoid conflicts with cppkafka's use of the opaque pointer, ensuring we can access this scoped context safely in the callback.

This design eliminates the risk of region mismatch and removes the global state as suggested.

[antaljanosbenjamin]

A few comments, please don't use force push.

[antaljanosbenjamin]

Is this necessary?

[kalavt]

The constructor cannot use = default because it must initialize the base class WriteBufferFromVectorImpl<std::string> with the value member inherited from StringHolder. A defaulted constructor cannot include member initializers, so the NOLINT suppression is required here.

[antaljanosbenjamin]

Correct me if I am wrong, but this should only happen on the first occasion, no?

So I would say a slightly better logic considering my other comment about not returning a non-const reference to internal members:

1. check if the storage has a context or not (returning a non const raw pointer is perfect for this use-case)
2. if not, then create one and use the setOAuthContext function to assign it to the storage
3. if there is already a context, then use that.

[kalavt]

You're correct. The OAuth context initialization is expensive and should be cached. I'll refactor this part.

[antaljanosbenjamin]

I think we don't need this callback. My reasoning is if the consumer is not polled, then we don't need to refresh the auth secrets.

[kalavt]

The background SASL callbacks are necessary for handling low-traffic topics where the consumer may be idle for extended periods. Without them, OAuth tokens can expire during idle periods, causing unrecoverable authentication failures when the consumer attempts to poll again. This was specifically implemented to ensure consumers remain operational even on low-volume topics where polls are infrequent.

[antaljanosbenjamin]

I am not sure about this. This feels a very hacky solution. I think the proper solution is to add this functionality to cppkafka first and then we can utilize it here. Passing opaque pointers is fine, passing pointers as strings is not in my opnion. Technically they are the same, but it seems like a code smell. Feel free open a PR to https://github.com/ClickHouse/cppkafka and tag me.

[kalavt]

yah that's a workaround temporary not the ideal solution, for now, should we keep the current implementation as a temporary workaround until the cppkafka enhancement is merged,
or would you prefer to block this PR until the proper solution is in place?

[kalavt]

well, I've proposed a PR to https://github.com/ClickHouse/cppkafka to support OAUTHBEARER token refresh callback.
ClickHouse/cppkafka#5
and I'll refactor the Clickhouse AWS MSK IAM auth implementation to new PR with newly added refresh callback function #96100

[antaljanosbenjamin]

And please, remove this log.

[antaljanosbenjamin]

These are also not needed.