[
https://issues.apache.org/jira/browse/CASSANDRA-20416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Semb Wever updated CASSANDRA-20416:
-------------------------------------------
Reviewers: Michael Semb Wever
> AWS IAM-based client authenticator
> ----------------------------------
>
> Key: CASSANDRA-20416
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20416
> Project: Apache Cassandra
> Issue Type: New Feature
> Components: Client/java-driver, Feature/Authorization
> Reporter: Joel Shepherd
> Priority: Normal
> Attachments: STS-Based Authentication for Apache Cassandra.pdf
>
>
> Enable Cassandra clients to authenticate to nodes using AWS IAM credentials,
> with minimal required AWS dependencies. Use of IAM credentials allows secure
> and centralized management of those credentials, and also enables use of
> secure credential distribution mechanisms like EC2 instance roles (for
> clients running on EC2).
> I've drafted Java driver- and node-side plug-ins [1] [2] for early review.
> This authenticator follows an approach initially developed by Heptio for
> authenticating to Kubernetes clusters on AWS:
> [https://github.com/kubernetes-sigs/aws-iam-authenticator]. The client uses
> IAM credentials to create a pre-signed URL that invokes the GetCallerIdentity
> API on the AWS Security Token Service (STS). The URL is passed to the node in
> response to an authentication challenge. The node GETs the URL: if
> successful, STS responds with the AWS account id, IAM principal name and IAM
> principal ARN associated with the client's signing credentials. The principal
> ARN is the client identity returned to Cassandra by the authenticator. The
> attached PDF provides more detail on the approach.
> I'm seeking feedback on the proposal and approach, feedback on the code, and
> suggestions for preparing it for release (if folks believe it will be useful).
> [1] Node authenticator plugin:
> [https://github.com/jcshepherd/aws-sts-auth-cassandra-authenticator-plugin]
> [2] Java driver plugin:
> https://github.com/jcshepherd/aws-sts-auth-cassandra-java-driver-plugin
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
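Because the node GETs a URL supplied by an unauthenticated client, it can confine that fetch to STS before making the request and then read the principal ARN from the response. The sketch below is an added example, not code from either plug-in or from the Cassandra project; the host allowlist, the expiry limit, the function names and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

# Assumptions: the operator pins the STS endpoints a node may contact and caps URL lifetime.
ALLOWED_HOSTS = {"sts.amazonaws.com", "sts.us-east-1.amazonaws.com"}
MAX_EXPIRES_SECONDS = 900  # assumed policy limit, not a plug-in constant
STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

# Constructed sample inputs (placeholder signature, example account id).
SAMPLE_URL = ("https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
              "&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=60&X-Amz-Signature=PLACEHOLDER")
SAMPLE_RESPONSE = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<GetCallerIdentityResult><Arn>arn:aws:iam::123456789012:user/example-client</Arn>
<UserId>EXAMPLEID</UserId><Account>123456789012</Account></GetCallerIdentityResult>
</GetCallerIdentityResponse>"""


def check_presigned_url(url):
    """Return None if the node may fetch the URL, else a rejection reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme must be https"
    # Compare the whole netloc so userinfo ("user@host") and explicit ports are rejected too.
    if parts.netloc.lower() not in ALLOWED_HOSTS:
        return "host is not an allowed STS endpoint"
    if parts.path not in ("", "/"):
        return "unexpected path"
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("Action") != ["GetCallerIdentity"]:  # also rejects duplicate Action params
        return "Action must be exactly GetCallerIdentity"
    if "X-Amz-Signature" not in query:
        return "URL is not pre-signed"
    expires = query.get("X-Amz-Expires", [""])[0]
    if not (expires.isascii() and expires.isdigit()) or int(expires) > MAX_EXPIRES_SECONDS:
        return "missing or excessive X-Amz-Expires"
    return None


def principal_arn(response_xml):
    """Extract the caller ARN from a GetCallerIdentity response body."""
    root = ET.fromstring(response_xml)
    arn = root.findtext("sts:GetCallerIdentityResult/sts:Arn", namespaces=STS_NS)
    if not arn or not arn.startswith("arn:"):
        raise ValueError("no principal ARN in STS response")
    return arn
```

The signature itself is verified by STS when the node performs the GET; these checks only decide whether the node should make that request at all.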