I have an AWS Lambda function (Node.js) right now that writes some data to a test Kafka cluster. The one that's in production uses Kerberos for auth, so I was wondering if there was a way to set up my Lambda function to authenticate with Kerberos. I wasn't able to find much online regarding this...

Did you find a solution to this? – scrayon May 17 '18 at 23:22
3 Answers
There are two ways to handle this.
Call out to CLI utilities
This requires that you supply the contents of the krb5-workstation package and its dependency, libkadm5, in your deployment package or via a Layer.
- Launch an EC2 instance from the Lambda execution environment's AMI.
- Update all packages: sudo yum update
- Install the MIT Kerberos utilities: sudo yum install krb5-workstation
- Make the Layer skeleton: mkdir bin lib
- Populate the binaries: rpm -ql krb5-workstation | grep bin | xargs -I %% cp -a %% bin
- Populate their libraries: rpm -ql libkadm5 | xargs -I %% cp -a %% lib
- Prepare the Layer: zip -r9 krb5-workstation-layer.zip bin lib
- Create the Layer and reference it from your Lambda function.
- Invoke (e.g.) /opt/bin/kinit from inside your function.
Do it natively
It turns out that if your code calls gss_acquire_cred, which most code does, usually through bindings and an abstraction layer, you don't need the CLI utilities.
- Supply a client keytab file to your function, either by bundling it with the deployment package or (probably better) fetching it from S3 + KMS.
- Set the KRB5_CLIENT_KTNAME environment variable to the location of the keytab file.
Requested addendum
In either case, if you find you have a need to specify additional Kerberos configuration, see the krb5.conf docs for details. If /etc is off the table, then "Multiple colon-separated filenames may be specified in [the] KRB5_CONFIG [environment variable]; all files which are present will be read."
This is very helpful (especially the KRB5_CLIENT_KTNAME envvar), but how to create the client keytab for the AWS Lambda environment? – ReWrite Nov 05 '20 at 17:29
I had to do the same thing and this response was helpful. I also referenced the code @ https://github.com/zyborg/Zyborg.AWS.Lambda.Kerberos as that looks like a working implementation. The other obstacles I hit were 1) I can't run kinit from /var/task; I needed to copy it to /tmp and chmod it with execute permissions, and 2) I had to set the KRB5_CONFIG environment variable for my process as well as the process that calls kinit so that it knows where to read my Kerberos settings from. – Hasani Blackwell Nov 08 '20 at 06:46

Surprisingly, it seems that this issue was not addressed by Amazon. I have a scenario which is restricted to using Kerberos authentication to DB servers. Since there's no way to run kinit on a Lambda instance when it starts, it seems impossible. Looks like it can be achieved in Azure Functions.
What neirbowj said will get you most of the way (and I don't know if this is my particular use case, but it got me over the finish line):

You'll need an env var like this: KRB5CCNAME=FILE:/tmp/tgt. See https://blog.tomecek.net/post/kerberos-in-a-container/ for a better explanation than I have.