8

I have an AWS Lambda function (Node.js) right now that writes some data to a test Kafka cluster. The one that's in production uses Kerberos for auth, so I was wondering if there was a way to set up my Lambda function to authenticate with Kerberos. I wasn't able to find much online regarding this...

lightweight

3 Answers

4

There are two ways to handle this.

Call out to CLI utilities

This requires that you supply the contents of the krb5-workstation and its dependency, libkadm5, in your deployment package or via a Layer.

  1. Launch an EC2 instance from the Lambda execution environment's AMI
  2. Update all packages: sudo yum update
  3. Install the MIT Kerberos utilities: sudo yum install krb5-workstation
  4. Make the Layer skeleton: mkdir bin lib
  5. Populate the binaries: rpm -ql krb5-workstation | grep bin | xargs -I %% cp -a %% bin
  6. Populate their libraries: rpm -ql libkadm5 | xargs -I %% cp -a %% lib
  7. Prepare the Layer: zip -r9 krb5-workstation-layer.zip bin lib
  8. Create the Layer and reference it from your Lambda function.
  9. Invoke (e.g.) /opt/bin/kinit from inside your function.

Do it natively

It turns out that if your code calls gss_acquire_cred, which most code does, usually through bindings and an abstraction layer, you don't need the CLI utilities.

  1. Supply a client keytab file to your function, either by bundling it with the deployment package or (probably better) fetching it from S3 + KMS.
  2. Set the KRB5_CLIENT_KTNAME environment variable to the location of the keytab file.

Requested addendum

In either case, if you find you have a need to specify additional Kerberos configuration, see the krb5.conf docs for details. If /etc is off the table, then "Multiple colon-separated filenames may be specified in [the] KRB5_CONFIG [environment variable]; all files which are present will be read."

neirbowj
  • This is very helpful (especially the KRB5_CLIENT_KTNAME env var), but how do you create the client keytab for the AWS Lambda environment? – ReWrite Nov 05 '20 at 17:29
  • I had to do the same thing and this response was helpful. I also referenced the code at https://github.com/zyborg/Zyborg.AWS.Lambda.Kerberos as that looks like a working implementation. The other obstacles I hit were: 1) I can't run kinit from /var/task; I needed to copy it to /tmp and chmod it with execute permissions. 2) I had to set the KRB5_CONFIG environment variable for my process as well as for the process that calls kinit so that it knows where to read my Kerberos settings from. – Hasani Blackwell Nov 08 '20 at 06:46
0

Surprisingly, it seems that this issue was not addressed by Amazon. I have a scenario which is restricted to using Kerberos authentication to DB servers. Since there's no way to run kinit on a Lambda instance when it starts, it seems impossible. Looks like it can be achieved in Azure Functions.

Alex Michel
0

What neirbowj said will get you most of the way (and I don't know if this is just my particular use case, but it got me over the finish line):

You'll need an env var like this: KRB5CCNAME=FILE:/tmp/tgt. See https://blog.tomecek.net/post/kerberos-in-a-container/ for a better explanation than I have.