
We are working on getting Amazon MSK (Kafka) working with IAM authentication & thereafter making it publicly accessible by DNS using changes in the aws kafka advertised listeners. To make this happen we are following the same infrastructure plan as below, but instead of using an Interface Endpoint, we are using a Network Loadbalancer: https://aws.amazon.com/blogs/big-data/how-goldman-sachs-builds-cross-account-connectivity-to-their-amazon-msk-clusters-with-aws-privatelink/

The interesting part is that the same infrastructure works perfectly using SASL/SCRAM authentication but not with IAM authentication. Do you have any info regarding issues about publicly accessible AWS MSK and IAM authentication?

Basically we are following the ideas in the guide, specifically Pattern 2: Front all MSK brokers with a single shared interface endpoint, but using IAM authentication instead. Using your IAM Guide for AWS MSK we have successfully communicated with our brokers using the internal DNS broker address. When we later change the advertised listeners in accordance with the guide above we fail to communicate with the broker and are given the error message:

java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SaslAuthenticationException: [9d5b944c-df83-4573-9979-4d121f49a533]: Hostname verification failed
at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:104)
at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272)
at kafka.admin.ConfigCommand$.getResourceConfig(ConfigCommand.scala:552)
at kafka.admin.ConfigCommand$.$anonfun$describeResourceConfig$4(ConfigCommand.scala:512)
at kafka.admin.ConfigCommand$.$anonfun$describeResourceConfig$4$adapted(ConfigCommand.scala:504)
at scala.collection.immutable.List.foreach(List.scala:431)
at kafka.admin.ConfigCommand$.describeResourceConfig(ConfigCommand.scala:504)
at kafka.admin.ConfigCommand$.describeConfig(ConfigCommand.scala:484)
at kafka.admin.ConfigCommand$.processCommand(ConfigCommand.scala:304)
at kafka.admin.ConfigCommand$.main(ConfigCommand.scala:97)
at kafka.admin.ConfigCommand.main(ConfigCommand.scala)
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: [9d5b944c-df83-4573-9979-4d121f49a533]: Hostname verification failed
Skinkpajen
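The page does not state what the broker actually compares when it reports "Hostname verification failed". The script below is an added illustration, not AWS's code nor the aws-msk-iam-auth library, of a simplified model that reproduces the symptom: the client signs an authentication token bound to the host name it dialled, and the broker only accepts a token bound to its own host name. Under that model, pointing a custom DNS name at an NLB in front of the brokers makes the client sign the custom name while the broker expects its native name, so a valid signature still fails the host check. The key, the host names and the token format are all constructed for the demo.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo signing key. In the real mechanism the client signs with
# its own IAM credentials; a shared secret is used here only to keep the
# example self-contained.
DEMO_KEY = b"constructed-demo-signing-key"

# Constructed host names: the broker's native name and a custom DNS name
# that resolves to an NLB in front of the broker.
BROKER_HOST = "b-1.example-cluster.abc123.kafka.eu-west-1.amazonaws.com"
CUSTOM_HOST = "kafka.public.example.com"


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so client and broker sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_token(connected_host: str, user: str, key: bytes = DEMO_KEY,
                now: Optional[int] = None) -> dict:
    """Client side: sign a token bound to the host name the client dialled."""
    issued = int(now if now is not None else time.time())
    payload = {"host": connected_host, "user": user, "issued": issued}
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "sig": sig}


def verify_token(token: dict, broker_host: str, key: bytes = DEMO_KEY,
                 max_age: int = 300, now: Optional[int] = None) -> Tuple[bool, str]:
    """Broker side: check signature, freshness, then that the bound host is us.

    Binding the token to a host name means a token captured on one endpoint
    cannot be replayed against a different one, which is exactly the property
    that a custom front-end name trips over.
    """
    payload = {k: token[k] for k in ("host", "user", "issued")}
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return False, "Signature invalid"
    current = now if now is not None else int(time.time())
    if current - token["issued"] > max_age:
        return False, "Token expired"
    if token["host"] != broker_host:
        return False, "Hostname verification failed"
    return True, "OK"


def simulate(client_dials: str, broker_host: str = BROKER_HOST) -> str:
    """Run one client/broker exchange and return the broker's verdict."""
    token = build_token(client_dials, "app-user", now=1_700_000_000)
    _, reason = verify_token(token, broker_host, now=1_700_000_100)
    return reason


if __name__ == "__main__":
    # Direct connection to the broker's own name: accepted.
    print(BROKER_HOST, "->", simulate(BROKER_HOST))
    # Same credentials through the custom NLB name: rejected on the host check.
    print(CUSTOM_HOST, "->", simulate(CUSTOM_HOST))
```

The same token from the same user succeeds or fails purely on which name the client connected to, which matches the question's observation that the cluster works on the internal broker address and breaks once the advertised listeners point at the custom name. SASL/SCRAM carries no such host binding in its exchange, which is consistent with it continuing to work behind the NLB.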

1 Answer


So it turns out this is not supported, here is the message from AWS Support:

Dear Customer,

Thank you for your patience while I investigate this issue.

After going through our internal resources, I would like to inform you that unfortunately IAM authentication against a cluster using a custom domain name through an intermediate NLB is not supported as of now.

Also, I could confirm that there is an already existing feature request for this and it is indeed in the backlog of our MSK service team. As you may understand, any new functionality addition goes through regressive testing and analysis to determine feasibility and ensure the stability of the service. It is for this reason that we cannot provide a timeline on when this feature would be available. I sincerely apologise on behalf of AWS for the inconvenience caused. I appreciate your understanding and patience with us as we grow the service.

In the meantime, I would suggest you keep an eye on our What's New page[1] and AWS Blogs[2] for updates on the latest announcements.

In case you require any further assistance, kindly feel free to reach out to me and I will be happy to assist you with the same.

Stay safe and have a nice day!
Skinkpajen