Confluent.Kafka.OAuthBearer.Aws 2.15.0

dotnet add package Confluent.Kafka.OAuthBearer.Aws --version 2.15.0
                    
NuGet\Install-Package Confluent.Kafka.OAuthBearer.Aws -Version 2.15.0
                    
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Confluent.Kafka.OAuthBearer.Aws" Version="2.15.0" />
                    
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="Confluent.Kafka.OAuthBearer.Aws" Version="2.15.0" />
                    
Directory.Packages.props
<PackageReference Include="Confluent.Kafka.OAuthBearer.Aws" />
                    
Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add Confluent.Kafka.OAuthBearer.Aws --version 2.15.0
                    
#r "nuget: Confluent.Kafka.OAuthBearer.Aws, 2.15.0"
                    
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package Confluent.Kafka.OAuthBearer.Aws@2.15.0
                    
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=Confluent.Kafka.OAuthBearer.Aws&version=2.15.0
                    
Install as a Cake Addin
#tool nuget:?package=Confluent.Kafka.OAuthBearer.Aws&version=2.15.0
                    
Install as a Cake Tool

Confluent.Kafka.OAuthBearer.Aws

Optional package for Confluent.Kafka that adds AWS IAM-based authentication to Kafka clients via the OAUTHBEARER SASL mechanism. When enabled, the package mints short-lived JSON Web Tokens via AWS STS's GetWebIdentityToken API and hands them to librdkafka as the SASL bearer credential.

This package is opt-in and config-activated. Adding the <PackageReference> and setting two config keys is enough — no code changes at the integration site for the common case. Users who don't reference this package see zero AWS dependencies in their dependency graph.

Quick start

<ItemGroup>
  <PackageReference Include="Confluent.Kafka" Version="2.15.0" />
  <PackageReference Include="Confluent.Kafka.OAuthBearer.Aws" Version="2.15.0" />
</ItemGroup>

Minimum configuration

Two required keys in SaslOauthbearerConfig: region and audience. Defaults apply for everything else (300s lifetime, ES384 signing, no tags). SASL extensions, when needed, are set on the typed SaslOauthbearerExtensions property (see below).

using Confluent.Kafka;

var cfg = new ConsumerConfig
{
    BootstrapServers = "pkc-xxxx.aws.confluent.cloud:9092",
    SecurityProtocol = SecurityProtocol.SaslSsl,
    SaslMechanism    = SaslMechanism.OAuthBearer,
    GroupId          = "my-group",

    SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc,
    SaslOauthbearerMetadataAuthenticationType = SaslOauthbearerMetadataAuthenticationType.AwsIam,
    SaslOauthbearerConfig = "region=us-east-1,audience=https://confluent.cloud/oidc",
};

using var consumer = new ConsumerBuilder<string, string>(cfg).Build();
consumer.Subscribe("my-topic");

All options

Every supported key in SaslOauthbearerConfig. The grammar is comma-separated key=value pairs with librdkafka's \ escaping; see Configuration for each key's semantics.

using Confluent.Kafka;

var cfg = new ConsumerConfig
{
    BootstrapServers = "pkc-xxxx.aws.confluent.cloud:9092",
    SecurityProtocol = SecurityProtocol.SaslSsl,
    SaslMechanism    = SaslMechanism.OAuthBearer,
    GroupId          = "my-group",

    SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc,
    SaslOauthbearerMetadataAuthenticationType = SaslOauthbearerMetadataAuthenticationType.AwsIam,
    SaslOauthbearerConfig =
        "region=us-east-1," +
        "audience=https://confluent.cloud/oidc," +
        "duration_seconds=900," +
        "signing_algorithm=ES384," +
        "sts_endpoint=https://sts-fips.us-east-1.amazonaws.com," +
        "aws_debug=console," +
        "tag_team=platform," +
        "tag_environment=prod",
    SaslOauthbearerExtensions =
        "logicalCluster=lkc-abc," +
        "identityPoolId=pool-xyz",
};

using var consumer = new ConsumerBuilder<string, string>(cfg).Build();
consumer.Subscribe("my-topic");

Configuration

SaslOauthbearerConfig accepts a comma-separated list of key=value pairs, parsed with librdkafka's grammar (the same rules as sasl.oauthbearer.config for Azure IMDS): pairs split on ,, key/value on the first =. A \ escapes the next character, so a value can contain a literal comma by quoting it (\,); \t, \n, \r map to tab/newline/CR. Leading/trailing ASCII whitespace around each pair is trimmed.

Required

Key Description
region AWS region for the STS call (e.g. us-east-1, eu-north-1). Required — no IMDS sniffing or silent default.
audience OIDC audience the relying-party broker expects. Must match the IAM role's trust-policy condition.

Optional

Key Default Description
duration_seconds 300 Requested token lifetime, 60–3600 seconds.
signing_algorithm ES384 JWT signing algorithm. Either ES384 or RS256. AWS STS requires this field — we default for ergonomics. See Algorithm choice below.
sts_endpoint (SDK default) Override STS endpoint URL. Use for FIPS (sts-fips.us-east-1.amazonaws.com) or VPC endpoints.
aws_debug none Opt in to AWS SDK diagnostic logging. One of none, console, log4net, systemdiagnostics. See AWS SDK diagnostic logging below.
tag_<NAME> (none) Custom tag claims added to the minted JWT (max 50). Repeatable.

Algorithm choice

signing_algorithm controls the JWT's signature type at the AWS STS layer. We default to ES384 because elliptic-curve signatures produce smaller tokens (~96 bytes vs RSA's ~256 bytes) with equivalent security. Pick RS256 only if your broker's JWKS endpoint specifically requires RSA keys (rare in modern setups).

SigningAlgorithm is a required field on the underlying AWS STS API — omitting it from SaslOauthbearerConfig doesn't omit it from the wire, it just selects our default.

AWS SDK diagnostic logging

aws_debug routes the AWS SDK's internal diagnostic logs (credential-chain resolution, IMDS calls, STS request/response error paths, etc.) to a sink of your choice. Off by default.

Value Maps to Where logs go
none (default) LoggingOptions.None Library never mutates AWSConfigs.LoggingConfig.LogTo.
console LoggingOptions.Console Console.Out. Useful for container-runtime debugging (CloudWatch, docker logs).
log4net LoggingOptions.Log4Net log4net appenders configured by your app.
systemdiagnostics LoggingOptions.SystemDiagnostics System.Diagnostics.Trace listeners.

Values are case-insensitive. Unknown values fail at Build() time with an ArgumentException.

Side-effect note. AWSConfigs.LoggingConfig.LogTo is process-wide. Setting aws_debug to anything other than none affects the AWS SDK's logging for every client in the process, not only the STS client this library uses. The library only mutates the global when you explicitly opt in — if you don't set aws_debug (or set it to none), any value you may have configured elsewhere in your application is preserved.

// Quietest production setup — library does not touch AWS SDK logging.
"region=us-east-1,audience=https://confluent.cloud/oidc"

// Validation / debugging — verbose AWS SDK output to stdout.
"region=us-east-1,audience=https://confluent.cloud/oidc,aws_debug=console"

SASL extensions

RFC 7628 §3.1 SASL extensions are forwarded verbatim to the broker (separately from the JWT). Configure them through the typed SaslOauthbearerExtensions property — not inside SaslOauthbearerConfig — as a comma-separated list of key=value pairs:

SaslOauthbearerExtensions = "logicalCluster=lkc-abc,identityPoolId=pool-xyz",

SaslOauthbearerExtensions is parsed with the same grammar as SaslOauthbearerConfig. If a value is itself a comma-separated list (e.g. multiple identity pools), quote the internal commas with \ so they aren't read as pair separators: "identityPoolId=pool-1\,pool-2".

This matches the cross-language convention used by the Python, Go, and JavaScript bindings (e.g. for the existing AzureIMDS flow).

Prerequisites

The IAM role used by your application (instance profile, IRSA, or assumed role) must:

  1. Be trusted to call sts:GetWebIdentityToken for the requested audience.
  2. Belong to an AWS account where outbound web identity federation is enabled.

If either is missing, the first token refresh fails and the error surfaces via librdkafka's OAUTHBEARER error event with the original AWS exception message.

Common pitfalls

SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc is required

The AWS IAM autowire runs as a high-level-client refresh callback inside librdkafka's OIDC subsystem — parallel to how Azure IMDS works. Without method=oidc, the configuration is rejected at Build() with InvalidOperationException.

Always set:

SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc,
SaslOauthbearerMetadataAuthenticationType = SaslOauthbearerMetadataAuthenticationType.AwsIam,

If you forget method=oidc, the error message points at the missing setting.

Versioning

This package versions in lockstep with Confluent.Kafka core. Always reference matching versions.

AWS SDK requirement

Targets AWSSDK.SecurityToken >= 3.7.504. Pulled in transitively when you reference this package.

Further reading

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
.NET Core netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.1 is compatible. 
.NET Framework net462 is compatible.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
2.15.0 91 6/30/2026
2.15.0-RC2 71 6/30/2026