kerberos authentication in lambda function

I have an AWS Lambda function (Node.js) right now that writes some data to a test Kafka cluster. The one that's in production uses Kerberos for auth, so I was wondering if there was a way to set up my Lambda function to authenticate with Kerberos. I wasn't able to find much online regarding this...

lightweight asked Feb 07 '17 15:02



1 Answer

There are two ways to handle this.

Call out to CLI utilities

This requires that you supply the contents of the krb5-workstation and its dependency, libkadm5, in your deployment package or via a Layer.

  1. Launch an EC2 instance from the Lambda execution environment's AMI
  2. Update all packages: sudo yum update
  3. Install the MIT Kerberos utilities: sudo yum install krb5-workstation
  4. Make the Layer skeleton: mkdir bin lib
  5. Populate the binaries: rpm -ql krb5-workstation | grep bin | xargs -I %% cp -a %% bin
  6. Populate their libraries: rpm -ql libkadm5 | xargs -I %% cp -a %% lib
  7. Prepare the Layer: zip -r9 krb5-workstation-layer.zip bin lib
  8. Create the Layer and reference it from your Lambda function.
  9. Invoke (e.g.) /opt/bin/kinit from inside your function.

Do it natively

It turns out that if your code calls gss_acquire_cred, which most code does, usually through bindings and an abstraction layer, you don't need the CLI utilities.

  1. Supply a client keytab file to your function, either by bundling it with the deployment package or (probably better) fetching it from S3 + KMS.
  2. Set the KRB5_CLIENT_KTNAME environment variable to the location of the keytab file.

Requested addendum

In either case, if you find you have a need to specify additional Kerberos configuration, see the krb5.conf docs for details. If /etc is off the table, then "Multiple colon-separated filenames may be specified in [the] KRB5_CONFIG [environment variable]; all files which are present will be read."

neirbowj answered Oct 14 '22 15:10