
@kalavt kalavt commented Dec 12, 2025

  • Replace deprecated aws_msk_iam and aws_msk_iam_cluster_arn parameters
  • Add new rdkafka.sasl.mechanism=aws_msk_iam configuration method
  • Add aws_region parameter for custom DNS/PrivateLink scenarios
  • Update IAM permission examples for consumers and producers
  • Add MSK Serverless example in input plugin
  • Simplify documentation for user-friendly experience

Summary by CodeRabbit

  • Documentation
    • Rewrote and expanded AWS MSK IAM authentication guidance for Kafka, correcting plugin context to output and adopting a configuration-first flow.
    • Renamed/prioritized prerequisites, simplified configuration examples, and introduced explicit parameters (mechanism, region) with auto-detection notes.
    • Added PrivateLink/custom DNS guidance and tabbed YAML/conf examples.
    • Replaced broad IAM examples with scoped policies using REGION/ACCOUNT/CLUSTER/UUID placeholders and clarified credential discovery.


@kalavt kalavt requested review from a team as code owners December 12, 2025 13:54
coderabbitai bot commented Dec 12, 2025

Walkthrough

Input and output Kafka docs were reorganized and expanded for AWS MSK IAM authentication: prerequisites and configuration parameters were clarified, examples updated (including PrivateLink/custom DNS), region auto-detection noted, and a focused IAM policy with explicit ARNs and placeholders was added.

Changes

Cohort / File(s): AWS MSK IAM Documentation (inputs & outputs): pipeline/inputs/kafka.md, pipeline/outputs/kafka.md
Summary: Rewrote AWS MSK IAM sections: renamed "Build requirements" → "Prerequisites"; introduced configuration parameters (rdkafka.sasl.mechanism, aws_region); added basic and PrivateLink/custom DNS examples in YAML/Conf; clarified region auto-detection and security.protocol behavior; replaced broad IAM guidance with an AWS credentials section and a scoped IAM policy JSON using placeholders (REGION, ACCOUNT, CLUSTER_NAME, CLUSTER_UUID); adjusted sample broker/topic examples and formatting.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify IAM policy JSON, ARN formats, and placeholder instructions
  • Check YAML and .conf examples for syntax and consistency
  • Confirm messaging about region auto-detection and rdkafka.security.protocol is accurate and consistent across both files

Poem

🐰 I nudged the docs with careful paws,

Swapped vague lines for tidy laws,
ARNs and regions tucked in place,
Brokers, topics — all emplaced,
A carrot cheer for Kafka's pace 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: updating Kafka MSK IAM authentication configuration documentation.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
pipeline/outputs/kafka.md (4)

5-5: Fix plugin reference: output doc incorrectly says “Kafka input plugin”.
Line 5 should refer to the Kafka output plugin (producer), not the input plugin.

-In Fluent Bit 4.0.4 and later, the Kafka input plugin supports authentication with AWS MSK IAM, enabling integration with Amazon MSK (Managed Streaming for Apache Kafka) clusters that require IAM-based access.
+In Fluent Bit 4.0.4 and later, the Kafka output plugin supports authentication with AWS MSK IAM, enabling integration with Amazon MSK (Managed Streaming for Apache Kafka) clusters that require IAM-based access.

27-27: Typo: librdfkafka → librdkafka.
Line 27 has a misspelling that may confuse readers searching for the right library knobs.

-Setting `rdkafka.log.connection.close` to `false` and `rdkafka.request.required.acks` to `1` are examples of recommended settings of `librdfkafka` properties.
+Setting `rdkafka.log.connection.close` to `false` and `rdkafka.request.required.acks` to `1` are examples of recommended settings of `librdkafka` properties.

48-58: Example config uses host (and a malformed IP) instead of brokers.
Line 56 has 192.1681.3:9092 (missing dot) and the key should match the documented parameter brokers.

   outputs:
     - name: kafka
       match: '*'
-      host: 192.1681.3:9092
+      brokers: 192.168.1.3:9092
       topics: test
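
Review bot: On the `brokers:` line, the key rename and the address correction arrive in one replacement, and the visible context covers only the YAML form of the example. If the page also carries a classic `.conf` version of this output block, check it for the same `host` key and `192.1681.3:9092` value so the two formats stay consistent.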

191-191: Minor formatting: add space in “raw format”.

-#### Kafka configuration file with `raw`format
+#### Kafka configuration file with `raw` format
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3fea32e and 137bda0.

📒 Files selected for processing (2)
  • pipeline/inputs/kafka.md (1 hunks)
  • pipeline/outputs/kafka.md (1 hunks)

@kalavt kalavt force-pushed the feature/aws-msk-iam-auth branch 2 times, most recently from 4db76b7 to 9101aab Compare December 12, 2025 14:19
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pipeline/outputs/kafka.md (1)

5-6: Doc bug: “Kafka input plugin” should be “Kafka Producer output plugin” here.
This is in the producer/output page and is likely a copy/paste slip.

🧹 Nitpick comments (1)
pipeline/inputs/kafka.md (1)

149-165: Config parameters table/examples: consider explicitly stating whether aws_msk_iam_cluster_arn is no longer needed (and why).
Right now the table + examples imply rdkafka.sasl.mechanism=aws_msk_iam is sufficient, but users familiar with older docs will look for the removed ARN parameter and may be unsure what changed.

Also applies to: 173-183

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 137bda0 and 4db76b7.

📒 Files selected for processing (2)
  • pipeline/inputs/kafka.md (1 hunks)
  • pipeline/outputs/kafka.md (1 hunks)
🔇 Additional comments (2)
pipeline/inputs/kafka.md (1)

195-225: IAM permissions + ARN formats look solid and much safer (scoped resources + CLUSTER_UUID note).
The consumer actions list (DescribeGroup/AlterGroup) and the CLUSTER_UUID guidance are the right level of specificity.

pipeline/outputs/kafka.md (1)

347-374: Producer IAM policy example is clear and appropriately scoped.
Nice improvement over overly-broad Resource: "*" style examples.

Change 'Kafka input plugin' to 'Kafka output plugin' in the introduction

Signed-off-by: Arbin <[email protected]>
@kalavt kalavt force-pushed the feature/aws-msk-iam-auth branch from 9101aab to a767991 Compare December 12, 2025 14:25
@eschabell eschabell self-assigned this Dec 12, 2025
@eschabell eschabell added the waiting-on-review Waiting on a review from mainteners label Dec 12, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 9101aab and a767991.

📒 Files selected for processing (2)
  • pipeline/inputs/kafka.md (1 hunks)
  • pipeline/outputs/kafka.md (2 hunks)
🔇 Additional comments (2)
pipeline/inputs/kafka.md (1)

199-227: Approved: IAM permissions policy is now correct.

The policy correctly includes the cluster UUID in ARN paths and specifies all required actions for a consumer (Connect, DescribeTopic, ReadData, DescribeGroup, AlterGroup). The guidance to substitute REGION, ACCOUNT, CLUSTER_NAME, and CLUSTER_UUID is clear.

pipeline/outputs/kafka.md (1)

351-376: Approved: Producer IAM permissions policy is correct.

The policy correctly specifies producer-only actions (Connect, DescribeTopic, WriteData) with cluster and topic ARNs that include the CLUSTER_UUID segment. The guidance to substitute placeholders is clear.
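
The scoped-policy shape the review comments above describe, as an added example that is not part of this thread or of the Fluent Bit docs: it builds a consumer or producer policy from the action lists named in the comments and lints a policy for wildcards, unfilled placeholders, and ARNs missing the cluster UUID. The function names, the one-statement-per-resource-type layout, and the sample values are assumptions made for illustration.

```python
import json

# Action sets as listed in the review comments above; ARN layout follows the
# REGION/ACCOUNT/CLUSTER_NAME/CLUSTER_UUID placeholders the docs use.
ROLE_ACTIONS = {
    "consumer": ["Connect", "DescribeTopic", "ReadData", "DescribeGroup", "AlterGroup"],
    "producer": ["Connect", "DescribeTopic", "WriteData"],
}
SCOPE = {"Connect": "cluster", "DescribeTopic": "topic", "ReadData": "topic",
         "WriteData": "topic", "DescribeGroup": "group", "AlterGroup": "group"}
PLACEHOLDERS = ("REGION", "ACCOUNT", "CLUSTER_NAME", "CLUSTER_UUID")

def build_policy(role, region, account, cluster, uuid, topic, group=None):
    """Return a policy dict scoped to one topic (and one group, for consumers)."""
    if role == "consumer" and not group:
        raise ValueError("a consumer policy needs a consumer group name")
    leaf = {"cluster": "", "topic": f"/{topic}", "group": f"/{group}"}
    statements = []
    for kind in ("cluster", "topic", "group"):
        actions = [f"kafka-cluster:{a}" for a in ROLE_ACTIONS[role] if SCOPE[a] == kind]
        if actions:
            resource = f"arn:aws:kafka:{region}:{account}:{kind}/{cluster}/{uuid}{leaf[kind]}"
            statements.append({"Effect": "Allow", "Action": actions, "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}

def lint(policy):
    """Flag wildcard actions/resources, unfilled placeholders, and short ARNs."""
    findings = []
    as_list = lambda v: v if isinstance(v, list) else [v]
    for n, st in enumerate(policy["Statement"]):
        for action in as_list(st["Action"]):
            if action in ("*", "kafka-cluster:*"):
                findings.append(f"statement {n}: wildcard action {action}")
        for res in as_list(st["Resource"]):
            parts = res.split(":", 5)[-1].split("/")
            if res == "*":
                findings.append(f"statement {n}: wildcard resource")
            elif any(p in res for p in PLACEHOLDERS):
                findings.append(f"statement {n}: unfilled placeholder in {res}")
            elif len(parts) < (3 if parts[0] == "cluster" else 4):
                findings.append(f"statement {n}: ARN lacks cluster UUID or name: {res}")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from the PR.
    policy = build_policy("consumer", "us-east-1", "111122223333", "demo-cluster",
                          "1a2b3c4d-0000-0000-0000-000000000000-1", "logs", "fluent-bit")
    print(json.dumps(policy, indent=2))
    print(lint(policy))
```
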

@eschabell

@alexakreizinger review request for you!

@alexakreizinger

I want to give this my full attention, but I have to finish early for the day for an appointment so I'm setting a reminder to review it on Monday 😄

@alexakreizinger alexakreizinger left a comment

@kalavt thanks for opening a PR, and apologies for the delayed review—I'm making some suggestions in line with our style guide, and feel free to merge if everything looks good to you :)

Signed-off-by: Alexa Kreizinger <[email protected]>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
pipeline/inputs/kafka.md (1)

145-147: Reword repetitive sentence structure in Prerequisites section.

The three consecutive sentences beginning with "You must" can be combined or restructured for better readability. Consider:

- To use AWS MSK IAM authentication, you must meet these requirements:
-
- - You must have access to an AWS MSK cluster with IAM authentication enabled.
- - You must have valid AWS credentials (IAM role, access keys, or instance profile).
- - You must have network connectivity to your MSK brokers.
+ To use AWS MSK IAM authentication, you must:
+
+ - Have access to an AWS MSK cluster with IAM authentication enabled.
+ - Provide valid AWS credentials (IAM role, access keys, or instance profile).
+ - Have network connectivity to your MSK brokers.
pipeline/outputs/kafka.md (1)

244-248: Reword repetitive sentence structure in Prerequisites section.

Same issue as the input plugin documentation: three consecutive sentences beginning with "You must" reduce readability. Apply the same refactoring:

- To use AWS MSK IAM authentication, you must meet these requirements:
-
- - You must have access to an AWS MSK cluster with IAM authentication enabled.
- - You must have valid AWS credentials (IAM role, access keys, or instance profile).
- - You must have network connectivity to your MSK brokers.
+ To use AWS MSK IAM authentication, you must:
+
+ - Have access to an AWS MSK cluster with IAM authentication enabled.
+ - Provide valid AWS credentials (IAM role, access keys, or instance profile).
+ - Have network connectivity to your MSK brokers.
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between a767991 and 21db1cd.

📒 Files selected for processing (2)
  • pipeline/inputs/kafka.md (1 hunks)
  • pipeline/outputs/kafka.md (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: kalavt
Repo: fluent/fluent-bit-docs PR: 2294
File: pipeline/inputs/kafka.md:147-168
Timestamp: 2025-12-12T14:30:10.698Z
Learning: In Fluent Bit v4.0.4+, when using AWS MSK IAM authentication (rdkafka.sasl.mechanism: aws_msk_iam), the rdkafka.security.protocol is automatically set to SASL_SSL and the AWS region is auto-detected from the broker hostname for standard MSK endpoints. The aws_msk_iam_cluster_arn parameter was removed - users only need to set rdkafka.sasl.mechanism: aws_msk_iam (and optionally aws_region for custom DNS/PrivateLink).

Applied to files:

  • pipeline/inputs/kafka.md
  • pipeline/outputs/kafka.md
🪛 LanguageTool
pipeline/inputs/kafka.md

[style] ~147-~147: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...e, access keys, or instance profile). - You must have network connectivity to your ...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

pipeline/outputs/kafka.md

[style] ~248-~248: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...e, access keys, or instance profile). - You must have network connectivity to your ...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🔇 Additional comments (8)
pipeline/inputs/kafka.md (4)

149-154: Configuration parameters accurately document simplified MSK IAM setup.

The table correctly reflects the streamlined approach: rdkafka.sasl.mechanism and optional aws_region are the only MSK IAM-specific parameters needed. The auto-detection behavior for standard endpoints is clearly documented.


156-175: Basic configuration example is correct and well-documented.

The minimal example correctly shows only rdkafka.sasl.mechanism: aws_msk_iam, with clear notes about region auto-detection and automatic security protocol configuration. The documentation accurately reflects the simplified setup.


177-189: Custom DNS/PrivateLink example correctly documents aws_region parameter usage.

The example appropriately shows when to set aws_region for non-standard broker hostnames. Configuration remains minimal and the guidance is clear.


191-240: AWS credentials chain and IAM policy are comprehensive and accurate.

The credentials chain follows AWS best practices, and the IAM policy correctly specifies actions (Connect, DescribeTopic, ReadData, DescribeGroup, AlterGroup) with properly formatted ARNs including the CLUSTER_UUID. The clarification about locating the cluster UUID is helpful.

pipeline/outputs/kafka.md (4)

250-255: Configuration parameters table is consistent with input plugin and accurate.

The same streamlined parameters are documented for the output plugin, maintaining consistency across both plugins.


257-301: Basic configuration examples for output plugin are correct and well-documented.

The YAML and .conf examples correctly show minimal MSK IAM setup for producers, with accurate documentation of auto-detection and auto-configuration behaviors. Consistent with the input plugin documentation.


303-341: Custom DNS/PrivateLink examples for output plugin are accurate and complete.

Both YAML and .conf formats correctly demonstrate aws_region usage for non-standard hostnames. Documentation aligns with the input plugin guidance.


353-389: Producer IAM policy is correctly scoped with appropriate actions and ARN format.

The policy appropriately specifies producer-specific permissions (Connect, DescribeTopic, WriteData) with correctly formatted ARNs. CLUSTER_UUID requirement and guidance are clearly documented, matching the input plugin documentation standards.

kalavt commented Dec 16, 2025

Hi @alexakreizinger, I appreciate your efforts to review and update the docs.

I would say let's hold it a bit and wait for the v4.2.1 release to avoid confusing users.

@eschabell

@kalavt looks like this is still waiting on the code pr to merge: fluent/fluent-bit#11270, so marking as such here.

@eschabell eschabell added waiting-on-code-merge and removed waiting-on-review Waiting on a review from mainteners labels Dec 16, 2025