aws · sankalpbhatia · Aug 10, 2023 · Aug 8, 2023 · sankalpbhatia · Aug 10, 2023
@@ -263,6 +263,23 @@ $ cd signer
 $ go test
 ```
 
+## Troubleshooting
+### Finding out which identity is being used
+You may receive an `Access denied` error and there may be some doubt as to which credential is being exactly used. The credential may be sourced from a role ARN, EC2 instance profile, credential profile etc.
+You can set the field `AwsDebugCreds` set to true before getting the token:
+
+```go
+    signer.AwsDebugCreds = true
+```
+the client library will print a debug log of the form:
+```
+Credentials Identity: {UserId: ABCD:test124, Account: 1234567890, Arn: arn:aws:sts::1234567890:assumed-role/abc/test124}
+```
+
+The log line provides the IAM Account, IAM user id and the ARN of the IAM Principal corresponding to the credential being used.
+
+Please note that the log level should also be set to DEBUG for this information to be logged. It is not recommended to run with AwsDebugCreds=true since it makes an additional remote call.
+
 ## Getting Help
 
 Please use these community resources for getting help. We use the GitHub issues

@@ -6,6 +6,8 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
+
+	"log"
 	"net/http"
 	"net/url"
 	"runtime"
@@ -16,6 +18,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 )
 
@@ -32,6 +35,7 @@ const (
 
 var (
 	endpointURLTemplate = "kafka.%s.amazonaws.com" // endpointURLTemplate represents the template for the Kafka endpoint URL
+	AwsDebugCreds       = false                    // AwsDebugCreds flag indicates whether credentials should be debugged
 )
 
 // GenerateAuthToken generates base64 encoded signed url as auth token from default credentials.
@@ -162,6 +166,10 @@ func constructAuthToken(ctx context.Context, region string, credentials *aws.Cre
 		return "", 0, fmt.Errorf("aws credentials cannot be empty")
 	}
 
+	if AwsDebugCreds {
+		logCallerIdentity(ctx, region, *credentials)
+	}
+
 	req, err := buildRequest(DefaultExpirySeconds, endpointURL)
 	if err != nil {
 		return "", 0, fmt.Errorf("failed to build request for signing: %w", err)
@@ -269,3 +277,29 @@ func addUserAgent(signedURL string) (string, error) {
 
 	return parsedSignedURL.String(), nil
 }
+
+// Log caller identity to debug which credentials are being picked up
+func logCallerIdentity(ctx context.Context, region string, awsCredentials aws.Credentials) {
+	cfg, err := config.LoadDefaultConfig(ctx,
+		config.WithRegion(region),
+		config.WithCredentialsProvider(credentials.StaticCredentialsProvider{
+			Value: awsCredentials,
+		}),
+	)
+	if err != nil {
+		log.Printf("failed to load AWS configuration: %v", err)
+	}
+
+	stsClient := sts.NewFromConfig(cfg)
+
+	callerIdentity, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+
+	if err != nil {
+		log.Printf("failed to get caller identity: %v", err)
+	}
+
+	log.Printf("Credentials Identity: {UserId: %s, Account: %s, Arn: %s}\n",
+		*callerIdentity.UserId,
+		*callerIdentity.Account,
+		*callerIdentity.Arn)
+}