The Problem That Sent Me Down This Rabbit Hole

The thing that caught me off guard was how silent the failure was. My Lambda function was trying to connect to an MSK cluster, the connection timed out, and the only thing in CloudWatch was `org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed`. No principal name.…