Proposal

MSK (Kafka Managed Services from AWS) supports IAM for authentication via SASL.

Use-Case

AWS announced the native support to MSK IAM (Kafka) using sarama client.

They have published a signer to process the token in a way that sarama client can use: https://github.com/aws/aws-msk-iam-sasl-signer-go.
Specifically using our own credentials provider:

func (t *MSKAccessTokenProvider) Token() (*sarama.AccessToken, error) {
        token, _, err := signer.GenerateAuthTokenFromCredentialsProvider(context.TODO(), "<region>", <MyCredentialsProvider>)
        return &sarama.AccessToken{Token: token}, err
}

This matches perfect with the new AWS authentication cache after the refactor: https://github.com/kedacore/keda/blob/main/pkg/scalers/aws/aws_common.go