Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

How do you setup cross-account IAM authentication in AWS MSK?

0

We have an AWS MSK Cluster setup with IAM Authentication in Account A. We are able to setup an IAM Role in Account A, and allow that role to be assumed by a user in Account B to allow a user cross-account access to the cluster. If we want to run something like AWS Glue for example in Account B that needs to run as an IAM Role in Account B, how can we setup cross-account access to the Cluster in Account A? For other services we would configure a service policy that allows the cross-account trust relationship. I do not see anything like this on the MSK Cluster resource. The only thing I can think of is to use SCRAM authentication with pre-shared user credentials in a secret. However, we really need to use IAM authentication for compliance.

Themen
Sicherheit, Identität & KonformitätAnalysen
Tags
AWS Identity and Access ManagementAmazon verwaltetes Streaming für Apache Kafka (Amazon MSK)
Sprache
English
dude0001
gefragt vor 2 Jahren3452 Aufrufe
1 Antwort
0
Akzeptierte Antwort

We ended up using the cross-account assume role. We setup a role in Account B that allowed the needed access to MSK and allow sts:AssumeRole from Account A. We then added a policy to the Glue execution role in Account A that allows assuming the role in Account B. In Glue, we then setup the https://github.com/aws/aws-msk-iam-auth handler to assume the role in Account B.

dude0001
beantwortet vor 2 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt