Is it possible to run MSK connect with cross-account MSK Serverless cluster?

1

Hi team,

My use case: I have a centralized MSK Serverless cluster in one AWS account (Kafka Account). Other teams will be accessing this cluster from their own AWS accounts using Private Link and a cross-account IAM Role configured in Kafka Account. They also need to run MSK Connect in their accounts and connect to MSK Serverless in Kafka Account.

Question: Is there a way to tell MSK Connect to assume role in a different account?

Currently I can't seem to find a way to do it. When I create MSK connector and supply cross-account IAM role I'm getting an error that it is not allowed. Also resource based policy seems to be available for MSK Provisioned but not for MSK Serverless. Per https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-workers.html MSK Connect worker config doesn't accept "sasl.*" properties so I can't specify cross-account role in configuration properties.

Any help would really be appreciated!

asked 9 months ago, 435 views
4 answers
1

Thanks a lot Mahesh!

If it's possible to share an approx. ETA of resource-based policy availability for MSK Serverless that would be super helpful. I see there is a cluster policy in the AWS console for the MSK Serverless cluster that allows some sharing with other accounts, but I can't add "kafka-cluster:*" actions to it.

answered 7 months ago
0

Hello there,

As MSK Serverless only supports IAM Authentication, and it doesn’t have any resource based policy yet, unfortunately, it is not possible to access MSK Serverless cluster from cross account MSK Connect at the moment.

AWS
SUPPORT ENGINEER
answered 7 months ago
0

Hello there,

I just checked it again and observed that we have a new change in MSK Serverless which allows you to add a Cluster Policy.

You can customise that cluster policy by clicking on Advanced option and give the required actions and resources.

Please refer to the below screenshot:

[screenshot not reproduced]

AWS
SUPPORT ENGINEER
answered 7 months ago
0

Thanks Mahesh,

That looks like exactly what I need. However, when I try to add "kafka-cluster:*" actions to this policy I get the following error:

The cluster policy is not valid. Action field includes AWS services that inconsistent with specified vendor.

[screenshot not reproduced]

Is there anything I'm doing wrong?

The consumer application requires "kafka-cluster:Connect" permissions to connect to Kafka cluster - https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions:~:text=to%20serverless%20clusters-,kafka%2Dcluster%3AConnect,-Grants%20permission%20to.

When I try connecting with the permissions shown in your screenshot I get an Access Denied error.

Thanks, Pavel

answered 7 months ago
