Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

How do you setup cross-account IAM authentication in AWS MSK?

0

We have an AWS MSK Cluster setup with IAM Authentication in Account A. We are able to setup an IAM Role in Account A, and allow that role to be assumed by a user in Account B to allow a user cross-account access to the cluster. If we want to run something like AWS Glue for example in Account B that needs to run as an IAM Role in Account B, how can we setup cross-account access to the Cluster in Account A? For other services we would configure a service policy that allows the cross-account trust relationship. I do not see anything like this on the MSK Cluster resource. The only thing I can think of is to use SCRAM authentication with pre-shared user credentials in a secret. However, we really need to use IAM authentication for compliance.

Temas
Seguridad, identidad y cumplimientoAnálisis
Etiquetas
AWS Identity and Access ManagementAmazon Managed Streaming for Apache Kafka (Amazon MSK)
Idioma
English
dude0001
preguntada hace 2 años3452 visualizaciones
1 Respuesta
0
Respuesta aceptada

We ended up using the cross-account assume role. We setup a role in Account B that allowed the needed access to MSK and allow sts:AssumeRole from Account A. We then added a policy to the Glue execution role in Account A that allows assuming the role in Account B. In Glue, we then setup the https://github.com/aws/aws-msk-iam-auth handler to assume the role in Account B.

dude0001
respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante