How do you setup cross-account IAM authentication in AWS MSK?

Question

We have an AWS MSK Cluster setup with IAM Authentication in Account A. We are able to setup an IAM Role in Account A, and allow that role to be assumed by a user in Account B to allow a user cross-account access to the cluster. If we want to run something like AWS Glue for example in Account B that needs to run as an IAM Role in Account B, how can we setup cross-account access to the Cluster in Account A? For other services we would configure a service policy that allows the cross-account trust relationship. I do not see anything like this on the MSK Cluster resource. The only thing I can think of is to use SCRAM authentication with pre-shared user credentials in a secret. However, we really need to use IAM authentication for compliance.

Accepted Answer

We ended up using the cross-account assume role. We setup a role in Account B that allowed the needed access to MSK and allow sts:AssumeRole from Account A. We then added a policy to the Glue execution role in Account A that allows assuming the role in Account B. In Glue, we then setup the https://github.com/aws/aws-msk-iam-auth handler to assume the role in Account B.

How do you setup cross-account IAM authentication in AWS MSK?

関連するコンテンツ