MSK Connect - Failed to create using in-built AWSServiceRoleForKafkaConnect role

Question

I have created many connectors already using very similar configuration. Since yesterday (25th Jan 2022) I am unable to create a kafka connector using the AWSServiceRoleForKafkaConnect role. The existing connectors that have already been created are still working fine. Here is the error I get when clicking Create Connector on the last page in the form:

`Error creating connector
There was a problem creating a connector. If the problem persists, contact AWS Support.
API response
Invalid parameter serviceExecutionRoleArn: A service linked role ARN cannot be provided as service execution role ARN.`

I have tried to create a connector with the same configuration that has already worked, only now I'm receiving the error above. Has something been updated around this? Do I need to create a new service role?

Other Details:
Using small MSK cluster with Authenticate=None
using camel connector jar file (that is currently working with other connectors)

Answer

Hi there, there were some recent changes made to the use of Service Linked Roles (SLR) as an execution role for Amazon MSK Connect Connectors. SLRs are no longer allowed to be used as the execution role. This may not affect Connectors which do not interact with Amazon MSK clusters or other resources using IAM authentication, but will affect any interaction with IAM controlled resources. It is recommend that all connector execution roles use customer managed roles with Trust Relationships including kafkaconnect.amazonaws.com. See the documentation on Service Execution Roles (1) for more details.

Currently the console allows the selection of an SLR (AWSServiceRoleForKafkaConnect) as the execution role, this will be removed in future updates and should not be used when creating connectors.

(1) https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-service-execution-role.html

Currently the console allows the selection of an SLR (AWSServiceRoleForKafkaConnect) as the execution role, this will be removed in future updates and should not be used when creating connectors.

(1) https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-service-execution-role.html

MSK Connect - Failed to create using in-built AWSServiceRoleForKafkaConnect role

관련 콘텐츠