
Msk Secrets Manager Resource policy changed by kafka.amazonaws.com

0

So we deployed our secrets manager with user and password in one account and a resource policy with the following statement:

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "AWSKafkaResourcePolicy",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::{ourAccountId}:root",
        "Service" : "kafka.amazonaws.com"
      },
      "Action" : [
        "secretsmanager:getSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource" : "arn:aws:secretsmanager:eu-central-1:{mskAccId}:secret:AmazonMSK_eos-datapipeline-ads-all-prod-12345"
    }
  ]
}

And after resource creation I see, a couple of seconds later, an event in CloudTrail, generated by Username {mskAccId}, sourceIp kafka.amazonaws.com, overriding my policy with the following (no AWS principal and no "secretsmanager:DescribeSecret"):

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "AWSKafkaResourcePolicy",
      "Effect" : "Allow",
      "Principal" : {
        "Service" : "kafka.amazonaws.com"
      },
      "Action" : [
        "secretsmanager:getSecretValue"
      ],
      "Resource" : "arn:aws:secretsmanager:eu-central-1:{mskAccId}:secret:AmazonMSK_eos-datapipeline-ads-all-prod-12345"
    }
  ]
}

Any idea why?

I'll leave more info from the event in case you consider it relevant:

"eventType": "AwsApiCall", "sourceIPAddress": "kafka.amazonaws.com", "userAgent": "kafka.amazonaws.com", "eventCategory": "Management"

1 Answer
0

When you associate a secret with an Amazon MSK cluster for SASL/SCRAM authentication, MSK automatically modifies the resource policy of the secret to ensure it has the necessary permissions to access the secret. This is part of the normal operation when using AWS Secrets Manager for sign-in credentials authentication with MSK.

The modification you're seeing in CloudTrail is the Amazon MSK service updating the resource policy to ensure it has the proper access to the secret. MSK specifically needs the secretsmanager:GetSecretValue permission to retrieve the credentials stored in the secret.

The service removes the AWS account root principal and the secretsmanager:DescribeSecret permission because MSK only requires the minimum permissions necessary to function properly, which is retrieving the secret value. This follows the principle of least privilege.

When using Secrets Manager with MSK, the service periodically syncs credential data from the secret to the MSK cluster. This automatic synchronization requires the service to have access to the secret, which is why it modifies the resource policy to ensure it has the necessary permissions.

If you need to maintain additional permissions in the resource policy, you might need to implement a solution that restores your desired policy after MSK makes its changes, but be careful not to remove the permissions that MSK requires to function properly.
Sources
Sign-in credentials authentication with AWS Secrets Manager - Amazon Managed Streaming for Apache Kafka
Resource-based policies - AWS Secrets Manager

answered a year ago
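The answer's last paragraph describes two things a practitioner would want to automate: recognising the MSK-originated policy rewrite in CloudTrail, and restoring the operator's own statements without removing the grant MSK depends on. The following is an added example (not code from the question, the answer, or AWS) that does both against an in-memory CloudTrail record. The sourceIPAddress, userAgent, eventType and eventCategory values come from the question; the eventName, eventSource, requestParameters shape, account id and secret name are assumptions made for the example, and nothing here calls AWS.

```python
import copy
import json

# Constructed sample CloudTrail record. Only the four fields quoted in the
# question are taken from it; everything else is an assumed placeholder.
SECRET_ARN = (
    "arn:aws:secretsmanager:eu-central-1:111111111111"
    ":secret:AmazonMSK_example-secret"  # placeholder ARN, not the asker's
)
SAMPLE_EVENT = {
    "eventType": "AwsApiCall",
    "eventCategory": "Management",
    "eventSource": "secretsmanager.amazonaws.com",  # assumed
    "eventName": "PutResourcePolicy",               # assumed
    "sourceIPAddress": "kafka.amazonaws.com",
    "userAgent": "kafka.amazonaws.com",
    "requestParameters": {                          # assumed shape
        "secretId": SECRET_ARN,
        "resourcePolicy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AWSKafkaResourcePolicy",
                "Effect": "Allow",
                "Principal": {"Service": "kafka.amazonaws.com"},
                "Action": ["secretsmanager:getSecretValue"],
                "Resource": SECRET_ARN,
            }],
        }),
    },
}

# The statement the operator wants to keep alongside MSK's (hypothetical).
OPERATOR_STATEMENT = {
    "Sid": "OperatorReadAccess",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},  # placeholder
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": SECRET_ARN,
}


def _as_list(value):
    """IAM allows scalars where lists are also accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_msk_policy_rewrite(event: dict) -> bool:
    """Detection rule: a Secrets Manager resource-policy write made by the MSK service."""
    return (
        event.get("eventSource") == "secretsmanager.amazonaws.com"
        and event.get("eventName") == "PutResourcePolicy"
        and event.get("sourceIPAddress") == "kafka.amazonaws.com"
        and event.get("userAgent") == "kafka.amazonaws.com"
    )


def policy_from_event(event: dict) -> dict:
    """Parse the policy document MSK wrote, as carried in the request parameters."""
    return json.loads(event["requestParameters"]["resourcePolicy"])


def msk_statement_intact(policy: dict) -> bool:
    """True if some Allow statement still lets kafka.amazonaws.com read the secret value."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(st.get("Action", []))}  # action names are case-insensitive
        if "kafka.amazonaws.com" in services and "secretsmanager:getsecretvalue" in actions:
            return True
    return False


def reconcile_policy(current: dict, extra_statements: list) -> dict:
    """Re-add the operator's statements next to MSK's without editing the one MSK wrote.

    Idempotent: a statement already present with an identical body is skipped, so the
    function can be re-run every time MSK's periodic sync rewrites the policy. A Sid
    that exists with a different body is treated as a conflict rather than overwritten.
    """
    if not msk_statement_intact(current):
        raise ValueError("MSK's GetSecretValue grant is missing; refusing to rewrite")
    merged = copy.deepcopy(current)
    merged["Statement"] = _as_list(merged["Statement"])
    by_sid = {st.get("Sid"): st for st in merged["Statement"]}
    for st in extra_statements:
        sid = st.get("Sid")
        if not sid:
            raise ValueError("extra statements need a Sid so they can be reconciled")
        if sid in by_sid:
            if by_sid[sid] == st:
                continue
            raise ValueError(f"Sid {sid!r} already exists with a different body")
        merged["Statement"].append(copy.deepcopy(st))
        by_sid[sid] = st
    return merged


if __name__ == "__main__":
    if is_msk_policy_rewrite(SAMPLE_EVENT):
        restored = reconcile_policy(policy_from_event(SAMPLE_EVENT), [OPERATOR_STATEMENT])
        print(json.dumps(restored, indent=2))
```

In a real deployment the detection rule would run on an EventBridge or CloudTrail Lake match and the merged document would be written back with the Secrets Manager PutResourcePolicy API; the point of the guard in reconcile_policy is that the writer can never drop the kafka.amazonaws.com GetSecretValue grant the answer warns about, and the Sid check stops the two writers (MSK and your automation) from silently overwriting each other's statement.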
