
MSK Serverless - Not authorized to access group <groupName> error

0

Hi, I've created a Kafka cluster and enabled IAM authentication, and I'm running an app in an ECS cluster. I have mapped a role to this ECS task, and this role has the policy below; I am able to create and delete topics from the Java client.

But I got the error below:

org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: <consumer-group-name>

So I've changed my policy from this:

{
  "Sid" : "AllowedKafkaPermissions",
  "Effect" : "Allow",
  "Action" : [
    "kafka-cluster:Connect",
    "kafka-cluster:ReadData",
    "kafka-cluster:CreateTopic",
    "kafka-cluster:AlterTopic",
    "kafka-cluster:DeleteTopic",
    "kafka-cluster:WriteData",
    "kafka-cluster:WriteDataIdempotently",
    "kafka-cluster:Describe*",
    "kafka:Describe*",
    "kafka:List*",
    "kafka:Get*"
  ],
  "Resource" : [
    "arn:aws:kafka:${var.aws_region}:${var.aws_account_id}:topic/${local.kafka_cluster_name}/*/*",
    "arn:aws:kafka:${var.aws_region}:${var.aws_account_id}:cluster/${local.kafka_cluster_name}/*",
    "arn:aws:kafka:${var.aws_region}:${var.aws_account_id}:group/${local.kafka_cluster_name}/*/*"
  ]
}

to this:

{
  "Sid" : "AllowedKafkaPermissions",
  "Effect" : "Allow",
  "Action" : [
    "kafka-cluster:Connect",
    "kafka-cluster:AlterCluster",
    "kafka-cluster:ReadData",
    "kafka-cluster:CreateTopic",
    "kafka-cluster:AlterTopic",
    "kafka-cluster:DeleteTopic",
    "kafka-cluster:WriteData",
    "kafka-cluster:WriteDataIdempotently",
    "kafka-cluster:Describe*",
    "kafka-cluster:AlterTransactionalId",
    "kafka:Describe*",
    "kafka:List*",
    "kafka:Get*"
  ],
  "Resource" : [
    "arn:aws:kafka:${var.aws_region}:${var.aws_account_id}:topic/${local.kafka_cluster_name}/*/*",
    "arn:aws:kafka:${var.aws_region}:${var.aws_account_id}:cluster/${local.kafka_cluster_name}/*",
    "arn:aws:kafka:${var.aws_region}:${var.aws_account_id}:group/${local.kafka_cluster_name}/*/*"
  ]
}

Still, the issue is not resolved. What should I do to resolve this issue? Do I need to add a Kafka ACL entry to resolve it, or can it be handled via the IAM policy?

Can someone help me on this?

asked 2 years ago · 409 views
2 Answers
0

Hi,

To precisely locate the permission that is missing at the IAM level, I would suggest that you leverage AWS CloudTrail: you will be able to collect all the API calls made to the various services and locate which one fails, and hence which permission is missing.

See:

  1. https://alexlo9312.medium.com/find-the-minimum-aws-iam-permission-set-using-cloudtrail-ed730882d040
  2. https://engineering.remind.com/cloudtrail-debugging/

Best,

Didier

EXPERT
answered 2 years ago
0

Try to add the following action to the IAM policy:

kafka-cluster:AlterGroup
AWS
answered 2 years ago
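For reference, here is what the policy statement looks like once the consumer-group actions are present. This is an added example, not a policy from the question or either answer: it keeps the actions the asker already had, adds `kafka-cluster:AlterGroup` (needed for JoinGroup/SyncGroup/commit operations, which is what the `GroupAuthorizationException` is about) and names `kafka-cluster:DescribeGroup` explicitly, and it splits the group permissions into their own statement so they apply only to the `group/` ARN rather than to every resource. `REGION`, `ACCOUNT_ID`, `CLUSTER_NAME` and `CLUSTER_UUID` are placeholders to substitute (the question uses Terraform interpolations for the same values); the `Sid` names are assumed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KafkaClusterAndTopicAccess",
      "Effect": "Allow",
      "Action": [
        "kafka-cluster:Connect",
        "kafka-cluster:DescribeCluster",
        "kafka-cluster:DescribeTopic",
        "kafka-cluster:CreateTopic",
        "kafka-cluster:AlterTopic",
        "kafka-cluster:DeleteTopic",
        "kafka-cluster:ReadData",
        "kafka-cluster:WriteData",
        "kafka-cluster:WriteDataIdempotently"
      ],
      "Resource": [
        "arn:aws:kafka:REGION:ACCOUNT_ID:cluster/CLUSTER_NAME/CLUSTER_UUID",
        "arn:aws:kafka:REGION:ACCOUNT_ID:topic/CLUSTER_NAME/CLUSTER_UUID/*"
      ]
    },
    {
      "Sid": "KafkaConsumerGroupAccess",
      "Effect": "Allow",
      "Action": [
        "kafka-cluster:DescribeGroup",
        "kafka-cluster:AlterGroup"
      ],
      "Resource": [
        "arn:aws:kafka:REGION:ACCOUNT_ID:group/CLUSTER_NAME/CLUSTER_UUID/*"
      ]
    }
  ]
}
```

Before redeploying the task, you can confirm the role is actually allowed to do what the consumer needs with the IAM policy simulator, for example `aws iam simulate-principal-policy --policy-source-arn <task-role-arn> --action-names kafka-cluster:DescribeGroup kafka-cluster:AlterGroup --resource-arns <group-arn>`; each action should come back as `allowed`. The `group/.../*` wildcard can be narrowed to the specific consumer group name if the application only ever uses one.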

