By using AWS re:Post, you agree to the Terms of Use
/Amazon MSK Authentication and Authorization/

Amazon MSK Authentication and Authorization

0

Hello world,

Let's say I have 3 sets of users consuming 2 topics and I want: User 1 to have full control to both topics; User 2 can have full control to topic 1; User 3 can subscribe to topic 2.

What is the best way of implementing such?

Thank you

1 Answers
0

The recommended way to achieve this is using IAM authentication. IAM controls both who can be authenticated and authorized to use Amazon MSK resources. For your use case, "kafka-cluster:" Action must be allowed on all topics (eg : arn:aws:kafka:<region>:<account>:topic/ClusterName/) in the authorization policy of User 1.

Similar authorization policy can be used for User 2 and User 3 but only for one topic ( arn:aws:kafka:<region>:<account>:topic/ClusterName/<topicname>). Complete information about IAM authentication and authorization - [1] https://aws.amazon.com/blogs/big-data/securing-apache-kafka-is-easy-and-familiar-with-iam-access-control-for-amazon-msk/.

One other way if using SASL/SCRAM or TLS auth is to use ACLs. By setting ACLs you can restrict who can access topics - [2] https://docs.aws.amazon.com/msk/latest/developerguide/msk-acls.html

SUPPORT ENGINEER
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions