Amazon MSK Authentication and Authorization


Hello world,

Let's say I have 3 sets of users consuming 2 topics and I want: User 1 to have full control to both topics; User 2 can have full control to topic 1; User 3 can subscribe to topic 2.

What is the best way of implementing such?

Thank you

asked 3 years ago, 1558 views
1 Answer

The recommended way to achieve this is using IAM authentication. IAM controls both who can be authenticated and authorized to use Amazon MSK resources. For your use case, "kafka-cluster:" Action must be allowed on all topics (e.g. arn:aws:kafka:<region>:<account>:topic/ClusterName/) in the authorization policy of User 1.

A similar authorization policy can be used for User 2 and User 3, but only for one topic (arn:aws:kafka:<region>:<account>:topic/ClusterName/<topicname>). Complete information about IAM authentication and authorization - [1]

One other way if using SASL/SCRAM or TLS auth is to use ACLs. By setting ACLs you can restrict who can access topics - [2]

answered 3 years ago
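A sketch of the three IAM policies the answer describes, with a simplified check that each user gets only the intended topic access. This is an added example, not part of the original answer or AWS's own code. The region, account ID, topic names `topic1`/`topic2`, the wildcarded cluster-UUID ARN segment and the "any consumer group" scope are assumptions.

```python
import fnmatch
import json

# Assumed placeholders, not values from the thread.
REGION, ACCOUNT, CLUSTER = "us-east-1", "111122223333", "ClusterName"

FULL = ["kafka-cluster:*Topic*", "kafka-cluster:ReadData", "kafka-cluster:WriteData"]
READ = ["kafka-cluster:DescribeTopic", "kafka-cluster:ReadData"]
GROUP = ["kafka-cluster:DescribeGroup", "kafka-cluster:AlterGroup"]

def arn(kind, name=None):
    # MSK ARNs carry the cluster UUID after the cluster name; "*" matches any UUID.
    base = f"arn:aws:kafka:{REGION}:{ACCOUNT}:{kind}/{CLUSTER}/*"
    return base if name is None else f"{base}/{name}"

def allow(actions, resources):
    return {"Effect": "Allow", "Action": actions, "Resource": resources}

def policy(full=(), read=()):
    # Every client needs Connect on the cluster; consumers also need group access.
    stmts = [allow(["kafka-cluster:Connect"], [arn("cluster")]),
             allow(GROUP, [arn("group", "*")])]
    if full:
        stmts.append(allow(FULL, [arn("topic", t) for t in full]))
    if read:
        stmts.append(allow(READ, [arn("topic", t) for t in read]))
    return {"Version": "2012-10-17", "Statement": stmts}

POLICIES = {
    "user1": policy(full=["topic1", "topic2"]),  # full control of both topics
    "user2": policy(full=["topic1"]),            # full control of topic 1 only
    "user3": policy(read=["topic2"]),            # subscribe (read) to topic 2 only
}

def allowed(pol, action, resource):
    # Simplified: Allow statements and "*" wildcards only, not full IAM evaluation.
    return any(
        any(fnmatch.fnmatchcase(action, a) for a in s["Action"])
        and any(fnmatch.fnmatchcase(resource, r) for r in s["Resource"])
        for s in pol["Statement"] if s["Effect"] == "Allow")

if __name__ == "__main__":
    print(json.dumps(POLICIES["user3"], indent=2))
```

Attach each generated document to the IAM user or role the client authenticates as; the `allowed` helper is only a quick least-privilege sanity check before deployment.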
