By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How do you setup cross-account IAM authentication in AWS MSK?

0

We have an AWS MSK Cluster setup with IAM Authentication in Account A. We are able to setup an IAM Role in Account A, and allow that role to be assumed by a user in Account B to allow a user cross-account access to the cluster. If we want to run something like AWS Glue for example in Account B that needs to run as an IAM Role in Account B, how can we setup cross-account access to the Cluster in Account A? For other services we would configure a service policy that allows the cross-account trust relationship. I do not see anything like this on the MSK Cluster resource. The only thing I can think of is to use SCRAM authentication with pre-shared user credentials in a secret. However, we really need to use IAM authentication for compliance.

Topics
Security, Identity, & ComplianceAnalytics
Tags
AWS Identity and Access ManagementAmazon Managed Streaming for Apache Kafka (Amazon MSK)
Language
English
dude0001
asked 2 years ago3397 views
1 Answer
0
Accepted Answer

We ended up using the cross-account assume role. We setup a role in Account B that allowed the needed access to MSK and allow sts:AssumeRole from Account A. We then added a policy to the Glue execution role in Account A that allows assuming the role in Account B. In Glue, we then setup the https://github.com/aws/aws-msk-iam-auth handler to assume the role in Account B.

dude0001
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content