How do you setup cross-account IAM authentication in AWS MSK?
We have an AWS MSK Cluster setup with IAM Authentication in Account A. We are able to setup an IAM Role in Account A, and allow that role to be assumed by a user in Account B to allow a user cross-account access to the cluster. If we want to run something like AWS Glue for example in Account B that needs to run as an IAM Role in Account B, how can we setup cross-account access to the Cluster in Account A? For other services we would configure a service policy that allows the cross-account trust relationship. I do not see anything like this on the MSK Cluster resource. The only thing I can think of is to use SCRAM authentication with pre-shared user credentials in a secret. However, we really need to use IAM authentication for compliance.
We ended up using the cross-account assume role. We setup a role in Account B that allowed the needed access to MSK and allow sts:AssumeRole from Account A. We then added a policy to the Glue execution role in Account A that allows assuming the role in Account B. In Glue, we then setup the https://github.com/aws/aws-msk-iam-auth handler to assume the role in Account B.
IAM Policy that allows only access to "Switch Role"asked 2 months ago
Using MSK as trigger to a Lambda with SASL/SCRAM Authenticationasked a month ago
How do you setup cross-account IAM authentication in AWS MSK?Accepted Answerasked 4 months ago
How do you automate IAM Role Creation in Customers AWS account?asked a month ago
Aws MSK security behaviour when both IAM and SCRAM enabledAccepted Answerasked 6 months ago
AWS MSK IAM Authentication with MSK Connectasked 5 months ago
Amazon MSK Authentication and Authorizationasked 6 months ago
How to connect Glue to MSK with IAM authentication?asked 7 months ago
MSK Connect - Failed to create using in-built AWSServiceRoleForKafkaConnect roleasked 5 months ago
Is it possible to assign MFA for AWS IAM role?asked 5 months ago