Is it possible to run MSK connect with cross-account MSK Serverless cluster?

1

Hi team,

My use case: I have a centralized MSK Serverless cluster in one AWS account (Kafka Account). Other teams will be accessing this cluster from their own AWS accounts using PrivateLink and a cross-account IAM role configured in the Kafka Account. They also need to run MSK Connect in their accounts and connect to MSK Serverless in the Kafka Account.

Question: Is there a way to tell MSK Connect to assume role in a different account?

Currently I can't seem to find a way to do it. When I create an MSK connector and supply a cross-account IAM role, I get an error that it is not allowed. Also, a resource-based policy seems to be available for MSK Provisioned but not for MSK Serverless. Per https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-workers.html the MSK Connect worker config doesn't accept "sasl.*" properties, so I can't specify a cross-account role in the configuration properties.

Any help would really be appreciated!

asked 9 months ago · 401 views
4 Answers
1

Thanks a lot Mahesh!

If it's possible to share an approx. ETA for resource-based policy availability for MSK Serverless, that would be super helpful. I see there is a cluster policy in the AWS console for the MSK Serverless cluster that allows some sharing with other accounts, but I can't add "kafka-cluster:*" actions to it.

answered 7 months ago
0

Hello there,

As MSK Serverless only supports IAM authentication, and it doesn't have any resource-based policy yet, unfortunately it is not possible to access an MSK Serverless cluster from a cross-account MSK Connect at the moment.

AWS
SUPPORT ENGINEER
answered 7 months ago
0

Hello there,

I just checked it again and observed that there is a new change in MSK Serverless which allows you to add a cluster policy.

You can customise that cluster policy by clicking on the Advanced option and giving the required actions and resources.

Please refer to the below screenshot:


AWS
SUPPORT ENGINEER
answered 7 months ago
0

Thanks Mahesh,

That looks like exactly what I need. However, when I try to add "kafka-cluster:*" actions to this policy I get the following error:

The cluster policy is not valid. Action field includes AWS services that inconsistent with specified vendor.


Is there anything I'm doing wrong?

The consumer application requires "kafka-cluster:Connect" permissions to connect to the Kafka cluster - https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions:~:text=to%20serverless%20clusters-,kafka%2Dcluster%3AConnect,-Grants%20permission%20to.

When I try connecting with the permissions from your screenshot I get an Access Denied error.

Thanks, Pavel

answered 6 months ago
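As an added example (not code from the thread, from AWS or from the MSK documentation), the helper below builds the least-privilege identity policy a consumer such as an MSK Connect service execution role needs for the `kafka-cluster:Connect`, `DescribeTopic`, `ReadData`, `DescribeGroup` and `AlterGroup` actions discussed above, checks whether a given policy document actually grants an action on a resource (the "Access Denied" symptom), and lists actions in a proposed cluster policy whose service prefix is not `kafka:`. The cluster ARN, topic and group names are constructed placeholders, and the last check rests on an assumption: that the console error quoted in the thread means the cluster policy only accepts actions in the `kafka:` namespace and rejects `kafka-cluster:*`.

```python
import fnmatch
import json

# Constructed placeholder ARN for the centralized cluster in the "Kafka Account";
# the real cluster name and UUID are not part of the thread.
CLUSTER_ARN = ("arn:aws:kafka:us-east-1:111111111111:cluster/"
               "kafka-account-cluster/00000000-0000-0000-0000-000000000000-s1")


def _sub_resource(cluster_arn: str, kind: str, name: str) -> str:
    """Derive a topic/group ARN from the cluster ARN using MSK's ARN layout
    (...:topic/<cluster-name>/<cluster-uuid>/<topic>, same for group)."""
    prefix, cluster_path = cluster_arn.split(":cluster/", 1)
    return f"{prefix}:{kind}/{cluster_path}/{name}"


def consumer_role_policy(cluster_arn: str, topic: str, group: str) -> dict:
    """Least-privilege identity policy for a consumer (e.g. an MSK Connect
    service execution role) reading one topic with one consumer group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["kafka-cluster:Connect"],
             "Resource": cluster_arn},
            {"Effect": "Allow",
             "Action": ["kafka-cluster:DescribeTopic", "kafka-cluster:ReadData"],
             "Resource": _sub_resource(cluster_arn, "topic", topic)},
            {"Effect": "Allow",
             "Action": ["kafka-cluster:DescribeGroup", "kafka-cluster:AlterGroup"],
             "Resource": _sub_resource(cluster_arn, "group", group)},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_action(policy: dict, action: str, resource: str) -> bool:
    """True if an Allow statement matches both action and resource (with IAM-style
    '*' wildcards). An explicit Deny on a matching statement wins, as in IAM."""
    allowed = False
    for st in policy.get("Statement", []):
        act_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
        res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
        if act_hit and res_hit:
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def foreign_service_actions(cluster_policy: dict, expected_service: str = "kafka") -> list:
    """Actions whose service prefix differs from the cluster policy's own service.
    ASSUMPTION: the console error in the thread is read as rejecting any prefix
    other than 'kafka:' (so 'kafka-cluster:*' is flagged); this mirrors the asker's
    symptom and is not documented behaviour."""
    flagged = []
    for st in cluster_policy.get("Statement", []):
        for a in _as_list(st.get("Action", [])):
            if a != "*" and a.split(":", 1)[0] != expected_service:
                flagged.append(a)
    return flagged


if __name__ == "__main__":
    policy = consumer_role_policy(CLUSTER_ARN, "orders", "orders-reader")
    print(json.dumps(policy, indent=2))
    print("Connect granted:", grants_action(policy, "kafka-cluster:Connect", CLUSTER_ARN))
    proposed = {"Statement": [{"Effect": "Allow",
                               "Action": ["kafka:DescribeCluster", "kafka-cluster:*"],
                               "Resource": "*"}]}
    print("Flagged in cluster policy:", foreign_service_actions(proposed))
```

Running the module prints the generated policy and shows `kafka-cluster:*` flagged in the proposed cluster policy while `kafka:DescribeCluster` passes; `grants_action` is deliberately scoped to one document and does not model cross-account evaluation, which is exactly the piece the thread says MSK Serverless lacks.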
