
Creating a policy for Apache Kafka (MSK)


Hi guys. Help me please. I have a task, I need to create a policy with these permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

But when I specify "Resource": [ "*" ] then I see the message

PassRole With Star In Resource: Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.

My task is to bind the "Resource" to the user account and preferably to the region in which it works. But no matter how many JSON variants I try, I get an error. My JSON code looks like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "arn:aws:lambda:eu-central-1::123456789012:user/xxxx*",
                "arn:aws:lambda:us-west-2::123456789012:user/xxxx*"
            ]
        }
    ]
}

I have tried many different options but can't get the result I want. Help me please.

1 Answer

Have you tried using the Visual editor to help you with this? It guides you through policy creation.

The policy you've provided allows all actions you listed on all resources (*) with an "Allow" effect. This is likely too permissive and could pose a security risk. You should specify the specific resources and actions that are needed for your use case. For instance, you can specify a specific Amazon Resource Name (ARN) for the resource. You should also consider adding a condition to the policy. This will allow you to further restrict access to the resources and actions. For example, you can restrict access to a specific IP address, user, or time of day.

Here is an example policy that is more restrictive:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "iam:CreateRole",
            "iam:PutRolePolicy",
            "lambda:CreateFunction",
            "lambda:InvokeAsync",
            "lambda:InvokeFunction",
            "iam:PassRole"
         ],
         "Resource":[
            "arn:aws:iam::123456789012:role/lambda-execution-role"
         ],
         "Condition":{
            "IpAddress":{
               "aws:SourceIp":"192.0.2.0/24"
            }
         }
      }
   ]
}

The above example policy is just an example, you should use values that match your use case.

answered 3 years ago
  • Thank you very much for your help, I already figured it out and found this policy in the AWS documentation

