Additional SER permissions for SASL/SCRAM and customer managed keys
The AWSMSKReplicatorExecutionRole managed policy covers cluster, topic, and consumer group permissions for IAM authentication. When you replicate to or from a cluster that uses SASL/SCRAM authentication (for example, when migrating from a self-managed Apache Kafka cluster), or when your SCRAM secret or private CA certificate is encrypted with a customer managed key (CMK), you need to attach additional inline permissions to the service execution role (SER).
Use the snippets below in addition to the managed policy. Pick the scenario that matches your setup.
SASL/SCRAM secret (with or without TLS root CA secret)
Grants the SER permission to read SCRAM credentials and (optionally) the private CA certificate from AWS Secrets Manager. Replace <saslSecretArn> with your SCRAM secret ARN and <privateCaCertSecretArn> with the secret holding the CA certificate (omit the second ARN if you use a publicly trusted certificate).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecretsManagerPermissions",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "<saslSecretArn>",
                "<privateCaCertSecretArn>"
            ]
        }
    ]
}
SCRAM secret or CA certificate encrypted with a customer managed key
If the secret or certificate is encrypted with a CMK rather than the AWS-managed key, also grant kms:Decrypt on the CMK. Replace <customerManagedKeyArn> with the CMK ARN.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecretsManagerPermissions",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "<saslSecretArn>",
                "<privateCaCertSecretArn>"
            ]
        },
        {
            "Sid": "KmsPermissions",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": [
                "<customerManagedKeyArn>"
            ]
        }
    ]
}
Note
If you prefer wider scoping consistent with the MSK Connect configuration provider permissions, you can use arn:aws:secretsmanager:<region>:<accountID>:secret:AmazonMSK_* as the resource pattern instead of individual secret ARNs.
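The following script is an added example, not code from the AWS documentation: it checks an SER inline policy offline for the Secrets Manager grants and the kms:Decrypt grant described above, honouring the AmazonMSK_* resource pattern from the Note. All ARNs, the account id and the key id are constructed placeholders.

```python
# Added example: offline check of the extra SER grants this page describes (not AWS code).
import fnmatch

# The four Secrets Manager actions the page lists for the SCRAM / CA-certificate secrets.
REQUIRED_SM_ACTIONS = {
    "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds",
}

def _as_list(value):
    # IAM accepts a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def allowed_actions_for(policy, arn):
    """Union of actions that Allow statements grant on `arn`; Resource entries may be
    IAM '*' patterns such as ...:secret:AmazonMSK_*. Simplification: Deny statements,
    NotAction/NotResource and Condition blocks are not evaluated."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(arn, p) for p in _as_list(stmt.get("Resource", []))):
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def missing_grants(policy, secret_arns, cmk_arn=None):
    """Findings as strings; an empty list means the SER can read each secret and,
    if cmk_arn is given, decrypt with the customer managed key."""
    findings = []
    for arn in secret_arns:
        missing = REQUIRED_SM_ACTIONS - allowed_actions_for(policy, arn)
        if missing:
            findings.append(f"{arn}: missing {sorted(missing)}")
    if cmk_arn and "kms:Decrypt" not in allowed_actions_for(policy, cmk_arn):
        findings.append(f"{cmk_arn}: missing ['kms:Decrypt'] (secret is CMK-encrypted)")
    return findings

# Constructed sample values: account id, region, secret name and key id are placeholders.
SCRAM_SECRET = "arn:aws:secretsmanager:us-east-1:111122223333:secret:AmazonMSK_replicator_scram-AbCdEf"
CMK = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
# Uses the wider AmazonMSK_* scoping from the Note, but forgets the KmsPermissions statement.
POLICY_NO_KMS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SecretsManagerPermissions", "Effect": "Allow", "Action": sorted(REQUIRED_SM_ACTIONS),
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:AmazonMSK_*"}]}

def demo():
    # Same policy before and after appending the page's KmsPermissions statement.
    kms_stmt = {"Sid": "KmsPermissions", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": [CMK]}
    fixed = {**POLICY_NO_KMS, "Statement": POLICY_NO_KMS["Statement"] + [kms_stmt]}
    return missing_grants(POLICY_NO_KMS, [SCRAM_SECRET], CMK), missing_grants(fixed, [SCRAM_SECRET], CMK)
```

Run it against the inline policy exported from the SER (for example with the IAM get-role-policy output) to confirm the kms:Decrypt grant is present whenever the secret uses a CMK.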