Create authorization policies for the IAM role
Attach an authorization policy to the IAM role that corresponds to the client. In an authorization policy, you specify which actions to allow or deny for the role. If your client is on an Amazon EC2 instance, associate the authorization policy with the IAM role for that Amazon EC2 instance. Alternatively, you can configure your client to use a named profile, and then you associate the authorization policy with the role for that named profile. Configure clients for IAM access control describes how to configure a client to use a named profile.
For information about how to create an IAM policy, see Creating IAM policies.
The following is an example authorization policy for a cluster named
MyTestCluster. To understand the semantics of the Action and
Resource elements, see Semantics of IAM authorization policy actions and resources.
Important
Changes that you make to an IAM policy are reflected in the IAM APIs and the AWS CLI immediately. However, it can take noticeable time for the policy change to take effect. In most cases, policy changes take effect in less than a minute. Network conditions may sometimes increase the delay.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kafka-cluster:Connect", "kafka-cluster:AlterCluster", "kafka-cluster:DescribeCluster" ], "Resource": [ "arn:aws:kafka:us-east-1:0123456789012:cluster/MyTestCluster/abcd1234-0123-abcd-5678-1234abcd-1" ] }, { "Effect": "Allow", "Action": [ "kafka-cluster:*Topic*", "kafka-cluster:WriteData", "kafka-cluster:ReadData" ], "Resource": [ "arn:aws:kafka:us-east-1:0123456789012:topic/MyTestCluster/*" ] }, { "Effect": "Allow", "Action": [ "kafka-cluster:AlterGroup", "kafka-cluster:DescribeGroup" ], "Resource": [ "arn:aws:kafka:us-east-1:0123456789012:group/MyTestCluster/*" ] } ] }
To learn how to create a policy with action elements that correspond to common Apache Kafka use cases, like producing and consuming data, see Common use cases for client authorization policy.
For Kafka versions 2.8.0 and above, the WriteDataIdempotently permission is deprecated (KIP-679enable.idempotence = true is set. Therefore, for Kafka versions 2.8.0 and above, IAM does not offer the same
functionality as Kafka ACLs. It is not possible to WriteDataIdempotently to a topic by only providing WriteData access to that topic. This does not affect the case when WriteData is provided to ALL topics. In that case, WriteDataIdempotently is allowed. This is due to differences in
implementation of IAM logic versus how the Kafka ACLs are implemented.
To work around this, we recommend using a policy similar to the sample below:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kafka-cluster:Connect", "kafka-cluster:AlterCluster", "kafka-cluster:DescribeCluster", "kafka-cluster:WriteDataIdempotently" ], "Resource": [ "arn:aws:kafka:us-east-1:0123456789012:cluster/MyTestCluster/abcd1234-0123-abcd-5678-1234abcd-1" ] }, { "Effect": "Allow", "Action": [ "kafka-cluster:*Topic*", "kafka-cluster:WriteData", "kafka-cluster:ReadData" ], "Resource": [ "arn:aws:kafka:us-east-1:0123456789012:topic/MyTestCluster/abcd1234-0123-abcd-5678-1234abcd-1/TestTopic" ] } ] }
In this case, WriteData allows writes to TestTopic, while WriteDataIdempotently allows idempotent writes to the cluster. It is important to note that WriteDataIdempotently is a cluster level permission. It cannot be used at the topic level. If WriteDataIdempotently is restricted to the topic level, this policy will not work.
