Create an IAM role for topics on MSK Serverless cluster
In this step, you perform two tasks. The first task is to create an IAM policy that grants access to create topics on the cluster and to send data to those topics. The second task is to create an IAM role and associate this policy with it. In a later step, we create a client machine that assumes this role and uses it to create a topic on the cluster and to send data to that topic.
To create an IAM policy that makes it possible to create topics and write to them
- Open the IAM console at https://console.aws.amazon.com/iam/.
- On the navigation pane, choose Policies.
- Choose Create Policy.
- Choose the JSON tab, then replace the JSON in the editor window with the following JSON. Replace region with the code of the AWS Region where you created your cluster. Replace Account-ID with your account ID. Replace msk-serverless-tutorial-cluster with the name of your serverless cluster.

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "kafka-cluster:Connect",
                  "kafka-cluster:AlterCluster",
                  "kafka-cluster:DescribeCluster"
              ],
              "Resource": [
                  "arn:aws:kafka:region:Account-ID:cluster/msk-serverless-tutorial-cluster/*"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "kafka-cluster:*Topic*",
                  "kafka-cluster:WriteData",
                  "kafka-cluster:ReadData"
              ],
              "Resource": [
                  "arn:aws:kafka:region:Account-ID:topic/msk-serverless-tutorial-cluster/*"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "kafka-cluster:AlterGroup",
                  "kafka-cluster:DescribeGroup"
              ],
              "Resource": [
                  "arn:aws:kafka:region:Account-ID:group/msk-serverless-tutorial-cluster/*"
              ]
          }
      ]
  }

  For instructions on how to write secure policies, see IAM access control.
- Choose Next: Tags.
- Choose Next: Review.
- For the policy name, enter a descriptive name, such as msk-serverless-tutorial-policy.
- Choose Create policy.
To create an IAM role and attach the policy to it
- On the navigation pane, choose Roles.
- Choose Create role.
- Under Common use cases, choose EC2, then choose Next: Permissions.
- In the search box, enter the name of the policy that you previously created for this tutorial. Then select the box to the left of the policy.
- Choose Next: Tags.
- Choose Next: Review.
- For the role name, enter a descriptive name, such as msk-serverless-tutorial-role.
- Choose Create role.
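The two tasks above (fill in the policy placeholders, then create a role that EC2 can assume) are easy to get subtly wrong by hand: a typo in the account ID or a Resource left as "*" silently widens who and what the role can reach. The following Python script is an added example, not code from the AWS documentation page: it renders the tutorial's policy document from the three values you would otherwise paste in, builds the EC2 trust policy that the console generates when you choose EC2 as the use case, and runs a small least-privilege lint over the result. The function names, the lint rules, and the sample region, account ID and cluster name are this example's own assumptions.

```python
"""Render and sanity-check the MSK Serverless tutorial IAM policy.

Added example (not from the AWS documentation page). The lint rules and
the sample values below are constructed for illustration.
"""
import json
import re

# Constructed sample values; substitute your own Region, account ID and cluster name.
SAMPLE_REGION = "us-east-1"
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_CLUSTER = "msk-serverless-tutorial-cluster"

_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")   # e.g. us-east-1, us-gov-west-1
_ACCOUNT_RE = re.compile(r"^\d{12}$")                     # AWS account IDs are 12 digits
_CLUSTER_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")         # assumed name pattern for the check


def _arn(region, account_id, resource):
    """Build an MSK ARN of the shape the tutorial uses."""
    return f"arn:aws:kafka:{region}:{account_id}:{resource}"


def build_topic_policy(region, account_id, cluster):
    """Return the tutorial's policy document with the placeholders filled in."""
    if not _REGION_RE.match(region):
        raise ValueError(f"not a Region code: {region!r}")
    if not _ACCOUNT_RE.match(account_id):
        raise ValueError("account ID must be 12 digits")
    if not _CLUSTER_RE.match(cluster):
        raise ValueError(f"invalid cluster name: {cluster!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # connect to and inspect the cluster itself
                "Effect": "Allow",
                "Action": ["kafka-cluster:Connect", "kafka-cluster:AlterCluster",
                           "kafka-cluster:DescribeCluster"],
                "Resource": [_arn(region, account_id, f"cluster/{cluster}/*")],
            },
            {   # create/alter/describe topics and read/write their data
                "Effect": "Allow",
                "Action": ["kafka-cluster:*Topic*", "kafka-cluster:WriteData",
                           "kafka-cluster:ReadData"],
                "Resource": [_arn(region, account_id, f"topic/{cluster}/*")],
            },
            {   # consumer-group bookkeeping
                "Effect": "Allow",
                "Action": ["kafka-cluster:AlterGroup", "kafka-cluster:DescribeGroup"],
                "Resource": [_arn(region, account_id, f"group/{cluster}/*")],
            },
        ],
    }


def build_ec2_trust_policy():
    """Trust policy the console attaches when EC2 is chosen as the use case."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def lint_policy(doc):
    """Return findings for Allow statements that are broader than the tutorial intends.

    Rules (this example's own): no Resource "*", no bare service wildcard such as
    "kafka-cluster:*", and every resource must be an ARN scoped to one cluster.
    """
    findings = []
    for i, stmt in enumerate(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action.split(":", 1)[1] == "*":
                findings.append(f"statement {i}: {action!r} grants every API in the service")
        for res in resources:
            if res == "*":
                findings.append(f"statement {i}: Resource '*' is not scoped to your cluster")
            elif not re.match(r"^arn:aws:kafka:[^:]+:\d{12}:(cluster|topic|group)/[^/]+/", res):
                findings.append(f"statement {i}: {res!r} is not a cluster-scoped MSK ARN")
    return findings


if __name__ == "__main__":
    policy = build_topic_policy(SAMPLE_REGION, SAMPLE_ACCOUNT_ID, SAMPLE_CLUSTER)
    print(json.dumps(policy, indent=4))
    print(json.dumps(build_ec2_trust_policy(), indent=4))
    print("lint:", lint_policy(policy) or "no findings")
```

The rendered documents are plain dicts, so the same values can be pasted into the console editor or passed through json.dumps to the AWS CLI or an SDK call that creates the policy and role. Running the lint again after any later edit to the policy is a cheap way to catch a Resource or Action that has drifted to a wildcard.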
Next Step
Create a client machine to access MSK Serverless cluster