Understand service execution role - Amazon Managed Streaming for Apache Kafka

Understand service execution role

Note

Amazon MSK Connect does not support using the Service-linked role as the service execution role. You must create a separate service execution role. For instructions on how to create a custom IAM role, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

When you create a connector with MSK Connect, you are required to specify an AWS Identity and Access Management (IAM) role to use with it. Your service execution role must have the following trust policy so that MSK Connect can assume it. For information about the condition context keys in this policy, see Prevent cross-service confused deputy problem.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "kafkaconnect.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "Account-ID" }, "ArnLike": { "aws:SourceArn": "MSK-Connector-ARN" } } } ] }

If the Amazon MSK cluster that you want to use with your connector is a cluster that uses IAM authentication, then you must add the following permissions policy to the connector's service execution role. For information on how to find your cluster's UUID and how to construct topic ARNs, see Authorization policy resources.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kafka-cluster:Connect", "kafka-cluster:DescribeCluster" ], "Resource": [ "cluster-arn" ] }, { "Effect": "Allow", "Action": [ "kafka-cluster:ReadData", "kafka-cluster:DescribeTopic" ], "Resource": [ "ARN of the topic that you want a sink connector to read from" ] }, { "Effect": "Allow", "Action": [ "kafka-cluster:WriteData", "kafka-cluster:DescribeTopic" ], "Resource": [ "ARN of the topic that you want a source connector to write to" ] }, { "Effect": "Allow", "Action": [ "kafka-cluster:CreateTopic", "kafka-cluster:WriteData", "kafka-cluster:ReadData", "kafka-cluster:DescribeTopic" ], "Resource": [ "arn:aws:kafka:region:account-id:topic/cluster-name/cluster-uuid/__amazon_msk_connect_*" ] }, { "Effect": "Allow", "Action": [ "kafka-cluster:AlterGroup", "kafka-cluster:DescribeGroup" ], "Resource": [ "arn:aws:kafka:region:account-id:group/cluster-name/cluster-uuid/__amazon_msk_connect_*", "arn:aws:kafka:region:account-id:group/cluster-name/cluster-uuid/connect-*" ] } ] }

Depending on the kind of connector, you might also need to attach to the service execution role a permissions policy that allows it to access AWS resources. For example, if your connector needs to send data to an S3 bucket, then the service execution role must have a permissions policy that grants permission to write to that bucket. For testing purposes, you can use one of the pre-built IAM policies that give full access, like arn:aws:iam::aws:policy/AmazonS3FullAccess. However, for security purposes, we recommend that you use the most restrictive policy that allows your connector to read from the AWS source or write to the AWS sink.