IAM permissions reference

The following table summarizes the IAM actions that the API caller (the IAM principal that calls CreateReplicator and other replicator APIs) needs. For complete policy examples, see IAM permissions required to create an MSK Replicator.

Action	Description
`kafka:CreateReplicator`	Grants permission to create a replicator.
`kafka:DescribeReplicator`	Grants permission to describe a replicator.
`kafka:UpdateReplicationInfo`	Grants permission to update replication info of a replicator.
`kafka:DeleteReplicator`	Grants permission to delete a replicator.
`kafka:ListReplicators`	Grants permission to list replicators.
`kafka:TagResource`	Grants permission to tag a replicator. Only needed if tags are provided during creation.
`kafka:ListTagsForResource`	Grants permission to list tags for a replicator.
`kafka:GetBootstrapBrokers`	Grants permission to retrieve bootstrap broker endpoints for the source and target clusters during replicator creation.
`kafka:DescribeClusterV2`	Grants permission to describe the source and target clusters during replicator creation.
`iam:PassRole`	Grants permission to pass the service execution role to `kafka.amazonaws.com`.
`iam:CreateServiceLinkedRole`	Grants permission to create the `AWSServiceRoleForKafka*` service-linked role on first use.
`ec2:DescribeSubnets`, `ec2:DescribeSecurityGroups`, `ec2:DescribeVpcs`	Grants permission to validate the VPC configuration provided to the replicator.

For service execution role permissions, see the AWSMSKReplicatorExecutionRole managed policy. For SASL/SCRAM and customer managed key scenarios, see Additional SER permissions for SASL/SCRAM and customer managed keys.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Log delivery permissions

Pricing