Authorization based on Amazon MSK tags
You can attach tags to Amazon MSK clusters. To control access based on tags, you provide tag information in the condition element of a policy using the kafka:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. For information about tagging Amazon MSK resources, see Tag an Amazon MSK cluster.
You can only control cluster access with the help of tags. To tag topics and consumer groups, you need to add a separate statement in your policies without tags.
To view an example of an identity-based policy for limiting access to a cluster based on the tags on that cluster, see Accessing Amazon MSK clusters based on tags.
You can use conditions in your identity-based policy to control access to Amazon MSK resources based on tags. The following example shows a policy that allows a user to describe the cluster, get its bootstrap brokers, list its broker nodes, update it, and delete it. However, this policy grants permission only if the cluster tag Owner has the value of that user's username. The second statement in the following policy allows access to the topics on the cluster. The first statement in this policy doesn't authorize any topic access.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessClusterIfOwner",
            "Effect": "Allow",
            "Action": [
                "kafka:Describe*",
                "kafka:Get*",
                "kafka:List*",
                "kafka:Update*",
                "kafka:Delete*"
            ],
            "Resource": "arn:aws:kafka:us-east-1:123456789012:cluster/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kafka-cluster:*Topic*",
                "kafka-cluster:WriteData",
                "kafka-cluster:ReadData"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:123456789012:topic/*"
            ]
        }
    ]
}
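To see how the tag condition in this policy behaves, the following is an added Python evaluator (example code written for this page, not part of AWS or any AWS SDK) that applies the policy above to constructed requests. The request context dict stands in for the caller's username and the cluster's tags, the ARNs are constructed samples, and only the StringEquals operator and Allow statements are modelled.

```python
import fnmatch
import re

# The policy from this page, as a Python dict (account id is the page's own placeholder).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccessClusterIfOwner", "Effect": "Allow",
         "Action": ["kafka:Describe*", "kafka:Get*", "kafka:List*", "kafka:Update*", "kafka:Delete*"],
         "Resource": "arn:aws:kafka:us-east-1:123456789012:cluster/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"}}},
        {"Effect": "Allow",
         "Action": ["kafka-cluster:*Topic*", "kafka-cluster:WriteData", "kafka-cluster:ReadData"],
         "Resource": ["arn:aws:kafka:us-east-1:123456789012:topic/*"]},
    ],
}
CLUSTER = "arn:aws:kafka:us-east-1:123456789012:cluster/demo/1111-2222"  # constructed sample ARN
TOPIC = "arn:aws:kafka:us-east-1:123456789012:topic/demo/1111-2222/orders"  # constructed sample ARN


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _substitute(value, ctx):
    # Resolve policy variables such as ${aws:username} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(condition, ctx):
    # Only StringEquals is modelled, since that is the operator the page's policy uses.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            # An absent tag key makes a plain StringEquals condition false (implicit deny).
            if key not in ctx or ctx[key] != _substitute(expected, ctx):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Simplified evaluation: some Allow statement must match action, resource and condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # the page's policy contains no Deny statements
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False  # no statement matched: implicit deny
```

Running it shows that an untagged cluster, or one whose Owner tag names another user, is denied for the cluster actions, while the topic statement allows ReadData and WriteData regardless of tags, which is the point of the page's remark that tags only control cluster access.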