本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
创建 Amazon MSK 复制器的注意事项
以下各节简要介绍了使用 MSK 复制器功能的先决条件、支持的配置和最佳实践。它涵盖了必要的权限、集群兼容性和 Serverless 特定的要求,以及有关创建后如何管理复制器的指导。
创建 MSK 复制器所需的 IAM 权限
以下是创建 MSK 复制器所需的 IAM policy 示例。只有在创建 MSK 复制器时提供了标签的情况下,才需要执行 kafka:TagResource 操作。应将复制器 IAM 策略附加到与您的客户端对应的 IAM 角色。有关创建授权策略的信息,请参阅创建授权策略。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MSKReplicatorIAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::123456789012:role/MSKReplicationRole",
"Condition": {
"StringEquals": {
"iam:PassedToService": "kafka.amazonaws.com"
}
}
},
{
"Sid": "MSKReplicatorServiceLinkedRole",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::123456789012:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"
},
{
"Sid": "MSKReplicatorEC2Actions",
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0abcd1234ef56789",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123abcd4567ef89",
"arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0a1b2c3d4e5f67890",
"arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0a1b2c3d4e5f67890"
]
},
{
"Sid": "MSKReplicatorActions",
"Effect": "Allow",
"Action": [
"kafka:CreateReplicator",
"kafka:TagResource"
],
"Resource": [
"arn:aws:kafka:us-east-1:123456789012:cluster/myCluster/abcd1234-56ef-78gh-90ij-klmnopqrstuv",
"arn:aws:kafka:us-east-1:123456789012:replicator/myReplicator/wxyz9876-54vu-32ts-10rq-ponmlkjihgfe"
]
}
]
}
以下是描述复制器的示例 IAM policy。需要 kafka:DescribeReplicator 操作或 kafka:ListTagsForResource 操作之一即可,而不是两者都需要。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kafka:DescribeReplicator",
"kafka:ListTagsForResource"
],
"Resource": "*"
}
]
}
