MSK Connect 的 IAM 政策範例 - Amazon Managed Streaming for Apache Kafka

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

MSK Connect 的 IAM 政策範例

若要讓非管理員使用者完整存取所有 MSK Connect 功能,請將類似以下的政策連接至使用者的 IAM 角色。政策中以「ARN of ...」表示的 Resource 值為預留位置,請先以您實際資源的 ARN 取代,再連接此政策。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kafkaconnect:*", "ec2:CreateNetworkInterface", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeSecurityGroups", "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/kafkaconnect.amazonaws.com/AWSServiceRoleForKafkaConnect*", "Condition": { "StringLike": { "iam:AWSServiceName": "kafkaconnect.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "arn:aws:iam::*:role/aws-service-role/kafkaconnect.amazonaws.com/AWSServiceRoleForKafkaConnect*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery*", "Condition": { "StringLike": { "iam:AWSServiceName": "delivery.logs.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "s3:PutBucketPolicy", "s3:GetBucketPolicy" ], "Resource": "ARN of the Amazon S3 bucket to which you want MSK Connect to deliver logs" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "ARN of the service execution role" }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "ARN of the Amazon S3 object that corresponds to the custom plugin that you want to use for creating connectors" }, { "Effect": "Allow", "Action": "firehose:TagDeliveryStream", "Resource": "ARN of the Firehose delivery stream to which you want MSK Connect to deliver logs" } ] }