本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
建立 MSK Replicator 所需的 IAM 許可
以下是建立 MSK Replicator 所需的 IAM 政策範例。只有在建立 MSK Replicator 時提供了標籤的情況下,才需要 kafka:TagResource 動作。複寫器 IAM 政策應連接至與用戶端對應的 IAM 角色。如需建立授權政策的相關資訊,請參閱建立授權政策。
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "MSKReplicatorIAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::123456789012:role/MSKReplicationRole",
"Condition": {
"StringEquals": {
"iam:PassedToService": "kafka.amazonaws.com"
}
}
},
{
"Sid": "MSKReplicatorServiceLinkedRole",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::123456789012:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"
},
{
"Sid": "MSKReplicatorEC2Actions",
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0abcd1234ef56789",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123abcd4567ef89",
"arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0a1b2c3d4e5f67890",
"arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0a1b2c3d4e5f67890"
]
},
{
"Sid": "MSKReplicatorActions",
"Effect": "Allow",
"Action": [
"kafka:CreateReplicator",
"kafka:TagResource"
],
"Resource": [
"arn:aws:kafka:us-east-1:123456789012:cluster/myCluster/abcd1234-56ef-78gh-90ij-klmnopqrstuv",
"arn:aws:kafka:us-east-1:123456789012:replicator/myReplicator/wxyz9876-54vu-32ts-10rq-ponmlkjihgfe"
]
}
]
}
以下是描述複寫器的 IAM 政策範例。
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kafka:DescribeReplicator",
"kafka:ListTagsForResource"
],
"Resource": "*"
}
]
}
啟用日誌交付時,您的 IAM 角色必須具有寫入已設定日誌目的地所需的額外許可。如需所需許可,請參閱從 AWS 服務啟用記錄。