
IAM permissions required to create an MSK Replicator - Amazon Managed Streaming for Apache Kafka

This page is a machine-translated version. If this translation differs from the original English text, the English original takes precedence.

IAM permissions required to create an MSK Replicator

The IAM principal (user or role) that calls CreateReplicator needs the permissions described in this section. Attach this policy to the IAM identity that corresponds to your client. For general guidance on creating authorization policies, see Creating authorization policies.

Start with the base policy below. If you also configure log delivery, attach the snippet for each destination you use (see Additional permissions for log delivery). For self-managed Apache Kafka migration scenarios, see the additional service execution role guidance in Migrating from a non-MSK Apache Kafka cluster to Amazon MSK Express brokers.

Base IAM policy

Replace the placeholders with your account ID, AWS Region, service execution role name, and the source and target cluster ARNs. kafka:TagResource is required only if you supply tags during creation.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MSKReplicatorIAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<accountID>:role/<serviceExecutionRoleName>",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "kafka.amazonaws.com"
                }
            }
        },
        {
            "Sid": "MSKReplicatorServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::<accountID>:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"
        },
        {
            "Sid": "MSKReplicatorActions",
            "Effect": "Allow",
            "Action": [
                "kafka:CreateReplicator",
                "kafka:DescribeReplicator",
                "kafka:DeleteReplicator",
                "kafka:ListReplicators",
                "kafka:ListTagsForResource",
                "kafka:UpdateReplicationInfo",
                "kafka:TagResource"
            ],
            "Resource": [
                "arn:aws:kafka:<region>:<accountID>:replicator/*"
            ]
        },
        {
            "Sid": "MSKReplicatorListActions",
            "Effect": "Allow",
            "Action": [
                "kafka:ListReplicators"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "EC2Actions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "MSKClusterActions",
            "Effect": "Allow",
            "Action": [
                "kafka:GetBootstrapBrokers",
                "kafka:DescribeClusterV2"
            ],
            "Resource": [
                "<sourceClusterArn>",
                "<targetClusterArn>"
            ]
        }
    ]
}
Note

The ec2:DescribeSubnets, ec2:DescribeSecurityGroups, and ec2:DescribeVpcs actions do not support resource-level permissions, so "Resource": "*" must be specified. See Actions, resources, and condition keys for Amazon EC2.
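The following Python helper is an added example, not code from this page or from Amazon MSK. It fills the placeholders of the base policy above from validated inputs and then checks that the iam:PassRole statement stays as narrow as the page's pattern (a single role ARN plus the iam:PassedToService condition), which is the statement most often widened to "*" when a policy is debugged in a hurry. The account ID, role name and cluster ARNs used in the test are constructed sample values.

```python
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
# MSK cluster ARN shape: arn:aws:kafka:<region>:<account>:cluster/<name>/<uuid-suffix>
CLUSTER_ARN_RE = re.compile(r"^arn:aws:kafka:[a-z0-9-]+:\d{12}:cluster/[^/]+/[0-9a-f-]+$")

def build_replicator_policy(account_id, region, role_name, source_arn, target_arn, with_tags=True):
    """Return the page's base policy with placeholders filled in. Inputs are
    validated so a typo does not produce a policy that matches nothing."""
    if not ACCOUNT_RE.match(account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    for arn in (source_arn, target_arn):
        if not CLUSTER_ARN_RE.match(arn):
            raise ValueError(f"not an MSK cluster ARN: {arn}")
    replicator_actions = ["kafka:CreateReplicator", "kafka:DescribeReplicator", "kafka:DeleteReplicator",
                          "kafka:ListReplicators", "kafka:ListTagsForResource", "kafka:UpdateReplicationInfo"]
    if with_tags:  # kafka:TagResource is only needed when tags are passed at creation time
        replicator_actions.append("kafka:TagResource")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "MSKReplicatorIAMPassRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
         "Condition": {"StringEquals": {"iam:PassedToService": "kafka.amazonaws.com"}}},
        {"Sid": "MSKReplicatorServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": f"arn:aws:iam::{account_id}:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"},
        {"Sid": "MSKReplicatorActions", "Effect": "Allow", "Action": replicator_actions,
         "Resource": [f"arn:aws:kafka:{region}:{account_id}:replicator/*"]},
        {"Sid": "MSKReplicatorListActions", "Effect": "Allow", "Action": ["kafka:ListReplicators"], "Resource": ["*"]},
        {"Sid": "EC2Actions", "Effect": "Allow",  # these ec2 Describe* actions have no resource-level permissions
         "Action": ["ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs"], "Resource": ["*"]},
        {"Sid": "MSKClusterActions", "Effect": "Allow",
         "Action": ["kafka:GetBootstrapBrokers", "kafka:DescribeClusterV2"], "Resource": [source_arn, target_arn]},
    ]}

def passrole_findings(policy):
    """List iam:PassRole Allow statements broader than the page's pattern:
    a wildcard role resource, or no iam:PassedToService limit to kafka.amazonaws.com."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") != "Allow" or "iam:PassRole" not in actions:
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            findings.append(f"{st.get('Sid')}: iam:PassRole allowed on a wildcard role resource")
        passed_to = st.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService", "")
        if "kafka.amazonaws.com" not in passed_to:  # works for both a string and a list value
            findings.append(f"{st.get('Sid')}: iam:PassRole not limited to kafka.amazonaws.com")
    return findings
```

Run passrole_findings against any policy you intend to attach; an empty list means the PassRole grant is as tight as the base policy on this page.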