Step 2: Create an IAM role granting access to create topics on the Amazon MSK cluster
In this step, you perform two tasks. The first task is to create an IAM policy that grants access to create topics on the cluster and to send data to those topics. The second task is to create an IAM role and associate this policy with it. In a later step, you create a client machine that assumes this role and uses it to create a topic on the cluster and to send data to that topic.
To create an IAM policy that makes it possible to create topics and write to them
Open the IAM console at https://console.aws.amazon.com/iam/. On the navigation pane, choose Policies.
Choose Create Policy.
Choose the JSON tab, then replace the JSON in the editor window with the following JSON.
Replace region with the code of the AWS region where you created your cluster. Replace Account-ID with your account ID. Replace MSKTutorialCluster with the name of your cluster.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kafka-cluster:Connect",
        "kafka-cluster:AlterCluster",
        "kafka-cluster:DescribeCluster"
      ],
      "Resource": [
        "arn:aws:kafka:region:Account-ID:cluster/MSKTutorialCluster/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kafka-cluster:*Topic*",
        "kafka-cluster:WriteData",
        "kafka-cluster:ReadData"
      ],
      "Resource": [
        "arn:aws:kafka:region:Account-ID:topic/MSKTutorialCluster/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kafka-cluster:AlterGroup",
        "kafka-cluster:DescribeGroup"
      ],
      "Resource": [
        "arn:aws:kafka:region:Account-ID:group/MSKTutorialCluster/*"
      ]
    }
  ]
}
For instructions on how to write secure policies, see IAM access control.
Choose Next: Tags.
Choose Next: Review.
For the policy name, enter a descriptive name, such as msk-tutorial-policy.
Choose Create policy.
To create an IAM role and attach the policy to it
On the navigation pane, choose Roles.
Choose Create role.
Under Common use cases, choose EC2, then choose Next: Permissions.
In the search box, enter the name of the policy that you previously created for this tutorial. Then select the box to the left of the policy.
Choose Next: Tags.
Choose Next: Review.
For the role name, enter a descriptive name, such as msk-tutorial-role.
Choose Create role.
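The two procedures above, worked as code. This is an added example and not part of the AWS tutorial: it renders the tutorial's policy with the three placeholders filled in, audits every Resource ARN to confirm it is scoped to one cluster in one account (a bare "*" or a wildcarded cluster name is reported), and expands the kafka-cluster:*Topic* action pattern against a list of kafka-cluster actions. An IAM "*" matches any characters, so that pattern covers DeleteTopic and AlterTopic as well as CreateTopic, which is broader than the step heading "create topics" suggests; narrow it if the client only needs to create and describe topics. The region, account ID and cluster name in the usage call are constructed values, the KNOWN_ACTIONS list is this example's own (a subset of the MSK action set as known to its author), and EC2_TRUST_POLICY is the trust relationship the IAM console attaches when you choose the EC2 use case in the role procedure.

```python
"""Render the tutorial's MSK IAM policy and audit it for least privilege.

Added example, not part of the AWS tutorial: fills the three placeholders,
checks every Resource ARN is scoped to a single cluster, and expands the
"kafka-cluster:*Topic*" wildcard so the grant it makes is visible.
"""
import copy
import json
import re
from fnmatch import fnmatchcase

# The tutorial's permissions policy, verbatim, with its placeholders.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kafka-cluster:Connect", "kafka-cluster:AlterCluster",
                    "kafka-cluster:DescribeCluster"],
         "Resource": ["arn:aws:kafka:region:Account-ID:cluster/MSKTutorialCluster/*"]},
        {"Effect": "Allow",
         "Action": ["kafka-cluster:*Topic*", "kafka-cluster:WriteData",
                    "kafka-cluster:ReadData"],
         "Resource": ["arn:aws:kafka:region:Account-ID:topic/MSKTutorialCluster/*"]},
        {"Effect": "Allow",
         "Action": ["kafka-cluster:AlterGroup", "kafka-cluster:DescribeGroup"],
         "Resource": ["arn:aws:kafka:region:Account-ID:group/MSKTutorialCluster/*"]},
    ],
}

# Trust policy the IAM console attaches for the "EC2" use case: only EC2
# instances (via their instance profile) may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Subset of kafka-cluster actions used to expand wildcards (this example's
# own list, drawn from the MSK action set as known to its author).
KNOWN_ACTIONS = [
    "kafka-cluster:Connect", "kafka-cluster:AlterCluster", "kafka-cluster:DescribeCluster",
    "kafka-cluster:CreateTopic", "kafka-cluster:DeleteTopic", "kafka-cluster:DescribeTopic",
    "kafka-cluster:AlterTopic", "kafka-cluster:DescribeTopicDynamicConfiguration",
    "kafka-cluster:AlterTopicDynamicConfiguration", "kafka-cluster:WriteData",
    "kafka-cluster:ReadData", "kafka-cluster:AlterGroup", "kafka-cluster:DescribeGroup",
    "kafka-cluster:DeleteGroup",
]

# A properly scoped MSK ARN: real region code, 12-digit account, a literal
# cluster name (no '*'), then the resource path.
ARN_RE = re.compile(
    r"arn:aws:kafka:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12}):"
    r"(?P<kind>cluster|topic|group|transactional-id)/(?P<cluster>[^/*]+)/.*"
)


def render_policy(region, account_id, cluster_name):
    """Substitute the placeholders inside each Resource ARN after validating the inputs."""
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        raise ValueError(f"not an AWS region code: {region!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account ID must be exactly 12 digits")
    if not cluster_name or any(c in cluster_name for c in "*:/?"):
        raise ValueError("cluster name must be a literal name, not a pattern")
    policy = copy.deepcopy(POLICY_TEMPLATE)
    for stmt in policy["Statement"]:
        stmt["Resource"] = [
            r.replace("region", region).replace("Account-ID", account_id)
             .replace("MSKTutorialCluster", cluster_name)
            for r in stmt["Resource"]
        ]
    return policy


def audit_policy(policy):
    """Return findings for resources that are not scoped to one cluster in one account."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*":
                findings.append(f"statement {i}: Resource '*' covers every cluster in the account")
            elif ARN_RE.fullmatch(res) is None:
                findings.append(f"statement {i}: ARN is malformed, has an unfilled "
                                f"placeholder, or wildcards the cluster name: {res}")
    return findings


def expand_actions(pattern, known=KNOWN_ACTIONS):
    """Known actions an IAM action pattern matches ('*'/'?' wildcards, case-insensitive)."""
    return sorted(a for a in known if fnmatchcase(a.lower(), pattern.lower()))


def granted_actions(policy, known=KNOWN_ACTIONS):
    """Flatten every Allow statement to the concrete known actions it covers."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            granted.update(expand_actions(action, known))
    return sorted(granted)


if __name__ == "__main__":
    # Constructed sample values; replace with your own region, account and cluster.
    policy = render_policy("us-east-1", "111122223333", "demo-cluster")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy) or "none")
    print("kafka-cluster:*Topic* expands to:", expand_actions("kafka-cluster:*Topic*"))
    print("trust policy:", json.dumps(EC2_TRUST_POLICY))
```

Run it as-is to see the rendered policy and the expansion; feed the output of audit_policy into a pre-commit or CI check if the policy is kept in source control, so a later edit that widens a Resource to "*" is caught before it reaches the console.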
Next Step
Step 3: Create a client machine