
Service-linked role permissions for Amazon MSK - Amazon Managed Streaming for Apache Kafka

Amazon MSK uses the service-linked role named AWSServiceRoleForKafka. Amazon MSK uses this role to access your resources and perform operations such as:

  • *NetworkInterface – create and manage network interfaces in the customer account that make cluster brokers accessible to clients in the customer VPC.

  • *VpcEndpoints – manage VPC endpoints in the customer account that make cluster brokers accessible to clients in the customer VPC using AWS PrivateLink. Amazon MSK uses the DescribeVpcEndpoints, ModifyVpcEndpoint, and DeleteVpcEndpoints permissions for this.

  • secretsmanager – manage client credentials with AWS Secrets Manager.

  • GetCertificateAuthorityCertificate – retrieve the certificate for your private certificate authority.

This service-linked role is attached to the following managed policy: KafkaServiceRolePolicy. For updates to this policy, see KafkaServiceRolePolicy.

The AWSServiceRoleForKafka service-linked role trusts the following services to assume the role:

  • kafka.amazonaws.com

The role permissions policy allows Amazon MSK to complete the following actions on resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:AttachNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeVpcEndpoints",
        "acm-pca:GetCertificateAuthorityCertificate",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyVpcEndpoint"
      ],
      "Resource": "arn:*:ec2:*:*:subnet/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVpcEndpoints",
        "ec2:ModifyVpcEndpoint"
      ],
      "Resource": "arn:*:ec2:*:*:vpc-endpoint/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AWSMSKManaged": "true"
        },
        "StringLike": {
          "ec2:ResourceTag/ClusterArn": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:DeleteResourcePolicy",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "secretsmanager:SecretId": "arn:*:secretsmanager:*:*:secret:AmazonMSK_*"
        }
      }
    }
  ]
}
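
The conditions in the last two statements are what keep this role from touching arbitrary VPC endpoints or secrets: the endpoint must carry the AWSMSKManaged=true tag and a ClusterArn tag, and the secret name must start with AmazonMSK_. The following Python is an added example, not part of the AWS documentation or the service, that evaluates a request against those conditional statements so you can see that scoping in action. The account ID, secret names and endpoint ID are constructed placeholders, and the matcher is a simplified model of IAM wildcard and tag-condition semantics, not IAM's evaluation engine (no Deny statements, no NotAction, no policy variables).

```python
import re

# Conditional statements of KafkaServiceRolePolicy, copied from the page.
# The unconditional "Resource": "*" statement is omitted on purpose.
STATEMENTS = [
    {"Action": ["ec2:ModifyVpcEndpoint"],
     "Resource": "arn:*:ec2:*:*:subnet/*"},
    {"Action": ["ec2:DeleteVpcEndpoints", "ec2:ModifyVpcEndpoint"],
     "Resource": "arn:*:ec2:*:*:vpc-endpoint/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/AWSMSKManaged": "true"},
                   "StringLike": {"ec2:ResourceTag/ClusterArn": "*"}}},
    {"Action": ["secretsmanager:GetResourcePolicy", "secretsmanager:PutResourcePolicy",
                "secretsmanager:DeleteResourcePolicy", "secretsmanager:DescribeSecret"],
     "Resource": "*",
     "Condition": {"ArnLike": {"secretsmanager:SecretId":
                               "arn:*:secretsmanager:*:*:secret:AmazonMSK_*"}}},
]

def wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def condition_holds(cond, ctx):
    """Every StringEquals/StringLike/ArnLike key must be present in the request
    context and match; a missing tag or context key fails the statement."""
    for key, expected in cond.get("StringEquals", {}).items():
        if ctx.get(key) != expected:
            return False
    for operator in ("StringLike", "ArnLike"):
        for key, pattern in cond.get(operator, {}).items():
            if key not in ctx or not wildcard_match(pattern, ctx[key]):
                return False
    return True

def is_allowed(action, resource_arn, ctx):
    """True if any statement above allows `action` on `resource_arn` given the
    request context (resource tags, secret ID)."""
    for st in STATEMENTS:
        if (action in st["Action"] and wildcard_match(st["Resource"], resource_arn)
                and condition_holds(st.get("Condition", {}), ctx)):
            return True
    return False

if __name__ == "__main__":
    # Constructed placeholders: account 123456789012, made-up secret names.
    msk_secret = "arn:aws:secretsmanager:us-east-1:123456789012:secret:AmazonMSK_c1-AbC123"
    other_secret = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-XyZ789"
    for arn in (msk_secret, other_secret):
        print(arn, "->", is_allowed("secretsmanager:DescribeSecret", arn,
                                    {"secretsmanager:SecretId": arn}))
```

Run it to confirm that a secret outside the AmazonMSK_ prefix, or a VPC endpoint without the AWSMSKManaged tag, is not covered by this role's permissions.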

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.