MSK Connect 的 IAM policy 示例
要向非管理员用户授予对所有 MSK Connect 功能的完全访问权限,请将如下策略附加到该用户的 IAM 角色。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kafkaconnect:*", "ec2:CreateNetworkInterface", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeSecurityGroups", "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/kafkaconnect.amazonaws.com/AWSServiceRoleForKafkaConnect*", "Condition": { "StringLike": { "iam:AWSServiceName": "kafkaconnect.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "arn:aws:iam::*:role/aws-service-role/kafkaconnect.amazonaws.com/AWSServiceRoleForKafkaConnect*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery*", "Condition": { "StringLike": { "iam:AWSServiceName": "delivery.logs.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "s3:PutBucketPolicy", "s3:GetBucketPolicy" ], "Resource": "ARN of the Amazon S3 bucket to which you want MSK Connect to deliver logs" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "ARN of the service execution role" }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "ARN of the Amazon S3 object that corresponds to the custom plugin that you want to use for creating connectors" }, { "Effect": "Allow", "Action": "firehose:TagDeliveryStream", "Resource": "ARN of the Firehose delivery stream to which you want MSK Connect to deliver logs" } ] }
