MSK with SASL/SCRAM authentication. I can access the cluster but can't perform any action


Hi,

We're currently building an MSK cluster. We use 2 types of authentication for 2 different clients.

The IAM authentication works fine.

But for the SASL/SCRAM authentication that's not the case: we created a secret for username/password connection and linked it to the MSK cluster.

Using our client or a UI client for Windows, it's the same issue: we have a connection but with limited functionality (like creating a topic or reading one).

Please take a look at the error the UI client returns:

Could not complete DescribeConfigs action: you can try to continue with limited functionality. ClusterAuthorizationException: Cluster authorization failed. Make sure that your user has all access rights (DescribeConsumerGroups, DescribeCluster, DescribeConfigs) for full functionality.

Also take a look at our AWS secret policy JSON file:

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Sid" : "......",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "kafka.amazonaws.com"
    },
    "Action" : "secretsmanager:getSecretValue",
    "Resource" : "arn:aws:secretsmanager:eu-west-3...............Z"
  } ]
}

Do we need to modify the ACL policies directly on the Kafka instance? How?

Thanks

1 Answer

It seems like you've changed allow.everyone.if.no.acl.found to false.

If that's the case, then you won't have access with the SCRAM auth method until you enable ACLs. So you need to run the kafka-acls command and add permissions to the user you use to read topics, or write...

For example, you will need to use a user that already has permissions to set up ACLs; alternatively, you can use an unauthenticated method, or ZooKeeper instead of bootstrap servers, so authentication is not checked:

kafka/bin/kafka-acls.sh --bootstrap-server msk:9096 \
  --command-config adminclient-configs.conf \
  --add \
  --allow-principal User:boris \
  --allow-principal User:ed \
  --operation read \
  --operation write \
  --topic my-topic
AWS
EdbE
answered a month ago
EXPERT
reviewed a month ago
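The answer above shows a single kafka-acls invocation for a topic, but the error in the question names cluster-level operations (DescribeCluster, DescribeConfigs) and a consumer-group operation (DescribeConsumerGroups) as well, which need ACLs on the cluster and group resources, not only on the topic. The following script is an added example, not code from the question, the answer or AWS: it writes the SASL/SCRAM client properties the `--command-config` flag expects (MSK's SCRAM listener is on port 9096 over TLS) and grants one application user the minimal cluster, topic and group ACLs. The broker endpoint, user names, topic and group names are placeholders, `KAFKA_BIN` is assumed to point at a Kafka distribution, and `ADMIN_USER` is assumed to be a principal that is already allowed to manage ACLs, as the answer describes.

```shell
#!/bin/sh
# Added example (not the poster's or AWS's code): grant a SCRAM user the
# cluster-, topic- and group-level ACLs needed for Describe/DescribeConfigs,
# Read and Write. All names below are placeholders; override via environment.
set -eu

KAFKA_ACLS="${KAFKA_ACLS:-${KAFKA_BIN:-kafka/bin}/kafka-acls.sh}"
BOOTSTRAP="${BOOTSTRAP:-b-1.example-msk.eu-west-3.amazonaws.com:9096}"  # placeholder endpoint
CONF="${CONF:-adminclient-configs.conf}"
ADMIN_USER="${ADMIN_USER:-admin}"   # assumed: a principal already allowed to manage ACLs
APP_USER="${APP_USER:-boris}"       # the SCRAM user that currently gets ClusterAuthorizationException
TOPIC="${TOPIC:-my-topic}"
GROUP="${GROUP:-my-consumer-group}"

# Client properties for SASL/SCRAM over TLS. The password comes from the
# environment so it never appears in shell history or in this file.
write_client_config() {
  cat > "$1" <<EOF
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="$ADMIN_USER" password="${MSK_SCRAM_PASSWORD:?set MSK_SCRAM_PASSWORD}";
EOF
}

# Shared connection flags for every kafka-acls.sh call.
acls() {
  "$KAFKA_ACLS" --bootstrap-server "$BOOTSTRAP" --command-config "$CONF" "$@"
}

# DescribeCluster and DescribeConfigs are authorized against the cluster resource.
grant_cluster_acls() {
  acls --add --allow-principal "User:$APP_USER" \
       --operation Describe --operation DescribeConfigs --cluster
}

# Producing and consuming a topic: Read, Write and Describe on that topic only.
grant_topic_acls() {
  acls --add --allow-principal "User:$APP_USER" \
       --operation Read --operation Write --operation Describe --topic "$TOPIC"
}

# Consumer-group membership and DescribeConsumerGroups: Read and Describe on the group.
grant_group_acls() {
  acls --add --allow-principal "User:$APP_USER" \
       --operation Read --operation Describe --group "$GROUP"
}

# Verify what was actually written before handing the credentials to the client.
list_acls() {
  acls --list --cluster
  acls --list --topic "$TOPIC"
  acls --list --group "$GROUP"
}

# Only touch the cluster when explicitly asked, so sourcing the file is side-effect free.
if [ "${APPLY_ACLS:-0}" = 1 ]; then
  write_client_config "$CONF"
  grant_cluster_acls
  grant_topic_acls
  grant_group_acls
  list_acls
fi
```

Run it with `MSK_SCRAM_PASSWORD=... APPLY_ACLS=1 sh grant-acls.sh`. Each grant is scoped to one user and one resource rather than a wildcard, so the SCRAM user ends up with exactly the rights the error message lists and nothing more; `list_acls` is the check that the ACLs landed on the cluster the client is actually talking to.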
