Kafka ACL with IAM

Question

Does Kafka ACLs work with IAM authentication in MSK Cluster? I see that authorization is dictated by IAM policies, but what role would ACL play and which one would take precedence IAM rule or ACL rule?

Answer

Hi,

Apache Kafka ACLs stored in Apache ZooKeeper for a MSK Cluster have no effect on authorization for IAM roles[1]. When using IAM authentication, authorization for MSK resources(Cluster, topics, etc) is granted by IAM policies, irrespective of the ACLs configured.

Hope it helps.

[1] https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#:~:text=You%20can%20invoke%20Apache%20Kafka%20ACL%20APIs%20for%20an%20MSK%20cluster%20that%20uses%20IAM%20access%20control.%20However%2C%20Apache%20Kafka%20ACLs%20stored%20in%20Apache%20ZooKeeper%20have%20no%20effect%20on%20authorization%20for%20IAM%20roles.%20You%20must%20use%20IAM%20policies%20to%20control%20access%20for%20IAM%20roles.

Kafka ACL with IAM

Contenus pertinents