Amazon MSK Connect - IAM role

0

Hi, I need to set up an MSK Connect service on top of my MSK service. The purpose is to connect the MSK service to my DocumentDB service. Eventually, there will be 2 connectors: source & sink. I understand that I need to create a role and assign permissions. However, I can't figure out what permissions I need to assign to the role, and I can't find a working example. Please advise. Rudi

2 Answers
0

When you create a connector with MSK Connect, you are required to specify an AWS Identity and Access Management (IAM) role to use with it. The service execution role must have the following in the trust relationship policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "kafkaconnect.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "Account-ID"
        },
        "ArnLike": {
          "aws:SourceArn": "MSK-Connector-ARN"
        }
      }
    }   
  ]
}

If the Amazon MSK cluster that you want to use with your connector is a cluster that uses IAM authentication, then you must add the additional permissions policy to the connector's service execution role. Kindly refer to this AWS documentation for the details in regard to the permissions policy requirement.

Also, MSK Connect uses the service-linked role named AWSServiceRoleForKafkaConnect, which allows Amazon MSK Connect to access Amazon resources on your behalf. MSK Connect defines the permissions of its service-linked roles, and unless defined otherwise, only MSK Connect can assume its roles. Kindly refer to this AWS document in regard to details of the "Service linked role" used by MSK Connect.

AWS
Support Engineer
Varun
Answered 2 years ago
0

You say

"MSK-Connector-ARN"

I don't know what you mean. Can you give an example of what it looks like and where it comes from?

Answered 1 year ago
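
Added example, not part of either answer and not AWS's own code: a small Python helper that fills in the two placeholders of the trust policy from the first answer ("Account-ID" and "MSK-Connector-ARN", the value asked about in the second) and audits a trust policy for the two confused-deputy conditions. The connector ARN layout, the trailing wildcard for the id assigned at creation, and the sample account id and connector name are assumptions; the audit handles single string condition values only.

```python
import json
import re

SERVICE = "kafkaconnect.amazonaws.com"
# Assumed connector ARN layout (verify against the ARN shown for your connector):
#   arn:aws:kafkaconnect:<region>:<account-id>:connector/<name>/<generated-id>
ARN_RE = re.compile(r"^arn:aws[\w-]*:kafkaconnect:([a-z0-9-]+|\*):(\d{12}):connector/.+$")


def build_trust_policy(account_id, region, connector_name):
    """Fill the answer's two placeholders; '*' stands in for the generated id."""
    arn = f"arn:aws:kafkaconnect:{region}:{account_id}:connector/{connector_name}/*"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id},
                      "ArnLike": {"aws:SourceArn": arn}}}]}


def audit_trust_policy(policy):
    """Return findings for Allow statements that trust the MSK Connect service."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or SERVICE not in ([services] if isinstance(services, str) else services):
            continue
        cond = st.get("Condition", {})
        account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        arn = cond.get("ArnLike", {}).get("aws:SourceArn")
        if not account:
            findings.append(f"statement {i}: no aws:SourceAccount condition")
        elif not re.fullmatch(r"\d{12}", account):
            findings.append(f"statement {i}: aws:SourceAccount is not a 12-digit id: {account!r}")
        m = ARN_RE.match(arn) if arn else None
        if not arn:
            findings.append(f"statement {i}: no aws:SourceArn condition")
        elif not m:
            findings.append(f"statement {i}: aws:SourceArn is not a connector ARN: {arn!r}")
        elif account and m.group(2) != account:
            findings.append(f"statement {i}: aws:SourceArn account differs from aws:SourceAccount")
    return findings


if __name__ == "__main__":
    # Constructed sample values: 111122223333 and "docdb-sink" are placeholders.
    policy = build_trust_policy("111122223333", "us-east-1", "docdb-sink")
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy) or "no findings")
```

Run against the template exactly as posted, the audit reports both placeholders as unfilled; once the connector exists, the wildcard can be replaced with the full ARN that the console or CLI shows for it.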
