AWS MSK 连接器角色配置

问题描述 投票:0回答:1

我正在 aws Msk 上为 kafka 创建一个 Neo4jSource,以连接 AWS 上的 Neo4j 集群。 我创建了自定义插件,但是当我开始在输入“身份和访问管理(IAM)角色”中的“访问权限”选项卡上配置连接器时,必须创建一个 Rol 我选择“自定义信任策略”并粘贴包含自定义信任策略的 Json。 json 是:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:Connect",
                "kafka-cluster:DescribeCluster"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXXX:cluster/msk-kafka-cluster-Pro/XXXX"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:ReadData",
                "kafka-cluster:DescribeTopic"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXX:cluster/msk-kafka-cluster-Pro/XXXX/to-mongo-topic"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:WriteData",
                "kafka-cluster:DescribeTopic"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXXX:cluster/msk-kafka-cluster-Pro/e64cdbb3-4f3c-4e80-81e0-b5ff9b1ff6f9-s2/from-neo4j-topic"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:CreateTopic",
                "kafka-cluster:WriteData",
                "kafka-cluster:ReadData",
                "kafka-cluster:DescribeTopic"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXXX:topic/msk-kafka-cluster-Pro/XXXXX/__amazon_msk_connect_*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:AlterGroup",
                "kafka-cluster:DescribeGroup"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXXX:group/msk-kafka-cluster-Pro/XXXXXX/__amazon_msk_connect_*",
                "arn:aws:kafka:us-east-1:XXXXX:group/msk-kafka-cluster-Pro/XXXXX/connect-*"
            ]
        }
    ]
}

使用此配置,错误是:

role trust policy sintax error

错误: 角色信任策略语法错误资源:角色信任策略适用于它们附加到的角色。您无法指定资源。删除 Resource 或 NotResource 元素。

如何解决该错误?或者为此目的向我发送 json 模板

amazon-web-services aws-roles aws-msk-connect
1个回答
0
投票

自定义信任策略应仅包含 STS 语句,因为 MSK Connect 即服务将尝试承担您定义的角色。请阅读文档了解更多信息,但这只是一个简单的示例:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "kafkaconnect.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "Account-ID"
        },
        "ArnLike": {
          "aws:SourceArn": "MSK-Connector-ARN"
        }
      }
    }   
  ]
}

至于实际的授权策略,需要定义为权限策略(定义的或内联的),而不是信任。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.