Create an Amazon MSK cluster that supports client authentication - Amazon Managed Streaming for Apache Kafka

Create an Amazon MSK cluster that supports client authentication

This procedure shows you how to enable client authentication using an Amazon Private CA.

Note

We highly recommend using an independent Amazon Private CA for each MSK cluster when you use mutual TLS to control access. Doing so ensures that a client certificate signed by a given PCA can authenticate to only a single MSK cluster.

  1. Create a file named clientauthinfo.json with the following contents. Replace Private-CA-ARN with the ARN of your PCA.

    { "Tls": { "CertificateAuthorityArnList": ["Private-CA-ARN"] } }
  2. Create a file named brokernodegroupinfo.json as described in Create a provisioned Amazon MSK cluster using the Amazon CLI.

  3. Client authentication requires that you also enable encryption in transit between clients and brokers. Create a file named encryptioninfo.json with the following contents. Replace KMS-Key-ARN with the ARN of your KMS key. You can set ClientBroker to TLS or TLS_PLAINTEXT; TLS_PLAINTEXT additionally keeps a plaintext listener on which the client certificate check does not apply, so use TLS unless you need the plaintext listener.

    { "EncryptionAtRest": { "DataVolumeKMSKeyId": "KMS-Key-ARN" }, "EncryptionInTransit": { "InCluster": true, "ClientBroker": "TLS" } }

    For more information about encryption, see Amazon MSK encryption.

  4. On a machine where you have the Amazon CLI installed, run the following command to create a cluster with authentication and in-transit encryption enabled. Save the cluster ARN provided in the response.

    aws kafka create-cluster --cluster-name "AuthenticationTest" --broker-node-group-info file://brokernodegroupinfo.json --encryption-info file://encryptioninfo.json --client-authentication file://clientauthinfo.json --kafka-version "{YOUR KAFKA VERSION}" --number-of-broker-nodes 3
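The four steps above wired together as a small shell script, as an added example that is not part of the AWS documentation. It assumes an OUT_DIR variable for where the JSON files are written, that brokernodegroupinfo.json already exists there from step 2, and uses constructed placeholder ARNs; it rejects inputs that would silently weaken the setup before the API call is made.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): builds the two JSON
# files from the procedure above, rejecting inputs that would silently
# weaken the setup, then runs the create-cluster call.
# Assumed: OUT_DIR is where the files are written (defaults to cwd).
OUT_DIR="${OUT_DIR:-.}"

# Step 1: clientauthinfo.json. Only an Amazon Private CA ARN is accepted;
# any other ARN (for example a KMS key ARN pasted by mistake) is rejected here.
write_client_auth_info() {
  pca_arn="$1"
  case "$pca_arn" in
    arn:aws*:acm-pca:*:*:certificate-authority/*) ;;
    *) echo "not an Amazon Private CA ARN: $pca_arn" >&2; return 1 ;;
  esac
  printf '{ "Tls": { "CertificateAuthorityArnList": ["%s"] } }\n' \
    "$pca_arn" > "$OUT_DIR/clientauthinfo.json"
}

# Step 3: encryptioninfo.json. mTLS needs a TLS listener, so only TLS or
# TLS_PLAINTEXT are accepted; TLS_PLAINTEXT also keeps a plaintext listener
# where the certificate check does not apply, so TLS is the default here.
write_encryption_info() {
  kms_arn="$1"
  client_broker="${2:-TLS}"
  case "$client_broker" in
    TLS|TLS_PLAINTEXT) ;;
    *) echo "ClientBroker must be TLS or TLS_PLAINTEXT, got: $client_broker" >&2; return 1 ;;
  esac
  printf '{ "EncryptionAtRest": { "DataVolumeKMSKeyId": "%s" },\n  "EncryptionInTransit": { "InCluster": true, "ClientBroker": "%s" } }\n' \
    "$kms_arn" "$client_broker" > "$OUT_DIR/encryptioninfo.json"
}

# Step 4: create the cluster and print only its ARN. brokernodegroupinfo.json
# must already exist in OUT_DIR (step 2). Requires AWS credentials; not run offline.
create_cluster() {
  cluster_name="$1"; kafka_version="$2"
  aws kafka create-cluster \
    --cluster-name "$cluster_name" \
    --broker-node-group-info "file://$OUT_DIR/brokernodegroupinfo.json" \
    --encryption-info "file://$OUT_DIR/encryptioninfo.json" \
    --client-authentication "file://$OUT_DIR/clientauthinfo.json" \
    --kafka-version "$kafka_version" \
    --number-of-broker-nodes 3 \
    --query ClusterArn --output text
}
```

Run the two write functions, then `create_cluster "AuthenticationTest" "<your Kafka version>"` once the broker node group file is in place.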