创建 Amazon MSK 复制器的注意事项 - Amazon Managed Streaming for Apache Kafka
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

创建 Amazon MSK 复制器的注意事项

以下各节简要介绍了使用 MSK 复制器功能的先决条件、支持的配置和最佳实践。它涵盖了必要的权限、集群兼容性和 Serverless 特定的要求,以及有关创建后如何管理复制器的指导。

创建 MSK 复制器所需的 IAM 权限

以下是创建 MSK 复制器所需的 IAM policy 示例。只有在创建 MSK 复制器时提供了标签的情况下,才需要执行 kafka:TagResource 操作。应将复制器 IAM 策略附加到与您的客户端对应的 IAM 角色。有关创建授权策略的信息,请参阅 C reate authorization

{ "Version": "2012-10-17", "Statement": [ { "Sid": "MSKReplicatorIAMPassRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/MSKReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "kafka.amazonaws.com" } } }, { "Sid": "MSKReplicatorServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::123456789012:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*" }, { "Sid": "MSKReplicatorEC2Actions", "Effect": "Allow", "Action": [ "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:CreateNetworkInterface" ], "Resource": [ "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0abcd1234ef56789", "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123abcd4567ef89", "arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0a1b2c3d4e5f67890", "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0a1b2c3d4e5f67890" ] }, { "Sid": "MSKReplicatorActions", "Effect": "Allow", "Action": [ "kafka:CreateReplicator", "kafka:TagResource" ], "Resource": [ "arn:aws:kafka:us-east-1:123456789012:cluster/myCluster/abcd1234-56ef-78gh-90ij-klmnopqrstuv", "arn:aws:kafka:us-east-1:123456789012:replicator/myReplicator/wxyz9876-54vu-32ts-10rq-ponmlkjihgfe" ] } ] }

以下是描述复制器的示例 IAM policy。需要 kafka:DescribeReplicator 操作或 kafka:ListTagsForResource 操作之一即可,而不是两者都需要。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "kafka:DescribeReplicator", "kafka:ListTagsForResource" ], "Resource": "*" } ] }