Service-linked role permissions for Amazon MSK
Amazon MSK uses the service-linked role named AWSServiceRoleForKafka. Amazon MSK uses this role to access your resources and perform operations such as:
- NetworkInterface – create and manage network interfaces in the customer account that make cluster brokers accessible to clients in the customer VPC.
- VpcEndpoints – manage VPC endpoints in the customer account that make cluster brokers accessible to clients in the customer VPC using AWS PrivateLink. Amazon MSK uses the permissions DescribeVpcEndpoints, ModifyVpcEndpoint and DeleteVpcEndpoints.
- secretsmanager – manage client credentials with AWS Secrets Manager.
- GetCertificateAuthorityCertificate – retrieve the certificate for your private certificate authority.
This service-linked role is attached to the following managed policy: KafkaServiceRolePolicy. For updates to this policy, see KafkaServiceRolePolicy.
The AWSServiceRoleForKafka service-linked role trusts the following services to assume the role:
- kafka.amazonaws.com
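A defender-side check that the role's trust policy still lets only kafka.amazonaws.com assume it, as an added example that is not part of this page or of the AWS documentation. The sample policy document is constructed in the standard IAM policy format (an assumption about the real role's document, not a copy of it); in practice the input would come from `iam:GetRole` output.

```python
import json

# Constructed sample trust policy in the standard IAM policy document format.
# This is an assumption about the shape of the AWSServiceRoleForKafka trust
# policy, not the real document; feed the output of iam:GetRole in practice.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "kafka.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
})

# The only principal this page says should be trusted to assume the role.
EXPECTED_PRINCIPALS = {"kafka.amazonaws.com"}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy_json):
    """Return every principal (Service, AWS, Federated or '*') that an Allow
    statement in the trust policy permits to call sts:AssumeRole."""
    doc = json.loads(trust_policy_json)
    principals = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals.add("*")  # anyone may assume the role: always a finding
        elif isinstance(principal, dict):
            for key in ("Service", "AWS", "Federated"):
                principals.update(_as_list(principal.get(key)))
    return principals


def trust_policy_is_expected(trust_policy_json, expected=EXPECTED_PRINCIPALS):
    """True only when exactly the expected principals can assume the role."""
    return assume_role_principals(trust_policy_json) == set(expected)


if __name__ == "__main__":
    print(trust_policy_is_expected(SAMPLE_TRUST_POLICY))  # True
```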
The role permissions policy allows Amazon MSK to complete the following actions on resources.
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.