

This page is a machine-translated version. If the content of this translation differs from the English original, the English original takes precedence.

# IAM permissions required to create an MSK Replicator
<a name="msk-replicator-create-iam-perms"></a>

The IAM principal (user or role) that calls `CreateReplicator` needs the permissions described in this section. Attach this policy to the IAM identity that your client uses. For general guidance on creating authorization policies, see [Create authorization policies](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#create-iam-access-control-policies).

Start with the **base policy** below. If you also configure log delivery, attach the snippet for each destination you use (see [Additional permissions for log delivery](msk-replicator-create-iam-perms-logs.md)). For the self-managed Apache Kafka migration scenario, see the additional service execution role guidance in [Migrate from a non-MSK Apache Kafka cluster to Amazon MSK Express brokers](msk-replicator-migrate-external.md).

## Base IAM policy
<a name="msk-replicator-create-iam-perms-base"></a>

Replace the placeholders with your account ID, AWS Region, service execution role name, and the source and target cluster ARNs. `kafka:TagResource` is required only if you supply tags at creation time.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MSKReplicatorIAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<accountID>:role/<serviceExecutionRoleName>",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "kafka.amazonaws.com"
                }
            }
        },
        {
            "Sid": "MSKReplicatorServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::<accountID>:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"
        },
        {
            "Sid": "MSKReplicatorActions",
            "Effect": "Allow",
            "Action": [
                "kafka:CreateReplicator",
                "kafka:DescribeReplicator",
                "kafka:DeleteReplicator",
                "kafka:ListReplicators",
                "kafka:ListTagsForResource",
                "kafka:UpdateReplicationInfo",
                "kafka:TagResource"
            ],
            "Resource": [
                "arn:aws:kafka:<region>:<accountID>:replicator/*"
            ]
        },
        {
            "Sid": "MSKReplicatorListActions",
            "Effect": "Allow",
            "Action": [
                "kafka:ListReplicators"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "EC2Actions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "MSKClusterActions",
            "Effect": "Allow",
            "Action": [
                "kafka:GetBootstrapBrokers",
                "kafka:DescribeClusterV2"
            ],
            "Resource": [
                "<sourceClusterArn>",
                "<targetClusterArn>"
            ]
        }
    ]
}
```

**Note**  
The `ec2:DescribeSubnets`, `ec2:DescribeSecurityGroups`, and `ec2:DescribeVpcs` actions do not support resource-level permissions, so `"Resource": "*"` must be specified for them. See [Actions, resources, and condition keys for Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html).
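The following is an added example, not part of the AWS documentation: a small Python linter that checks a filled-in caller policy for the three properties this page relies on (the `iam:PassRole` grant is pinned to `kafka.amazonaws.com` through `iam:PassedToService`, `"Resource": "*"` is used only for the actions that cannot be scoped, and no `<placeholder>` values remain). The account ID and role name in the constructed sample policies are made up.

```python
import re

# Actions this page grants on "Resource": "*": the EC2 Describe calls cannot be
# scoped by resource, and the base policy lists kafka:ListReplicators on "*".
WILDCARD_OK = {"ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
               "ec2:DescribeVpcs", "kafka:ListReplicators"}
PLACEHOLDER = re.compile(r"<[A-Za-z]+>")  # e.g. <accountID>, <sourceClusterArn>


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return findings for a caller policy; an empty list means it passes."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # 1. iam:PassRole must be pinned to the Kafka service via
        #    iam:PassedToService, as in the MSKReplicatorIAMPassRole statement.
        if "iam:PassRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("iam:PassedToService") != "kafka.amazonaws.com":
                findings.append(f"{sid}: iam:PassRole lacks iam:PassedToService=kafka.amazonaws.com")
        # 2. Wildcard resources are acceptable only for actions that cannot be scoped.
        if "*" in resources:
            for action in actions:
                if action not in WILDCARD_OK:
                    findings.append(f"{sid}: {action} should be scoped to an ARN, not '*'")
        # 3. Placeholders left in ARNs mean the policy was never filled in.
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append(f"{sid}: placeholder left in Resource {res}")
    return findings


# Constructed sample policies (account ID and role name are made up).
SAMPLE_GOOD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "MSKReplicatorIAMPassRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/MSKReplicatorRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "kafka.amazonaws.com"}}},
    {"Sid": "EC2Actions", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs"]}]}
SAMPLE_BAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "Cluster", "Effect": "Allow", "Action": "kafka:DescribeClusterV2",
     "Resource": "<sourceClusterArn>"}]}
```

Run `lint_policy` on your own filled-in policy (for example after `json.load`) before attaching it; a non-empty result points at the statement `Sid` to fix.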