

This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# IAM permissions required to create an MSK Replicator
<a name="msk-replicator-create-iam-perms"></a>

The IAM principal (user or role) that calls `CreateReplicator` needs the permissions described in this section. Attach this policy to the IAM identity that corresponds to your client. For general guidance on creating authorization policies, see [Create authorization policies](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#create-iam-access-control-policies).

Start with the **base policy** below. If you also configure log delivery, append the snippet for each destination you use (see [Additional permissions for log delivery](msk-replicator-create-iam-perms-logs.md)). For self-managed Apache Kafka migration scenarios, see the additional service execution role guidance in [Migrate from a non-MSK Apache Kafka cluster to Amazon MSK Express brokers](msk-replicator-migrate-external.md).

## Base IAM policy
<a name="msk-replicator-create-iam-perms-base"></a>

Replace the placeholders with your account ID, AWS Region, service execution role name, and source and target cluster ARNs. The `kafka:TagResource` action is required only if you supply tags during creation.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MSKReplicatorIAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<accountID>:role/<serviceExecutionRoleName>",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "kafka.amazonaws.com"
                }
            }
        },
        {
            "Sid": "MSKReplicatorServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::<accountID>:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"
        },
        {
            "Sid": "MSKReplicatorActions",
            "Effect": "Allow",
            "Action": [
                "kafka:CreateReplicator",
                "kafka:DescribeReplicator",
                "kafka:DeleteReplicator",
                "kafka:ListReplicators",
                "kafka:ListTagsForResource",
                "kafka:UpdateReplicationInfo",
                "kafka:TagResource"
            ],
            "Resource": [
                "arn:aws:kafka:<region>:<accountID>:replicator/*"
            ]
        },
        {
            "Sid": "MSKReplicatorListActions",
            "Effect": "Allow",
            "Action": [
                "kafka:ListReplicators"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "EC2Actions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "MSKClusterActions",
            "Effect": "Allow",
            "Action": [
                "kafka:GetBootstrapBrokers",
                "kafka:DescribeClusterV2"
            ],
            "Resource": [
                "<sourceClusterArn>",
                "<targetClusterArn>"
            ]
        }
    ]
}
```

**Note**  
The `ec2:DescribeSubnets`, `ec2:DescribeSecurityGroups`, and `ec2:DescribeVpcs` actions do not support resource-level permissions, so you must specify `"Resource": "*"`. See [Actions, resources, and condition keys for Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html).
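As an added example (not part of the AWS documentation), the following Python renders the base policy above from its placeholders and audits a policy document for the mistakes that matter here: an `iam:PassRole` statement missing the `iam:PassedToService` condition, `"Resource": "*"` on actions that do support resource-level scoping, and unreplaced placeholders. The account ID, Region, role name and cluster ARNs in the `__main__` block are constructed sample values.

```python
import json
import re

# Actions that support no resource-level permissions, so "*" is the only valid Resource:
# the EC2 Describe* calls from the note above, plus kafka:ListReplicators, which the base
# policy grants on "*".
WILDCARD_ONLY_ACTIONS = {
    "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
    "kafka:ListReplicators",
}

def render_policy(account_id, region, role_name, source_arn, target_arn, with_tags=False):
    """Fill the base-policy placeholders; kafka:TagResource is added only when tags are supplied."""
    replicator_actions = ["kafka:CreateReplicator", "kafka:DescribeReplicator", "kafka:DeleteReplicator",
                          "kafka:ListReplicators", "kafka:ListTagsForResource", "kafka:UpdateReplicationInfo"]
    if with_tags:
        replicator_actions.append("kafka:TagResource")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "MSKReplicatorIAMPassRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
         "Condition": {"StringEquals": {"iam:PassedToService": "kafka.amazonaws.com"}}},
        {"Sid": "MSKReplicatorServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": f"arn:aws:iam::{account_id}:role/aws-service-role/kafka.amazonaws.com/AWSServiceRoleForKafka*"},
        {"Sid": "MSKReplicatorActions", "Effect": "Allow", "Action": replicator_actions,
         "Resource": [f"arn:aws:kafka:{region}:{account_id}:replicator/*"]},
        {"Sid": "MSKReplicatorListActions", "Effect": "Allow", "Action": ["kafka:ListReplicators"], "Resource": ["*"]},
        {"Sid": "EC2Actions", "Effect": "Allow",
         "Action": sorted(a for a in WILDCARD_ONLY_ACTIONS if a.startswith("ec2:")), "Resource": ["*"]},
        {"Sid": "MSKClusterActions", "Effect": "Allow",
         "Action": ["kafka:GetBootstrapBrokers", "kafka:DescribeClusterV2"], "Resource": [source_arn, target_arn]},
    ]}

def audit_policy(policy):
    """Return findings for the mistakes that most often creep in when this policy is hand-edited."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "iam:PassRole" in actions:
            passed_to = st.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
            if passed_to != "kafka.amazonaws.com":
                findings.append(f"{st['Sid']}: iam:PassRole must be conditioned on iam:PassedToService=kafka.amazonaws.com")
        if "*" in resources and not set(actions) <= WILDCARD_ONLY_ACTIONS:
            findings.append(f"{st['Sid']}: Resource \"*\" used for actions that support resource-level scoping")
        for r in resources:
            if re.search(r"<\w+>", r):  # a placeholder such as <accountID> was never replaced
                findings.append(f"{st['Sid']}: unreplaced placeholder in {r}")
    return findings

if __name__ == "__main__":  # constructed sample values, not a real account or cluster
    policy = render_policy("123456789012", "us-east-1", "MSKReplicatorExecRole",
                           "arn:aws:kafka:us-east-1:123456789012:cluster/src/11111111-1111-1111-1111-111111111111-1",
                           "arn:aws:kafka:us-east-1:123456789012:cluster/dst/22222222-2222-2222-2222-222222222222-2",
                           with_tags=True)
    print(json.dumps(policy, indent=4), audit_policy(policy) or "no findings")
```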