MSK

AWS IAM Integration

Kpow supports IAM Access Control for AWS MSK.

Set the Kpow connection fields for SASL over TLS with the AWS_MSK_IAM mechanism, e.g.

SSL_TRUSTSTORE_LOCATION=<PATH_TO_TRUST_STORE_FILE>
SECURITY_PROTOCOL=SASL_SSL
SASL_MECHANISM=AWS_MSK_IAM
SASL_JAAS_CONFIG=software.amazon.msk.auth.iam.IAMLoginModule required;
SASL_CLIENT_CALLBACK_HANDLER_CLASS=software.amazon.msk.auth.iam.IAMClientCallbackHandler

See the AWS documentation for more information, including the JAAS config for authenticating with a named AWS credentials profile instead of the default credential provider chain.

Example IAM policy for Kpow

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kafka-cluster:*"
            ],
            "Resource": "arn:aws:kafka:<REGION>:<ACCOUNT-ID>:cluster/<CLUSTER-NAME>/<GUID>"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kafka-cluster:*Topic*",
                "kafka-cluster:WriteData",
                "kafka-cluster:ReadData"
            ],
            "Resource": "arn:aws:kafka:<REGION>:<ACCOUNT-ID>:topic/<CLUSTER-NAME>/<GUID>/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kafka-cluster:AlterGroup",
                "kafka-cluster:DescribeGroup"
            ],
            "Resource": "arn:aws:kafka:<REGION>:<ACCOUNT-ID>:group/<CLUSTER-NAME>/<GUID>/*"
        }
    ]
}

All three resource ARNs follow the MSK format arn:aws:kafka:<REGION>:<ACCOUNT-ID>:<type>/<CLUSTER-NAME>/<GUID>, so the region, account, cluster name and GUID must match across the cluster, topic and group statements. Note that kafka-cluster:* on the cluster resource grants every cluster-scoped action, including cluster configuration changes; review it against the Kpow features you actually use and narrow it where you can.
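As an added example (not Kpow's or AWS's code), the following script derives the cluster, topic and group resource ARNs from a single MSK cluster ARN and assembles the three-statement policy above from them, so the region, account ID, cluster name and GUID cannot drift between statements. The ARN shape is the standard MSK cluster ARN format; the sample ARN, account ID and GUID are constructed placeholders, and the default action lists are copied from the page's example policy rather than being a statement of Kpow's minimum requirements. The wildcard_actions helper lists the broad grants so they get reviewed explicitly.

```python
import json
import re

# Standard MSK cluster ARN shape (AWS-documented format):
#   arn:<partition>:kafka:<region>:<account-id>:cluster/<name>/<guid>
_CLUSTER_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):kafka:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):cluster/(?P<name>[^/]+)/(?P<guid>[^/]+)$"
)

# Action lists copied from the example policy on this page. They are NOT a
# statement of Kpow's minimum requirements; trim them to what you use.
CLUSTER_ACTIONS = ["kafka-cluster:*"]
TOPIC_ACTIONS = ["kafka-cluster:*Topic*", "kafka-cluster:WriteData",
                 "kafka-cluster:ReadData"]
GROUP_ACTIONS = ["kafka-cluster:AlterGroup", "kafka-cluster:DescribeGroup"]


def is_msk_cluster_arn(arn: str) -> bool:
    """True only for a complete cluster ARN (partition, region, 12-digit
    account id, cluster name and guid all present)."""
    return _CLUSTER_ARN.match(arn) is not None


def msk_resource_arns(cluster_arn: str) -> dict:
    """Derive the cluster, topic and group resource ARNs that IAM access
    control scopes kafka-cluster:* actions to. Topic and group ARNs reuse the
    cluster's name/guid and end in the object name, hence the trailing '/*'."""
    m = _CLUSTER_ARN.match(cluster_arn)
    if m is None:
        raise ValueError(f"not an MSK cluster ARN: {cluster_arn!r}")
    prefix = f"arn:{m['partition']}:kafka:{m['region']}:{m['account']}"
    suffix = f"{m['name']}/{m['guid']}"
    return {
        "cluster": f"{prefix}:cluster/{suffix}",
        "topic": f"{prefix}:topic/{suffix}/*",
        "group": f"{prefix}:group/{suffix}/*",
    }


def kpow_policy(cluster_arn: str,
                cluster_actions=CLUSTER_ACTIONS,
                topic_actions=TOPIC_ACTIONS,
                group_actions=GROUP_ACTIONS) -> dict:
    """Build the three-statement policy from one cluster ARN."""
    arns = msk_resource_arns(cluster_arn)

    def stmt(actions, resource):
        return {"Effect": "Allow", "Action": list(actions), "Resource": resource}

    return {
        "Version": "2012-10-17",
        "Statement": [
            stmt(cluster_actions, arns["cluster"]),
            stmt(topic_actions, arns["topic"]),
            stmt(group_actions, arns["group"]),
        ],
    }


def wildcard_actions(policy: dict) -> list:
    """Every Allow action containing '*', in statement order, so the breadth
    of the grant is visible (kafka-cluster:* on the cluster resource covers
    all cluster-scoped actions, including configuration changes)."""
    found = []
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        found.extend(a for a in actions if "*" in a)
    return found


if __name__ == "__main__":
    # Constructed sample ARN: account id and guid are placeholders.
    sample = ("arn:aws:kafka:us-east-1:123456789012:"
              "cluster/kpow-demo/abcd1234-0000-1111-2222-333344445555-1")
    policy = kpow_policy(sample)
    print(json.dumps(policy, indent=2))
    print("wildcard actions to review:", wildcard_actions(policy))
```

Pass narrower lists as cluster_actions / topic_actions / group_actions once you know which Kpow features are in use; the generated resource ARNs stay consistent regardless.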

MSK Serverless

To configure Kpow to run on an MSK Serverless cluster, the following configuration is recommended:

CLUSTER_ID=your-msk-serverless-arn
KAFKA_VARIANT=MSK_SERVERLESS
NUM_PARTITIONS=1
SECURITY_PROTOCOL=SASL_SSL
SASL_MECHANISM=AWS_MSK_IAM
SASL_JAAS_CONFIG=software.amazon.msk.auth.iam.IAMLoginModule required;
SASL_CLIENT_CALLBACK_HANDLER_CLASS=software.amazon.msk.auth.iam.IAMClientCallbackHandler

Setting KAFKA_VARIANT=MSK_SERVERLESS makes Kpow create its internal topics using only the topic configuration properties MSK Serverless permits, within its limits.

CLUSTER_ID must be set to a unique value because the DescribeCluster response from MSK Serverless does not include a cluster ID.

Setting the environment variable NUM_PARTITIONS=1 is also recommended so that Kpow's internal topics use as few partitions as possible of MSK Serverless's per-cluster partition limit (120).

Limitations

The following functionality is impacted by MSK Serverless's own limitations:

  • Kpow's internal audit log topic will only have a retention of 1 day
  • Broker disk metrics are not available in MSK serverless

MSK Connect

Kpow supports integration with Amazon MSK Connect.

See the MSK Connect configuration guide for more information.