We’re currently building an MSK cluster. We use 2 types of authentication for 2 different clients.
The IAM authentication works fine.
But for the SASL/SCRAM authentication it's not the case: we created a secret for username/password connection and linked it to the MSK cluster.
Using our client or a UI client for Windows it's the same issue: we have a connection but with limited functionality (like creating a topic or reading one).
Please take a look at the error the UI client returns:
Could not complete DescribeConfigs action: you can try to continue with limited functionality. ClusterAuthorizationException: Cluster authorization failed. Make sure that your user has all access rights (DescribeConsumerGroups, DescribeCluster, DescribeConfigs) for full functionality.
Also take a look at our AWS secret policy JSON file:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Sid" : "......",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "kafka.amazonaws.com"
    },
    "Action" : "secretsmanager:getSecretValue",
    "Resource" : "arn:aws:secretsmanager:eu-west-3...............Z"
  } ]
}
Do we need to modify the ACL policies directly on the Kafka instance? How?

2 Answers
You have to set allow.everyone.if.no.acl.found to true in order to access the cluster without ACLs. If you need to set it to false, you can list current ACLs, and add new ones using the list-acls.sh command in Kafka CLI: https://jaceklaskowski.gitbooks.io/apache-kafka/content/kafka-tools-kafka-acls.html
https://kafka.apache.org/documentation/#security_authz
It seems like you've changed allow.everyone.if.no.acl.found to false. If that's the case, then you won't have access with SCRAM auth method until you enable ACLs. So, you need to run kafka-acls command and add permissions to the user you use to read topics, or write…
For example, you will need to use a user that already has permissions to set up ACLs, alternatively, you can use unauthenticated method, or zookeeper instead of bootstrap servers, so authentication is not checked:
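As an added example that is not part of either answer: the script below composes the kafka-acls.sh commands that grant a SASL/SCRAM user exactly the rights named in the UI client's error (DescribeCluster and DescribeConfigs on the cluster, DescribeConsumerGroups on its group) plus read/write/create on its own topics. The broker address, the admin client properties file, and the SCRAM username are placeholders I assumed, not values from the question; the functions only print the commands so the plan can be reviewed before it is piped into a shell.

```shell
#!/usr/bin/env sh
# Added example: build the kafka-acls.sh invocations for one SASL/SCRAM user.
# Dry run by design: every function prints a command; apply with  plan | sh
#
# Assumed environment (placeholders, not values from the question):
#   BOOTSTRAP      MSK broker on the SASL/SCRAM listener (port 9096 on MSK)
#   CLIENT_CONFIG  properties for a user that is already allowed to alter ACLs:
#                    security.protocol=SASL_SSL
#                    sasl.mechanism=SCRAM-SHA-512
#                    sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="...";
#   SCRAM_USER     username stored in the MSK secret; Kafka sees it as User:<name>
# If no SCRAM user can alter ACLs yet, replace --bootstrap-server/--command-config
# with --authorizer-properties zookeeper.connect=<zk> as the second answer suggests.
BOOTSTRAP="${BOOTSTRAP:-b-1.placeholder.kafka.eu-west-3.amazonaws.com:9096}"
CLIENT_CONFIG="${CLIENT_CONFIG:-admin-client.properties}"
PRINCIPAL="User:${SCRAM_USER:-app-user}"

# acl_add RESOURCE_ARGS OPERATION... : print one --add command.
# RESOURCE_ARGS is a single string such as "--cluster" or "--topic orders".
acl_add() {
  resource="$1"; shift
  ops=""
  for op in "$@"; do
    ops="$ops --operation $op"
  done
  printf 'kafka-acls.sh --bootstrap-server %s --command-config %s --add --allow-principal %s%s %s\n' \
    "$BOOTSTRAP" "$CLIENT_CONFIG" "$PRINCIPAL" "$ops" "$resource"
}

# Cluster-level rights: Describe answers DescribeCluster, DescribeConfigs is the
# call the UI client reported as failing.
grant_cluster_describe() {
  acl_add "--cluster" Describe DescribeConfigs
}

# Consumer-group rights: Describe answers DescribeConsumerGroups, Read lets the
# client join the group and commit offsets.
grant_group() {
  acl_add "--group $1" Describe Read
}

# Topic rights for every topic under a prefix: Create allows creating topics
# with that prefix, Read/Write/Describe cover normal consume/produce.
grant_topic_prefix() {
  acl_add "--resource-pattern-type prefixed --topic $1" Create Describe Read Write
}

# List all ACLs so the result can be checked against the client's error.
list_acls() {
  printf 'kafka-acls.sh --bootstrap-server %s --command-config %s --list\n' \
    "$BOOTSTRAP" "$CLIENT_CONFIG"
}

# Full plan for one application user, scoped to its own group and topic prefix.
plan() {
  grant_cluster_describe
  grant_group "${SCRAM_USER:-app-user}-consumer"
  grant_topic_prefix "${SCRAM_USER:-app-user}-"
  list_acls
}

plan
```

Keeping the cluster ACL limited to Describe and DescribeConfigs, and the topic and group ACLs limited to the user's own prefix, gives the client what the error asks for without turning the SCRAM user into a cluster-wide administrator; once any ACL exists for a resource, allow.everyone.if.no.acl.found no longer applies to it, so list_acls is worth running before and after.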