AWS MSK connector role configuration


I'm creating a Neo4jSource for Kafka on an AWS MSK cluster to connect with a Neo4j cluster on AWS. I have the custom plugin created, but when I start to configure the connector, on the "Access permissions" tab, in the "Identity and Access Management (IAM) role" input, I have to create a role. I select "Custom trust policy" and paste a JSON with the custom trust policy. The JSON is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:Connect",
                "kafka-cluster:DescribeCluster"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXXX:cluster/msk-kafka-cluster-Pro/XXXX"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:ReadData",
                "kafka-cluster:DescribeTopic"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXX:cluster/msk-kafka-cluster-Pro/XXXX/to-mongo-topic"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:WriteData",
                "kafka-cluster:DescribeTopic"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXXX:cluster/msk-kafka-cluster-Pro/e64cdbb3-4f3c-4e80-81e0-b5ff9b1ff6f9-s2/from-neo4j-topic"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:CreateTopic",
                "kafka-cluster:WriteData",
                "kafka-cluster:ReadData",
                "kafka-cluster:DescribeTopic"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXXX:topic/msk-kafka-cluster-Pro/XXXXX/__amazon_msk_connect_*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kafkaconnect.amazonaws.com"
            },
            "Action": [
                "kafka-cluster:AlterGroup",
                "kafka-cluster:DescribeGroup"
            ],
            "Resource": [
                "arn:aws:kafka:us-east-1:XXXXX:group/msk-kafka-cluster-Pro/XXXXXX/__amazon_msk_connect_*",
                "arn:aws:kafka:us-east-1:XXXXX:group/msk-kafka-cluster-Pro/XXXXX/connect-*"
            ]
        }
    ]
}

With this config, the errors are:

Role trust policy syntax error

ERROR: Role trust policy syntax error resource: Role trust policies apply to the role that they are attached to. You cannot specify a resource. Remove the Resource or NotResource element.

How can I solve the error? Or could you send me a JSON template for this purpose?

1 answer

EdbE:

A custom trust policy should have only an STS statement, as MSK Connect as a service will try to assume the role you define. Read more in the documentation, but this would be a simple example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "kafkaconnect.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "Account-ID"
        },
        "ArnLike": {
          "aws:SourceArn": "MSK-Connector-ARN"
        }
      }
    }   
  ]
}

As for the actual authorization policies, they need to be defined as a permissions policy (defined or inline), not a trust policy.
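The split between the two documents is the whole fix, so here is an added example (not part of the question or of EdbE's answer) that takes a policy mixing trust and permission statements, in the shape the question posted, and separates it: a lint function reproduces the check behind the "You cannot specify a resource" error, a split function moves the kafka-cluster actions into a permissions document and leaves a trust document with only sts:AssumeRole, and a hardening step adds the aws:SourceAccount / aws:SourceArn conditions from the answer. The account ID, region, cluster UUID and connector ARN are constructed placeholders, and the MSK Connect connector ARN format is an assumption.

```python
import json
from copy import deepcopy

# Constructed placeholders (not real identifiers).
ACCOUNT_ID = "123456789012"
CLUSTER_ARN_PREFIX = "arn:aws:kafka:us-east-1:123456789012"
# Assumed format for an MSK Connect connector ARN.
CONNECTOR_ARN = "arn:aws:kafkaconnect:us-east-1:123456789012:connector/neo4j-source/*"

# A policy in the shape the question posted: service principal plus
# kafka-cluster actions and resources in every statement (constructed).
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "kafkaconnect.amazonaws.com"},
         "Action": ["kafka-cluster:Connect", "kafka-cluster:DescribeCluster"],
         "Resource": [f"{CLUSTER_ARN_PREFIX}:cluster/msk-kafka-cluster-Pro/0000-uuid"]},
        {"Effect": "Allow",
         "Principal": {"Service": "kafkaconnect.amazonaws.com"},
         "Action": ["kafka-cluster:WriteData", "kafka-cluster:DescribeTopic"],
         # Topic-level actions are scoped with topic/ ARNs, not cluster/ ARNs.
         "Resource": [f"{CLUSTER_ARN_PREFIX}:topic/msk-kafka-cluster-Pro/0000-uuid/from-neo4j-topic"]},
    ],
}


def _actions(stmt):
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def lint_trust_policy(policy):
    """Return the problems IAM rejects in a role trust policy.

    A trust policy only answers "who may assume this role?", so each
    statement needs a Principal, STS actions (normally sts:AssumeRole)
    and no Resource/NotResource element.
    """
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if "Principal" not in stmt:
            problems.append(f"statement {i}: missing Principal")
        if "Resource" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: Resource/NotResource is not allowed in a trust policy")
        non_sts = [a for a in _actions(stmt) if not a.startswith("sts:")]
        if non_sts:
            problems.append(f"statement {i}: non-STS actions {non_sts} belong in a permissions policy")
    return problems


def split_policy(mixed):
    """Split a mixed policy into (trust_policy, permissions_policy).

    The trust policy keeps one sts:AssumeRole statement per distinct
    service principal; the permissions policy keeps the Action/Resource
    pairs with the Principal element dropped.
    """
    principals, perm_statements = [], []
    for stmt in mixed["Statement"]:
        principal = stmt.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if service and service not in principals:
            principals.append(service)
        non_sts = [a for a in _actions(stmt) if not a.startswith("sts:")]
        if non_sts:
            perm_statements.append({"Effect": stmt.get("Effect", "Allow"),
                                    "Action": non_sts,
                                    "Resource": stmt.get("Resource", "*")})
    trust = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Principal": {"Service": p},
                            "Action": "sts:AssumeRole"} for p in principals]}
    perms = {"Version": "2012-10-17", "Statement": perm_statements}
    return trust, perms


def harden_trust_policy(trust, account_id, connector_arn):
    """Add confused-deputy conditions so only a connector in this account
    can assume the role (the conditions shown in the answer above)."""
    hardened = deepcopy(trust)
    for stmt in hardened["Statement"]:
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": account_id},
                             "ArnLike": {"aws:SourceArn": connector_arn}}
    return hardened


if __name__ == "__main__":
    print("problems in the posted trust policy:")
    for p in lint_trust_policy(MIXED_POLICY):
        print("  -", p)
    trust, perms = split_policy(MIXED_POLICY)
    trust = harden_trust_policy(trust, ACCOUNT_ID, CONNECTOR_ARN)
    print("\ntrust policy (paste into 'Custom trust policy'):")
    print(json.dumps(trust, indent=2))
    print("\npermissions policy (attach to the role as inline or managed):")
    print(json.dumps(perms, indent=2))
```

Run the script and paste the first document into the "Custom trust policy" box and the second into the role's permissions. The aws:SourceArn wildcard on the connector name is deliberate: the connector ARN does not exist until the connector is created, so the trust policy usually has to match a name pattern rather than an exact ARN.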