Background
We are planning to enhance secure access for the IAM assumeRole functionality by migrating our AWS Kubernetes clusters to use EKS Pod Identity. This new feature, recently released by AWS, simplifies how cluster administrators can configure Kubernetes applications to obtain AWS IAM permissions. For more details, refer to the AWS announcement.
Impacted Connectors
- Amazon S3 Sink Connector
- DynamoDbCdcSource connectors
Customer Information
Before we can proceed with these changes, customers who use an AWS IAM assume role for authentication in the S3 Sink or DynamoDbCdcSource connectors need to update the trust policy of their IAM role. If the trust policy is not updated, existing connectors that authenticate through IAM will fail with AccessDenied errors once the migration takes effect.
Required Action
Change required -
Add a new statement allowing sts:TagSession to the role's trust policy. Below is the required policy statement (replace the value of the "Principal:AWS" field with the Confluent role ARN that was provided when you created the provider integration):
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::000000000000:role/confluent-aws-role"
        },
        "Action": "sts:TagSession"
    }
For detailed steps on managing provider integration, please refer to the Confluent Documentation. Please ensure that the above changes are implemented to avoid any disruption in your service.
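As an added example (not part of this notice or of Confluent's tooling), the following Python checks whether a role's trust policy already grants sts:TagSession to the Confluent role and, if not, appends the statement shown above without touching the existing sts:AssumeRole statement or its conditions. The sample trust policy, its external ID and the ARN are constructed placeholders.

```python
import json
from typing import Any

# Constructed sample: a trust policy that today only allows sts:AssumeRole for the
# Confluent role (placeholder ARN taken from the notice; external ID is made up).
CONFLUENT_ROLE_ARN = "arn:aws:iam::000000000000:role/confluent-aws-role"
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CONFLUENT_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in Statement/Action/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_tag_session(policy: dict, principal_arn: str) -> bool:
    """True if some Allow statement lets exactly principal_arn call sts:TagSession.
    Wildcard principals are deliberately not treated as a match (conservative check)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal_arn not in aws_principals:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & {"sts:tagsession", "sts:*", "*"}:
            return True
    return False


def add_tag_session(policy: dict, principal_arn: str) -> dict:
    """Return a deep copy of the trust policy with the TagSession statement appended
    when it is missing; idempotent, and the AssumeRole statement is left as-is."""
    updated = json.loads(json.dumps(policy))
    if grants_tag_session(updated, principal_arn):
        return updated
    updated["Statement"] = _as_list(updated.get("Statement")) + [
        {"Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:TagSession"}
    ]
    return updated


if __name__ == "__main__":
    print(json.dumps(add_tag_session(SAMPLE_TRUST_POLICY, CONFLUENT_ROLE_ARN), indent=2))
```

The printed document can be saved to a file and applied with `aws iam update-assume-role-policy --role-name <role> --policy-document file://<file>`; review the diff against the current trust policy first.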
Additional Information:
- The changes apply exclusively to fully managed connectors and do not affect self-managed connectors.