将 AWS IoT 规则连接到单独 AWS 账户中的 MSK Kafka 实例时出现问题
[英]Issue with connecting AWS IoT Rule to a MSK Kafka instance in a separate AWS account
问题描述
Thank you in advance for any help!
预先感谢您的任何帮助!
My company uses multiple AWS accounts to separate region and "global" functionality/storage.我的公司使用多个 AWS 账户来分隔区域和“全球”功能/存储。 We've recently switched to using MQTT IoT Rules and have run tests with regional Kafka vs a global Kafka instance for how we process data, deciding that a global Kafka makes the most sense.我们最近改用 MQTT IoT 规则,并针对我们处理数据的方式对区域 Kafka 与全球 Kafka 实例进行了测试,确定全球 Kafka 最有意义。
I've been able to properly setup a regional Kafka with the regional IoT pushing data to it (in the same account), but when I tried setting up a global Kafka with the regional IoT pushing data it failed (separate accounts).我已经能够正确设置一个区域 Kafka,并将区域 IoT 推送数据(在同一个帐户中),但是当我尝试设置一个具有区域 IoT 推送数据的全局 Kafka 时,它失败了(单独的帐户)。
The IoT Rule also does not post any errors to Cloudwatch Logs, despite setting up a log group as an error action. IoT 规则也不会将任何错误发布到 Cloudwatch Logs,尽管将日志组设置为错误操作。
We've set everything up to use peer connections and allowing CIDR access to security groups and have many other services running from region to global just fine, but this one is failing us.我们已经设置了一切以使用对等连接并允许 CIDR 访问安全组,并且有许多其他服务从区域到全球运行都很好,但是这个让我们失望了。
I've even been able to create an EC2 instance in the region under the same VPC, Su.net, and Security group as the ones I've assigned to my IoT Rule and it's working just fine to produce and consume from Kafka.我什至能够在与我分配给 IoT 规则的相同 VPC、Su.net 和安全组下的区域中创建一个 EC2 实例,并且它可以很好地从 Kafka 生产和消费。
The only place I can imagine the issue being is with the bootstrap URLs not being accessible inside the region or the secret username/password not having proper access.我唯一能想到的问题是引导程序 URL 在该区域内无法访问,或者秘密用户名/密码无法正确访问。 The secret has been set in the global account.秘密已在全局帐户中设置。 The role that I'm using has been given permission to read that secret in the separate account.我正在使用的角色已获得在单独帐户中读取该机密的权限。
arn:aws:iam::12345:role/TestRole: arn:aws:iam::12345:角色/测试角色:
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": "arn:aws:secretsmanager:region:9876:secret:AmazonMSK_TestSecret"
}
${get_secret('arn:aws:secretsmanager:region:9876:secret:AmazonMSK_TestSecret', 'SecretString', 'username', 'arn:aws:iam::12345:role/TestRole')}
If anyone is familiar with reading secrets across accounts or using MSK Bootstrap URLs across accounts I'd appreciate some insight.如果有人熟悉跨帐户读取机密或跨帐户使用 MSK Bootstrap URL,我将不胜感激。
2 个解决方案
解决方案1
0 已采纳 2022-11-02 10:50:23
AWS IoT rules supports cross account but only for a limited list of services: Amazon SQS, Amazon SNS, Amazon S3, and AWS Lambda. AWS IoT 规则支持跨账户,但仅适用于有限的服务列表:Amazon SQS、Amazon SNS、Amazon S3 和 AWS Lambda。
You can see this information here .您可以在此处查看此信息。
So in your case, you would have to push data into a SQS queue in the other account and then pull data using Lambda in order to ingest it to MSK.因此,在您的情况下,您必须将数据推送到另一个帐户的 SQS 队列中,然后使用 Lambda 提取数据,以便将其提取到 MSK。
解决方案2
0 2023-01-15 10:10:12
Like mentioned before it's not supported by AWS..就像之前提到的,AWS 不支持它。
We solved it by using MirrorMaker2 by strimzi to replicate events between clusters across account (requires a VPC peering or any kind of.network connectivity solution)我们通过使用 strimzi 的MirrorMaker2在跨帐户的集群之间复制事件来解决它(需要 VPC 对等或任何类型的网络连接解决方案)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.