Creating a User and Granting DMS for Kafka Permissions

This chapter describes how to use Identity and Access Management (IAM) to implement fine-grained permissions control for your Distributed Message Service (DMS) for Kafka resources. With IAM, you can:

Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing DMS for Kafka resources.
Manage permissions on a principle of least permissions (PoLP) basis.
Entrust another account or cloud service to perform efficient O&M on your DMS for Kafka resources.

If your account does not need IAM, skip this section.

This section describes the procedure for granting permissions (see Figure 1).

Prerequisites

Learn about the permissions (see System-defined roles and policies supported by DMS for Kafka) supported by DMS for Kafka and choose policies according to your requirements. For the permissions of other services, see System Permissions.

Process Flow

Figure 1 Process for granting DMS for Kafka permissions
Click to enlarge

Create a user group and assign permissions.
Create a user group on the IAM console, and assign the DMS ReadOnlyAccess policy to the group.
Create an IAM user.
Create a user on the IAM console and add the user to the group created in 1.
Log in and verify permissions.
Log in to the management console as the user you created, and verify that the user has the assigned permissions.
- Choose Service List > Distributed Message Service for Kafka. Then click Buy Instance on the console of DMS for Kafka. If a message appears indicating that you have insufficient permissions to perform the operation, the DMS ReadOnlyAccess policy is in effect.
- Choose Service List > Elastic Volume Service. If a message appears indicating that you have insufficient permissions to access the service, the DMS ReadOnlyAccess policy is in effect.