MSK没有安全性,当创建从IoT Core到Kafka的规则操作时,它希望我选择安全性,我可以避免这种情况吗?
正如问题所述,当设置MSK时 - 它没有启用安全性,进而导致创建规则本身的问题。
通过AWS GUI创建规则时,必须使用“ get_secret函数”配置操作用户名和密码属性 - 我最初像这样配置了我们的云形式:
IoTCoreToKafkaRule:
Type: AWS::IoT::TopicRule
Properties:
RuleName: !Sub "IoTCoreToKafkaRule"
TopicRulePayload:
Description: Rule to forward MQTT messages to MSK
RuleDisabled: false
AwsIotSqlVersion: "2016-03-23"
Sql: "SELECT encode(*,'base64') AS message, topic() AS topic FROM 'topic/#'"
Actions:
- Kafka:
DestinationArn: !GetAtt TopicRuleVpcDestination.Arn
Topic: "iotcore"
ClientProperties:
'sasl.mechanism': SCRAM-SHA-512
'security.protocol': SASL_SSL
'bootstrap.servers': !Ref BootstrapServers
'sasl.scram.password': "DummyUsername"
'sasl.scram.username': "DummyPassword"
我认为我可以提供“虚拟”值,并且由于MSK没有安全从技术上讲,它将忽略此配置并允许数据通过。现在,我知道有一个案例可以说“如果您删除Bootstrap.servers.servers的所有内容” - 嗯,这会导致问题,我收到了一个clientproperties需要SASL_SSL或SSL配置的错误,就像在AWS GUI中一样。
我有没有办法创建规则,而无需在MSK上启用SASL_SSL或SSL安全性?我是否需要创建一个可以从中汲取的奇数值的秘密,还是有更轻松的解决方案?
As the question states, when the MSK was set up - it had no security enabled, and in turn it's causing issues creating the rule itself.
When creating the rule through the AWS GUI, the action username and password property must be configured using the "get_secret function" - I initially configured our CloudFormation like so:
IoTCoreToKafkaRule:
Type: AWS::IoT::TopicRule
Properties:
RuleName: !Sub "IoTCoreToKafkaRule"
TopicRulePayload:
Description: Rule to forward MQTT messages to MSK
RuleDisabled: false
AwsIotSqlVersion: "2016-03-23"
Sql: "SELECT encode(*,'base64') AS message, topic() AS topic FROM 'topic/#'"
Actions:
- Kafka:
DestinationArn: !GetAtt TopicRuleVpcDestination.Arn
Topic: "iotcore"
ClientProperties:
'sasl.mechanism': SCRAM-SHA-512
'security.protocol': SASL_SSL
'bootstrap.servers': !Ref BootstrapServers
'sasl.scram.password': "DummyUsername"
'sasl.scram.username': "DummyPassword"
I was thinking that I can supply "Dummy" values and since the MSK has no security it would technically ignore this config and let the data through. Now, I understand there is a case to say "what if you remove everything aside from the bootstrap.servers" - well this causes an issue and I receive an error that the ClientProperties need either SASL_SSL or SSL configuration, just like in the AWS GUI.
Is there a way for me to create the rule, without the need for enabling SASL_SSL or SSL security on the MSK? Do I need to create a Secret with any odd values that it can pull from or is there an easier solution?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
好的,似乎我如今回答了自己的问题。
好吧,事实证明我在正确的行上,尽管AWS无法选择为Kafka创建规则,如果没有安全性,您可以使用任何用户名/密码创建值秘密经理。
使用此存储库以及上面的代码,加上以$ {get_secret('“”)形式获取密码的添加剂,我能够满足安全价值除了通常的VPC/子网/自举经纪人外,我还不需要满足其他任何价值。
Okay, seems like I answer my own issues these days.
Well it turns out I was on the right lines, although AWS doesn't have the option to create a rule to the Kafka if there is no security, you can create the values with any username/password as long as you retrieve it from a secrets manager.
With the use of this repository and my the code above, plus the addititon of getting the password in the form of ${get_secret("")), I was able to satisfy the values for security, but as far as I know aside from the usual, VPC/Subnet/Bootstrap brokers, I didn't need to satisfy any other value.