0

I want creat a connector for Debezium. I am unable to create a kafka connector using the AWSServiceRoleForKafkaConnect role. Here is the error I get when clicking Create Connector on the last page in the form:

Error creating connector There was a problem creating a connector. If the problem persists, contact AWS Support. API response Invalid parameter serviceExecutionRoleArn: A service linked role ARN cannot be provided as service execution role ARN.

Here is the document which I am following: https://aws.amazon.com/tr/blogs/aws/introducing-amazon-msk-connect-stream-data-to-and-from-your-apache-kafka-clusters-using-managed-connectors/

How Can I fix this problem ? Thanks!

Tolis Gerodimos
  • 3,782
  • 2
  • 7
  • 14
ahmetucan
  • 1
  • 1

2 Answers2

1

I had a similar problem while creating MSK Connector to S3 bucket. You can solve it using instructions from this tutorial: https://docs.aws.amazon.com/msk/latest/developerguide/mkc-tutorial-setup.html

You have to create new IAM Role and edit Trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "kafkaconnect.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Krzysztof Wasilewski
  • 11
  • 1
0

I'm having the same issue in the last few days. I have created Kafka connectors in early Jan and December with no issues using the provided AWSServiceRoleForKafkaConnect role.

I tried creating the new connectors with the same config on the same cluster using the same role that worked before and now I'm also getting the same error:

 Invalid parameter serviceExecutionRoleArn: A service linked role ARN cannot be provided as service execution role ARN.

I think this may be due to an update on the AWS side.

Update from AWS****

Hi there, there were some recent changes made to the use of Service Linked Roles (SLR) as an execution role for Amazon MSK Connect Connectors. SLRs are no longer allowed to be used as the execution role. This may not affect Connectors which do not interact with Amazon MSK clusters or other resources using IAM authentication, but will affect any interaction with IAM controlled resources. It is recommend that all connector execution roles use customer managed roles with Trust Relationships including kafkaconnect.amazonaws.com. See the documentation on Service Execution Roles (1) for more details.

Currently the console allows the selection of an SLR (AWSServiceRoleForKafkaConnect) as the execution role, this will be removed in future updates and should not be used when creating connectors.

(1) https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-service-execution-role.html

lauf
  • 1
  • 1