Configuring to point to mks instance

[rajksr]

Issue resolved: after giving more specific kafka-cluster permissions to the policy. https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#create-iam-access-control-policies

I am trying to configure the UI to connect to MKS instance.

XXX.us-west-2.compute.amazonaws.com:8080/ui/clusters/create-new-cluster

I instantiated the AWS marketplace kafka UI instance. It is assigned an IAM role that has permissions to connect to the kafka cluster and I have verified by logging in to the kafka UI instance that it has connectivity to the kafka cluster by way of the IAM role.

On the configuration UI, I have selected
Authentication Method: SASL/AWS IAM
Security Protocol: SASL/SSL
AWS Profile Name: OR default (second try)

When I press "Validate" it says
Kafka Cluster
Error connecting to cluster. See logs for details.

I don't see logs anywhere. I searched everywhere on the kafka UI instance as well.

• edit: figured out the logs situation. "journalctl -u uiForApacheKafka.service | tail -f -n 200" works on the kafka-ui instance.

The security group attached to the publicly accessible kafka cluster gives inbound to 9000-9200 port range from outside.

What am I doing wrong? Do I need to explicitly configure AWS credentials on the kafka UI instance and provide a profile?

• edit: I have tried both using the attached IAM role as well as a manually configured user's aws credentials. Both work as far as awscli is concerned, on the instance. They can describe the kafka cluster.
  -- The error log now says that the SASL Auth failed for 'access denied': Jul 11 16:15:41 XXX.us-west-2.compute.internal java[14828]: org.apache.kafka.common.errors.SaslAuthenticationException: [UUID]: Access denied. So, now it's clear that connectivity is not the issue, but the SASL/IAM config is. Possibly an issue with the attached policy, but it couldn't be because the manually configured user's credentials pertain to an admin user. Is there a policy json someone can share that gives the requisite access to the IAM user that the kafka-ui app is using to connect to the kafka cluster?

[Haarolean]

https://docs.kafka-ui.provectus.io/faq/common-problems#aws-msk-w-iam-access-denied