Skip to main content
can stream change data to Amazon MSK clusters (Amazon Managed Streaming for Apache Kafka) using AWS IAM roles or authentication to connect to the MSK cluster. In this tutorial, you’ll set up an MSK cluster and connect a changefeed with either IAM or SCRAM authentication:
  • For , you’ll create the MSK cluster with an IAM policy and role. CockroachDB and a Kafka client will assume the IAM role in order to connect to the MSK cluster. Then, you’ll set up the Kafka client to consume the changefeed messages and start the changefeed on the CockroachDB cluster.
  • For , you’ll create the MSK cluster and then store your SCRAM credentials in AWS Secrets Manager. You’ll set up the Kafka client configuration and consume the changefeed messages from the CockroachDB cluster.
CockroachDB changefeeds also support IAM authentication to MSK Serverless clusters. For a setup guide, refer to .

Before you begin

You’ll need:
  • An AWS account.
  • A CockroachDB self-hosted cluster hosted on AWS. You can set up a cluster using . You must create instances in the same VPC that the MSK cluster will use in order for the changefeed to authenticate successfully.
  • A Kafka client to consume the changefeed messages. You must ensure that your client machine is in the same VPC as the MSK cluster. This tutorial uses a client set up following the AWS MSK guide.
  • The CHANGEFEED privilege in order to create and manage changefeed jobs. Refer to for more details.
You can stream a changefeed to a public IP MSK endpoint from any CockroachDB cluster. If you would like to connect a changefeed running on a CockroachDB Advanced cluster to an Amazon MSK Serverless cluster over AWS PrivateLink, contact your Cockroach Labs account team. Select the authentication method that you’ll use to connect the changefeed to your MSK cluster:

Step 1. Create an MSK cluster with IAM authentication

  1. In the AWS Management Console, go to the Amazon MSK console and click Create cluster.
  2. Select Custom create, name the cluster, and select Provisioned as the cluster type. Click Next.
  3. Select the VPC for the MSK cluster with the subnets and security group. The VPC selection is important because the MSK cluster must be in the same VPC as the CockroachDB instance and Kafka client machine. Click Next.
  4. Under Access control methods select IAM role-based authentication. Click Next.
  5. Continue to select the required configuration options for your cluster. Click Next.
  6. Review the cluster details, and then click Create cluster.
  7. Once the cluster is running, click View client information in the Cluster summary box. Copy the endpoint addresses, which will be similar to b-1.msk-cluster_name.1a2b3c.c4.kafka.us-east-1.amazonaws.com:9098,b-2.msk-cluster_name.1a2b3c.c4.kafka.us-east-1.amazonaws.com:9098,b-3.msk-cluster_name.1a2b3c.c4.kafka.us-east-1.amazonaws.com:9098. Click Done to return to the cluster’s overview page.

Step 2. Create an IAM policy and role to access the MSK cluster

In this step, you’ll create an IAM policy that contains the permissions to interact with the MSK cluster. Then, you’ll create an IAM role, which you’ll associate with the IAM policy. In a later step, both the CockroachDB cluster and Kafka client machine will use this role to work with the MSK cluster.
  1. In the AWS Management Console, go to the IAM console, select Policies from the navigation, and then Create Policy.
  2. Using the JSON tab option, update the policy with the following JSON. These permissions will allow you to connect to the cluster, manage topics, and consume messages. You may want to adjust the permissions to suit your permission model. For more details on the available permissions, refer to the AWS documentation on IAM Access Control for MSK. Replace the instances of arn:aws:kafka:{region}:{account ID}:cluster/{msk-cluster-name} with the MSK ARN from your cluster’s summary page and add /* to the end, like the following:
  3. Once you have added your policy, add a policy name (for example, msk-policy), click Next, and Create policy.
  4. Return to the IAM console, select Roles from the navigation, and then Create role.
  5. Select AWS service for the Trusted entity type. For Use case, select EC2 from the dropdown. Click Next.
  6. On the Add permissions page, search for the IAM policy (msk-policy) you just created. Click Next.
  7. Name the role (for example, msk-role) and click Create role.

Step 3. Set up the CockroachDB cluster role

In this step, you’ll create a role, which contains the sts:AssumeRole permission, for the EC2 instance that is running your CockroachDB cluster. The sts:AssumeRole permission will allow the EC2 instance to obtain temporary security credentials to access the MSK cluster according to the msk-policy permissions. To achieve this, you’ll add the EC2 role to the trust relationship of the msk-role you created in the previous step.
  1. Navigate to the IAM console, select Roles from the navigation, and then Create role.
  2. Select AWS service for the Trusted entity type. For Use case, select EC2 from the dropdown. Click Next.
  3. On the Add permissions page, click Next.
  4. Name the role (for example, ec2-role ) and click Create role.
  5. Once the role has finished creating, copy the ARN in the Summary section. Click on the Trust relationships tab. You’ll find a Trusted entities policy:
  6. Navigate to the IAM console and search for the role (msk-role) you created in Step 2 that contains the MSK policy. Select the role, which will take you to its summary page.
  7. Click on the Trust relationships tab, and click Edit trust policy. Add the ARN of the EC2 IAM role (ec2-role) to the JSON policy:
    Once you’ve updated the policy, click Update policy.

Step 4. Connect the client to the MSK cluster

In this step, you’ll prepare the client to connect to the MSK cluster, create a Kafka topic, and consume messages that the changefeed sends.
  1. Ensure that your client can connect to the MSK cluster. This tutorial uses an EC2 instance running Kafka as the client. Navigate to the summary page for the client EC2 instance. Click on the Actions dropdown. Click Security, and then select Modify IAM role.
  2. On the Modify IAM role page, select the role you created for the MSK cluster ( msk-role ) that contains the policy created in Step 2. Click Update IAM role.
  3. Open a terminal and connect to your Kafka client. Check that the client.properties file in your Kafka installation contains the correct SASL and security configuration, like the following:
    If you need further detail on setting up the Kafka client, refer to the AWS setup guide.
  4. Move to the directory of your Kafka installation:
  5. To create a topic, run the following:
    Replace:
    • with your endpoint copied in Step 1.
    • with your topic name. This tutorial will use the CockroachDB movr workload and will run a changefeed on the movr.users table.
    • with the number of partitions you require.
    • with the replication you require. You will receive confirmation output:

Step 5. Start the changefeed

In this step, you’ll prepare your CockroachDB cluster to start the changefeed.
  1. (Optional) On the EC2 instance running CockroachDB, run the application workload to set up some data for your changefeed. Create the schema for the workload:
    Then run the workload:
  2. Start a SQL session. For details on the available flags, refer to the page.
  3. Enable the kv.rangefeed.enabled :
  4. To connect the changefeed to the MSK cluster, the URI must contain the following parameters:
    • An MSK cluster endpoint prefixed with the kafka:// scheme, for example: kafka://b-1.msk-cluster_name.1a2b3c.c4.kafka.us-east-1.amazonaws.com:9098.
    • tls_enabled set to true.
    • sasl_enabled set to true.
    • sasl_mechanism set to AWS_MSK_IAM.
    • sasl_aws_region set to the region of the MSK cluster.
    • sasl_aws_iam_role_arn set to the ARN for the IAM role ( msk-role ) that has the permissions outlined in Step 2.
    • sasl_aws_iam_session_name set to a string that you specify to identify the session in AWS.
      You can either specify the Kafka URI in the CREATE CHANGEFEED statement directly. Or, create an for the MSK URI. External connections define a name for an external connection while passing the provider URI and query parameters:
  5. Use the statement to start the changefeed using either the external connection (external://) or full kafka:// URI:
    To view a changefeed job, use .

Step 6. Consume the changefeed messages on the client

  1. Return to the terminal that is running the Kafka client. Move to the Kafka installation directory:
  2. Run the following command to start a consumer. Set --topic to the topic you created:

See also

For more resources, refer to the following:
  • page for details on parameters that sinks support.
  • for details on monitoring the changefeed job.