# AWS MSK

{% hint style="success" %}
Only one Kafka connection is allowed.

The name must be kafka.

See [JSON schema](https://docs.lenses.io/latest/deployment/configuration/overview#json-schema-support) for support.

Environment variables are supported; escape the dollar sign:

```yaml
sslKeystorePassword:
  # If the environment variable has single or double quotes, escape it with
  # "\${ENV_VAR_NAME}"
  value: "${ENV_VAR_NAME}"
```

{% endhint %}

It is recommended to install the Agent on an EC2 instance or with EKS in the same VPC as your MSK cluster. The Agent can be installed and preconfigured via the [AWS Marketplace](https://docs.lenses.io/latest/deployment/configuration/agent/automation/kafka/aws-msk).

## Open network connectivity

Edit the AWS MSK security group in the AWS Console and add the IP address of your Agent installation.

<figure><img src="https://3629020462-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoxgTiTb4MZT9IGHAYUTn%2Fuploads%2Fgit-blob-a6a412b7b1b05d57e2a048dbcb77a84a31dad2ee%2Faws-msk-network.png?alt=media" alt=""><figcaption><p>MSK Security group</p></figcaption></figure>

## Enable Open Monitoring

If you want the Agent to collect JMX metrics, you have to enable Open Monitoring on your MSK cluster. Follow the AWS guide [here](https://docs.aws.amazon.com/msk/latest/developerguide/monitoring.html#enable-open-monitoring-after-creation).

## Select your MSK endpoint

Depending on your MSK cluster, select the endpoint and protocol you want to connect with.

{% hint style="warning" %}
It is not recommended to use Plaintext for secure environments. For these environments use TLS or IAM.
{% endhint %}

<figure><img src="https://3629020462-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoxgTiTb4MZT9IGHAYUTn%2Fuploads%2Fgit-blob-c80f3d63ad62fba8a4156467c3a071a8c5caa52c%2Faws-msk-endpoint.png?alt=media" alt=""><figcaption></figcaption></figure>

When the Agent is running inside AWS and is connecting to an Amazon Managed Kafka (MSK) instance, IAM can be used for authentication.

## Configure Provisioning

{% code title="provisioning.yaml" %}

```yaml
kafka:
- name: kafka
  version: 1
  tags: ["optional-tag"]
  configuration:
    kafkaBootstrapServers:
      value:
       - SASL_SSL://your.kafka.broker.0:9098
       - SASL_SSL://your.kafka.broker.1:9098
    protocol: 
      value: SASL_SSL
    saslMechanism: 
      value: AWS_MSK_IAM
    saslJaasConfig:
      value: software.amazon.msk.auth.iam.IAMLoginModule required;
    additionalProperties:
      value:
        sasl.client.callback.handler.class: "software.amazon.msk.auth.iam.IAMClientCallbackHandler"
    metricsType:
      value: AWS
```

{% endcode %}
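A pre-deployment check for the file above, as an added example (not Lenses or AWS code). It assumes the YAML has already been parsed into a dict (for example with `yaml.safe_load`), that `PLAINTEXT` is Kafka's name for the unencrypted protocol, and that IAM listeners use the in-VPC port 9098 shown above; `lint_msk_provisioning` and `val` are hypothetical names.

```python
IAM_PORT = "9098"  # in-VPC IAM listener port, as in the page's example (assumed default)
IAM_MODULE = "software.amazon.msk.auth.iam.IAMLoginModule"
IAM_HANDLER = "software.amazon.msk.auth.iam.IAMClientCallbackHandler"

def val(cfg, key):
    """Return configuration.<key>.value, or None when the key is absent."""
    return (cfg.get(key) or {}).get("value")

def lint_msk_provisioning(doc):
    """Return a list of findings for a parsed provisioning document (a dict)."""
    findings = []
    conns = doc.get("kafka") or []
    if len(conns) != 1:
        findings.append(f"expected exactly one Kafka connection, found {len(conns)}")
    for conn in conns:
        if conn.get("name") != "kafka":
            findings.append(f"connection name must be 'kafka', got {conn.get('name')!r}")
        cfg = conn.get("configuration") or {}
        proto, mech = val(cfg, "protocol"), val(cfg, "saslMechanism")
        if proto == "PLAINTEXT":
            findings.append("protocol is PLAINTEXT; use TLS or IAM")
        for server in val(cfg, "kafkaBootstrapServers") or []:
            # urllib rejects '_' in a scheme, so split SASL_SSL://host:port by hand.
            scheme, _, hostport = server.partition("://")
            if scheme != proto:
                findings.append(f"{server}: listener prefix does not match protocol {proto}")
            if mech == "AWS_MSK_IAM" and hostport.rpartition(":")[2] != IAM_PORT:
                findings.append(f"{server}: IAM auth expects port {IAM_PORT}")
        if mech == "AWS_MSK_IAM":
            if proto != "SASL_SSL":
                findings.append("AWS_MSK_IAM requires protocol SASL_SSL")
            if IAM_MODULE not in (val(cfg, "saslJaasConfig") or ""):
                findings.append("saslJaasConfig does not load IAMLoginModule")
            props = val(cfg, "additionalProperties") or {}
            if props.get("sasl.client.callback.handler.class") != IAM_HANDLER:
                findings.append("IAM client callback handler class is not set")
    return findings

# Constructed samples: GOOD mirrors the provisioning.yaml above, BAD is a broken variant.
GOOD = {"kafka": [{"name": "kafka", "version": 1, "configuration": {
    "kafkaBootstrapServers": {"value": ["SASL_SSL://your.kafka.broker.0:9098"]},
    "protocol": {"value": "SASL_SSL"}, "saslMechanism": {"value": "AWS_MSK_IAM"},
    "saslJaasConfig": {"value": IAM_MODULE + " required;"},
    "additionalProperties": {"value": {"sasl.client.callback.handler.class": IAM_HANDLER}}}}]}
BAD = {"kafka": [{"name": "msk-prod", "configuration": {
    "kafkaBootstrapServers": {"value": ["PLAINTEXT://your.kafka.broker.0:9092"]},
    "protocol": {"value": "PLAINTEXT"}}}]}

if __name__ == "__main__":
    print(lint_msk_provisioning(GOOD), lint_msk_provisioning(BAD))
```

An empty list means the connection is the single `kafka` entry and its IAM settings agree with each other; run it in CI before the file reaches the Agent.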
