
What IAM permissions does a Kinesis Consumer need when using KCL?

I have a Kinesis consumer I wrote using the Kinesis Client Library (KCL). This consumer is running under an assumed IAM role.

I've read from the documentation that:

The KCL creates a DynamoDB table with the application name and uses the table to maintain state information (such as checkpoints and worker-shard mapping) for the application. Each application has its own DynamoDB table. For more information, see Tracking Amazon Kinesis Data Streams Application State.

Sure, I need to add the dynamodb:CreateTable permission to my IAM role. However, I'm getting errors for other things (e.g. dynamodb:DescribeTable).

Is there a list of all DynamoDB operations my KCL consumer needs access to? The documentation seems to be lacking and I'd rather have an authoritative list than keep trying to run my application.

This should be the set of permissions you need. The table name is provided by the client code; it defaults to appName but can be overridden in the ConfigsBuilder:

- Effect: Allow
  Action:
    - dynamodb:CreateTable
    - dynamodb:DescribeTable
    - dynamodb:Scan
    - dynamodb:PutItem
    - dynamodb:GetItem
    - dynamodb:UpdateItem
    - dynamodb:DeleteItem
  Resource:
    - !Join ["", ["arn:aws:dynamodb:*:", !Ref 'AWS::AccountId', ":table/*"]]

I also had the same issue and was able to resolve it after setting this policy. There should also be a proper permission enabled to access Kinesis.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:Get*",
                "kinesis:DescribeStream",
                "kinesis:ListShards"
            ],
            "Resource": [
                "arn:aws:kinesis:ap-south-1:ACCOUNT_ID:stream/STREAM_NAME"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:ListStreams"
            ],
            "Resource": [
                "arn:aws:kinesis:ap-south-1:ACCOUNT_ID:stream/STREAM_NAME"
            ]
        },
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:ap-south-1:ACCOUNT_ID:table/TABLE_NAME*"
        }
    ]
}
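As an added example (not code from the thread), the following offline checker takes a policy like the one above and reports which of the actions named in this thread no Allow statement covers, using IAM's `*`/`?` wildcard matching. It is a simplified evaluator (Allow statements only, no Deny, Condition or Principal handling) and it assumes that `kinesis:ListStreams`, which has no resource type in IAM, is evaluated against `*` rather than a stream ARN; the account, region, stream and table names are made-up values standing in for the placeholders. For an authoritative answer, run the same action list through IAM's policy simulator (`iam:SimulatePrincipalPolicy`) against the assumed role.

```python
"""Offline pre-flight check that an IAM policy covers the actions a KCL consumer
needs. Simplified: IAM '*'/'?' wildcards, Allow statements only (no Deny,
Condition or Principal handling). Added example, not the thread's own code."""
import re

ACCOUNT, REGION = "123456789012", "ap-south-1"   # constructed placeholder values
TABLE = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/my-kcl-app"
STREAM = f"arn:aws:kinesis:{REGION}:{ACCOUNT}:stream/orders"

# The policy from the answer above with its placeholders filled in.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": [STREAM],
     "Action": ["kinesis:Get*", "kinesis:DescribeStream", "kinesis:ListShards"]},
    {"Effect": "Allow", "Resource": [STREAM], "Action": ["kinesis:ListStreams"]},
    {"Effect": "Allow", "Resource": TABLE + "*",
     "Action": ["dynamodb:BatchGet*", "dynamodb:DescribeStream",
                "dynamodb:DescribeTable", "dynamodb:Get*", "dynamodb:Query",
                "dynamodb:Scan", "dynamodb:BatchWrite*", "dynamodb:CreateTable",
                "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem"]}]}

# (action, resource) pairs the thread identifies for a KCL consumer. Assumption:
# kinesis:ListStreams has no resource type in IAM, so it is evaluated against "*".
REQUIRED = [(a, TABLE) for a in (
    "dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:Scan",
    "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem")] + [(a, STREAM) for a in (
    "kinesis:GetShardIterator", "kinesis:GetRecords", "kinesis:DescribeStream",
    "kinesis:ListShards")] + [("kinesis:ListStreams", "*")]

def _as_list(value): return value if isinstance(value, list) else [value]

def matches(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def allowed(policy, action, resource):
    """True if one Allow statement matches the action (case-insensitive) and the ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(matches(a, action, True) for a in _as_list(stmt.get("Action", []))) and \
                any(matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False

def missing_permissions(policy, required=REQUIRED):
    return [(a, r) for a, r in required if not allowed(policy, a, r)]
```

Running `missing_permissions(SAMPLE_POLICY)` reports only `kinesis:ListStreams`, because the policy scopes that action to a stream ARN instead of `*`; every DynamoDB and Kinesis action from the thread is covered.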
