
What IAM permissions does a Kinesis Consumer need when using KCL?

I have a Kinesis consumer I wrote using the Kinesis Client Library (KCL). This consumer is running under an assumed IAM role.

I've read from the documentation that:

The KCL creates a DynamoDB table with the application name and uses the table to maintain state information (such as checkpoints and worker-shard mapping) for the application. Each application has its own DynamoDB table. For more information, see Tracking Amazon Kinesis Data Streams Application State.

Sure, I need to add the dynamodb:CreateTable permission to my IAM role. However, I'm getting errors for other things (e.g. dynamodb:DescribeTable).

Is there a list of all DynamoDB operations my KCL consumer needs access to? The documentation seems to be lacking and I'd rather have an authoritative list than keep trying to run my application.

This should be the set of permissions you need. The table name is provided by the client code; it defaults to appName but can be overridden in the ConfigsBuilder:

          - Effect: Allow
            Action:
              - dynamodb:CreateTable
              - dynamodb:DescribeTable
              - dynamodb:Scan
              - dynamodb:PutItem
              - dynamodb:GetItem
              - dynamodb:UpdateItem
              - dynamodb:DeleteItem
            Resource:
              - !Join ["", ["arn:aws:dynamodb:*:", !Ref 'AWS::AccountId', ":table/*"]]

I also had the same issue and was able to resolve it after setting this policy. There should be a proper permission enabled to access Kinesis also.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:Get*",
                "kinesis:DescribeStream",
                "kinesis:ListShards"
            ],
            "Resource": [
                "arn:aws:kinesis:ap-south-1:ACCOUNT_ID:stream/STREAM_NAME"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:ListStreams"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:ap-south-1:ACCOUNT_ID:table/TABLE_NAME*"
        }
    ]
}
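As an added example (not part of either answer), a small offline checker in Python that takes an IAM policy document and reports which of the actions the answers above list it fails to cover, honouring IAM's action wildcards and the fact that kinesis:ListStreams cannot be scoped to a stream ARN. All ARNs, the required-action table and the sample policy are constructed; adjust them to your stream, region and application name.

```python
import fnmatch

# Constructed ARNs. The action list follows the two answers above, with kinesis:Get*
# spelled out as the two Get calls the KCL makes; ListStreams is account-wide ("*" only).
REQUIRED = {
    "arn:aws:dynamodb:us-east-1:123456789012:table/my-kcl-app": [
        "dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:Scan",
        "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
    ],
    "arn:aws:kinesis:us-east-1:123456789012:stream/my-stream": [
        "kinesis:DescribeStream", "kinesis:ListShards", "kinesis:GetShardIterator", "kinesis:GetRecords",
    ],
    "*": ["kinesis:ListStreams"],
}

# Constructed policy with two mistakes: ListStreams scoped to one stream ARN, DeleteItem missing.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kinesis:Get*", "kinesis:DescribeStream", "kinesis:ListShards", "kinesis:ListStreams"],
         "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/my-stream"},
        {"Effect": "Allow",
         "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:Scan",
                    "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-kcl-app*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # Action names are case-insensitive, ARNs are case-sensitive; both accept '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_permissions(policy, required=REQUIRED):
    """Return (resource, action) pairs no Allow statement covers (Deny/NotAction/Condition ignored)."""
    allows = [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    missing = []
    for resource, actions in required.items():
        for action in actions:
            covered = any(
                any(_action_matches(p, action) for p in _as_list(s.get("Action", [])))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s.get("Resource", [])))
                for s in allows
            )
            if not covered:
                missing.append((resource, action))
    return missing
```

Run it against the policy you are about to attach to the role before starting the consumer; an empty list means every action in REQUIRED is allowed on its resource.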
