What IAM permissions does a Kinesis consumer need when using KCL?
I have a Kinesis consumer written with the Kinesis Client Library (KCL). The consumer runs under an assumed IAM role.
From the documentation I understand:
The KCL creates a DynamoDB table with the application name and uses the table to maintain state information (such as checkpoints and worker-shard mapping) for the application. Each application has its own DynamoDB table. For more information, see Tracking Amazon Kinesis Data Streams Application State.
Naturally I need to add the dynamodb:CreateTable permission to my IAM role. However, I then hit errors on other operations (for example dynamodb:DescribeTable).
Is there a list of all the DynamoDB operations my KCL consumer needs access to? The documentation seems to be missing one, and I would rather have an authoritative list than keep trial-and-error running my application.
This should be the set of permissions you need. The table name is supplied by the client code; it defaults to appName but can be overridden in ConfigsBuilder:
- Effect: Allow
  Action:
    - dynamodb:CreateTable
    - dynamodb:DescribeTable
    - dynamodb:Scan
    - dynamodb:PutItem
    - dynamodb:GetItem
    - dynamodb:UpdateItem
    - dynamodb:DeleteItem
  Resource:
    - !Join ["", ["arn:aws:dynamodb:*:", !Ref 'AWS::AccountId', ":table/*"]]
I ran into the same problem and was able to resolve it after setting this policy; you also need to enable the appropriate permissions for access to Kinesis:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:Get*",
        "kinesis:DescribeStream",
        "kinesis:ListShards"
      ],
      "Resource": [
        "arn:aws:kinesis:ap-south-1:ACCOUNT_ID:stream/STREAM_NAME"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:ListStreams"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SpecificTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGet*",
        "dynamodb:DescribeStream",
        "dynamodb:DescribeTable",
        "dynamodb:Get*",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWrite*",
        "dynamodb:CreateTable",
        "dynamodb:Delete*",
        "dynamodb:Update*",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:ap-south-1:ACCOUNT_ID:table/TABLE_NAME*"
    }
  ]
}
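The two answers above cover the DynamoDB lease table and the Kinesis stream. Two things are worth checking before deploying such a policy: the AWS sample policy for a KCL application also grants cloudwatch:PutMetricData, because KCL publishes metrics by default, and both kinesis:ListStreams and cloudwatch:PutMetricData have no resource-level permissions, so scoping them to a stream ARN never matches and they must sit on Resource "*". The Python below is an added example, not code from either answer or from the KCL project: an offline linter that encodes the action set AWS documents for a KCL 2.x consumer in polling mode (enhanced fan-out is out of scope) and reports both kinds of defect. The account id, stream and table ARNs and the two policy documents are constructed sample data; the first mirrors the policy posted above.

```python
"""Offline lint of the IAM policy a KCL consumer runs under.

Added example (not from the question or either answer). It checks a policy
document for two mistakes that show up as AccessDenied at runtime:
  1. a required action that no Allow statement grants on the stream/table ARN;
  2. an action with no resource-level permissions (kinesis:ListStreams,
     cloudwatch:PutMetricData) being scoped to an ARN, which never matches.
"""
import fnmatch

# Actions a polling-mode KCL 2.x consumer needs, keyed by the ARN they apply to.
REQUIRED = {
    "stream": ["kinesis:DescribeStream", "kinesis:GetShardIterator",
               "kinesis:GetRecords", "kinesis:ListShards"],
    "table": ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:Scan",
              "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem",
              "dynamodb:DeleteItem"],
    "*": ["cloudwatch:PutMetricData"],
}
# Actions without resource-level permissions: Resource must be "*" or they fail.
WILDCARD_ONLY = {"kinesis:ListStreams", "cloudwatch:PutMetricData"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Yield (actions, resources) for every Allow statement that has an Action key."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            yield _as_list(stmt["Action"]), _as_list(stmt.get("Resource", []))


def _matches(value, patterns, case_sensitive):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def grants(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the ARN."""
    return any(_matches(action, acts, False) and _matches(resource_arn, res, True)
               for acts, res in allow_statements(policy))


def lint_kcl_policy(policy, stream_arn, table_arn):
    """Return human-readable findings; an empty list means the policy is complete."""
    findings = []
    for acts, res in allow_statements(policy):
        for action in sorted(WILDCARD_ONLY):
            if _matches(action, acts, False) and "*" not in res:
                findings.append(f'{action} is scoped to {res}; it needs Resource "*"')
    targets = {"stream": stream_arn, "table": table_arn, "*": "*"}
    for key, actions in REQUIRED.items():
        for action in actions:
            if not grants(policy, action, targets[key]):
                findings.append(f"missing: {action} on {targets[key]}")
    return findings


# Constructed sample ARNs (hypothetical account id, stream and lease table).
STREAM = "arn:aws:kinesis:ap-south-1:123456789012:stream/orders"
TABLE = "arn:aws:dynamodb:ap-south-1:123456789012:table/orders-consumer"

# Constructed sample mirroring the policy posted in the answer above: ListStreams
# is scoped to the stream ARN and CloudWatch metrics are not granted at all.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kinesis:Get*", "kinesis:DescribeStream", "kinesis:ListShards"],
         "Resource": [STREAM]},
        {"Effect": "Allow", "Action": ["kinesis:ListStreams"], "Resource": [STREAM]},
        {"Effect": "Allow",
         "Action": ["dynamodb:BatchGet*", "dynamodb:DescribeTable", "dynamodb:Get*",
                    "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*",
                    "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*",
                    "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:ap-south-1:123456789012:table/orders-consumer*"},
    ],
}

# The same policy with both defects fixed.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": POSTED_POLICY["Statement"][:1] + [
        {"Effect": "Allow", "Action": ["kinesis:ListStreams"], "Resource": "*"},
        POSTED_POLICY["Statement"][2],
        {"Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_kcl_policy(pol, STREAM, TABLE) or "OK")
```

Wildcard matching uses fnmatch on the whole string, which is how IAM treats `*` in both action names and ARNs (it is not path-aware). The linter only proves that an Allow exists; explicit Deny statements, permission boundaries and SCPs can still block the role, so the IAM policy simulator is the final check before go-live.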