Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[aws-kinesis] Read permissions to stream don't include kinesis:DescribeStreamConsumer #22184

Closed
2 tasks
adrian-skybaker opened this issue Sep 22, 2022 · 2 comments · Fixed by #22794
Closed
2 tasks

[aws-kinesis] Read permissions to stream don't include kinesis:DescribeStreamConsumer #22184

adrian-skybaker opened this issue Sep 22, 2022 · 2 comments · Fixed by #22794
Labels
@aws-cdk/aws-kinesis Related to Amazon Kinesis feature-request A feature should be added or improved. p1

Comments

@adrian-skybaker
Copy link

adrian-skybaker commented Sep 22, 2022
edited
Loading

Currently granting read permissions to a Kinesis stream doesn't include sufficient permissions for consumers that use fan-out mode. Note that the KCL library uses fan-out out mode by default, you have to opt out of it.

As a result event after using stream.grantRead() you see errors like this in your consumer:

xxx is not authorized to perform: kinesis:DescribeStreamConsumer on resource: arn:aws:kinesis:ap-southeast-2:00000000:stream/my-application/consumer/my-consumer
xxx is not authorized to perform: kinesis:SubscribeToShard on resource: arn:aws:kinesis:ap-southeast-2:00000000:stream/application-logs-adrianbaker/consumer/my-application/consumer/my-consumer:1663667921

The required permissions are outlined at https://docs.aws.amazon.com/streams/latest/dev/tutorial-stock-data-kplkcl2-iam.html, the missing block that currently has to be added by hand is:

{
    "Sid": "Stmt234",
    "Effect": "Allow",
    "Action": [
      "kinesis:SubscribeToShard",
      "kinesis:DescribeStreamConsumer"
    ],
    "Resource": [
      "arn:aws:kinesis:us-west-2:123:stream/StockTradeStream/*"
    ]
},

Use Case

stream.grantRead() should allow a standard consumer using the KCL library with default settings to work without additional IAM policies.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.43.0

Environment details (OS name and version, etc.)

MS-DOS 6.x
@adrian-skybaker adrian-skybaker added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 22, 2022
@github-actions github-actions bot added the @aws-cdk/aws-kinesis Related to Amazon Kinesis label Sep 22, 2022
@Naumel Naumel added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 22, 2022
@adrian-skybaker
Copy link
Author

adrian-skybaker commented Sep 25, 2022
edited
Loading

(edited to include missing kinesis:RegisterStreamConsumer permission)

edit my edit: kinesis:RegisterStreamConsumer is required on the stream itself (eg arn:aws:kinesis:us-west-2:123:stream/StockTradeStream), not the consumer resources underneath (eg `arn:aws:kinesis:us-west-2:123:stream/StockTradeStream/*).

watany-dev added a commit to watany-dev/aws-cdk that referenced this issue Nov 1, 2022
@watany-dev
aws#22184 fix(kinesis):Re ad permissions to stream doclude kinesis:De…
a1302fc 
…scribeStreamConsumer
This was referenced Nov 1, 2022
Closed
Merged
@otaviomacedo otaviomacedo removed their assignment Nov 18, 2022
@mergify mergify bot closed this as completed in #22794 Nov 25, 2022
mergify bot pushed a commit that referenced this issue Nov 25, 2022
@watany-dev
fix(kinesis): read permissions for stream do not include `kinesis:Des…
e53352d 
…cribeStreamConsumer` (#22794)

reopen [22727](#22727)
 
Grant Read(Write) Permission Action

"kinesis:DescribeStreamConsumer"
It appears that the following actions had already been added

"kinesis:SubscribeToShard",
ref. https://docs.aws.amazon.com/streams/latest/dev/tutorial-stock-data-kplkcl2-iam.html

Fixes #22184

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-kinesis Related to Amazon Kinesis feature-request A feature should be added or improved. p1
Projects
None yet
Milestone
No milestone
3 participants
@otaviomacedo @adrian-skybaker @Naumel