diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
index b2fed1eb10329..8cc08fa70bfdc 100644
--- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
@@ -12,6 +12,8 @@ const READ_OPERATIONS = [
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
 'kinesis:SubscribeToShard',
+ 'kinesis:DescribeStream',
+ 'kinesis:ListStreams',
 ];
 const WRITE_OPERATIONS = [
diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json
index 15055271413a2..41230acc599a2 100644
--- a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json
+++ b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json
@@ -44,6 +44,8 @@
 "kinesis:GetShardIterator",
 "kinesis:ListShards",
 "kinesis:SubscribeToShard",
+ "kinesis:DescribeStream",
+ "kinesis:ListStreams",
 "kinesis:PutRecord",
 "kinesis:PutRecords"
 ],
diff --git a/packages/@aws-cdk/aws-kinesis/test/stream.test.ts b/packages/@aws-cdk/aws-kinesis/test/stream.test.ts
index 089261c6ebdae..dee29db89d384 100644
--- a/packages/@aws-cdk/aws-kinesis/test/stream.test.ts
+++ b/packages/@aws-cdk/aws-kinesis/test/stream.test.ts
@@ -503,6 +503,8 @@ describe('Kinesis data streams', () => {
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
 'kinesis:SubscribeToShard',
+ 'kinesis:DescribeStream',
+ 'kinesis:ListStreams',
 ],
 Effect: 'Allow',
 Resource: {
@@ -811,6 +813,8 @@ describe('Kinesis data streams', () => {
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
 'kinesis:SubscribeToShard',
+ 'kinesis:DescribeStream',
+ 'kinesis:ListStreams',
 'kinesis:PutRecord',
 'kinesis:PutRecords',
 ],
@@ -884,6 +888,8 @@ describe('Kinesis data streams', () => {
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
 'kinesis:SubscribeToShard',
+ 'kinesis:DescribeStream',
+ 'kinesis:ListStreams',
 ],
 Effect: 'Allow',
 Resource: {
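Review bot: `'kinesis:ListStreams'` in the READ_OPERATIONS hunk of lib/stream.ts widens every `grantRead`/`grantReadWrite` caller, and it is probably inert where it lands: as far as I know ListStreams is an account-level action that IAM does not match against a stream ARN, while the updated test expectations keep these actions in a statement with a `Resource` entry. I would drop it from the shared list and let a consumer that really needs it add it on its own statement. `'kinesis:DescribeStream'` is what the Firehose workaround removed from delivery-stream.ts used to add, so the rationale deleted there should move next to the new entry, e.g. `// DescribeStream: deprecated, but Firehose still calls it instead of DescribeStreamSummary`. The array starts above the hunk, so confirm the existing entries before placing the comment.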
@@ -1050,6 +1056,8 @@ describe('Kinesis data streams', () => {
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
 'kinesis:SubscribeToShard',
+ 'kinesis:DescribeStream',
+ 'kinesis:ListStreams',
 'kinesis:PutRecord',
 'kinesis:PutRecords',
 ],
diff --git a/packages/@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts b/packages/@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts
index 7dfaed8eb384b..35230fc284bd9 100644
--- a/packages/@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts
+++ b/packages/@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts
@@ -358,13 +358,6 @@ export class DeliveryStream extends DeliveryStreamBase {
 roleArn: role.roleArn,
 } : undefined;
 const readStreamGrant = props.sourceStream?.grantRead(role);
- /*
- * Firehose still uses the deprecated DescribeStream API instead of the modern DescribeStreamSummary API.
- * kinesis.IStream.grantRead does not provide DescribeStream permissions so we add it manually here.
- */
- if (readStreamGrant && readStreamGrant.principalStatement) {
- readStreamGrant.principalStatement.addActions('kinesis:DescribeStream');
- }
 const destinationConfig = props.destinations[0].bind(this, {});
diff --git a/packages/@aws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.expected.json b/packages/@aws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.expected.json
index eb46541a1cdf2..896d0487a091c 100644
--- a/packages/@aws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.expected.json
+++ b/packages/@aws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.expected.json
@@ -119,7 +119,8 @@
 "kinesis:GetShardIterator",
 "kinesis:ListShards",
 "kinesis:SubscribeToShard",
- "kinesis:DescribeStream"
+ "kinesis:DescribeStream",
+ "kinesis:ListStreams"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json
index aafb84ca19c72..c1690f2f03aac 100644
--- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json
+++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json
@@ -42,7 +42,9 @@
 "kinesis:GetRecords",
 "kinesis:GetShardIterator",
 "kinesis:ListShards",
- "kinesis:SubscribeToShard"
+ "kinesis:SubscribeToShard",
+ "kinesis:DescribeStream",
+ "kinesis:ListStreams"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json
index 4d0a6c1a54707..616adaef6a86a 100644
--- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json
+++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json
@@ -56,7 +56,9 @@
 "kinesis:GetRecords",
 "kinesis:GetShardIterator",
 "kinesis:ListShards",
- "kinesis:SubscribeToShard"
+ "kinesis:SubscribeToShard",
+ "kinesis:DescribeStream",
+ "kinesis:ListStreams"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts
index 96701d6c83f7a..e77fec71e5079 100644
--- a/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts
+++ b/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts
@@ -30,6 +30,8 @@ describe('KinesisEventSource', () => {
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
 'kinesis:SubscribeToShard',
+ 'kinesis:DescribeStream',
+ 'kinesis:ListStreams',
 ],
 'Effect': 'Allow',
 'Resource': {