From eb477c1d12f0e3e683402cf1b0ea85425c4da7f9 Mon Sep 17 00:00:00 2001
From: Kevin Reilly
Date: Wed, 5 Feb 2020 19:31:20 -0700
Subject: [PATCH 01/14] Adding listShards grants to read
---
 packages/@aws-cdk/aws-kinesis/lib/stream.ts | 8 ++++++--
 packages/@aws-cdk/aws-kinesis/test/test.stream.ts | 11 ++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
index 3f17bc40d08f9..bbca450d318d8 100644
--- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
@@ -109,7 +109,7 @@ abstract class StreamBase extends Resource implements IStream {
 * contents of the stream will also be granted.
 */
 public grantRead(grantee: iam.IGrantable) {
- const ret = this.grant(grantee, 'kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator');
+ const ret = this.grant(grantee, 'kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards');
 if (this.encryptionKey) {
 this.encryptionKey.grantDecrypt(grantee);
@@ -148,6 +148,7 @@ abstract class StreamBase extends Resource implements IStream {
 'kinesis:DescribeStream',
 'kinesis:GetRecords',
 'kinesis:GetShardIterator',
+ 'kinesis:ListShards',
 'kinesis:PutRecord',
 'kinesis:PutRecords');
@@ -158,7 +159,10 @@ abstract class StreamBase extends Resource implements IStream {
 return ret;
 }
- private grant(grantee: iam.IGrantable, ...actions: string[]) {
+ /**
+ * Grant the indicated permissions on this key to the given IAM principal (Role/Group/User).
+ */
+ public grant(grantee: iam.IGrantable, ...actions: string[]) {
 return iam.Grant.addToPrincipal({
 grantee,
 actions,
diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
index f4881997a00c8..fdcca444456c1 100644
--- a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
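Review bot: Changing `grant` from `private` to `public` (the `@@ -158,7 +159,10 @@` hunk) exposes an escape hatch that accepts any action string, so a caller can attach arbitrary `kinesis:*` actions to a principal without going through the curated `grantRead`/`grantWrite` lists; the new JSDoc should state that this is the intent, e.g. add `* Prefer grantRead/grantWrite/grantReadWrite; use this only for actions those do not cover.` Whether `IStream` also needs the new method so that imported streams expose it cannot be seen from this hunk. The body of `grant` continues past the end of the hunk.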
@@ -372,7 +372,8 @@ export = { "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", - "kinesis:GetShardIterator" + "kinesis:GetShardIterator", + "kinesis:ListShards" ], "Effect": "Allow", "Resource": { @@ -662,6 +663,7 @@ export = { "kinesis:DescribeStream", "kinesis:GetRecords", "kinesis:GetShardIterator", + "kinesis:ListShards", "kinesis:PutRecord", "kinesis:PutRecords" ], @@ -734,7 +736,8 @@ export = { "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", - "kinesis:GetShardIterator" + "kinesis:GetShardIterator", + "kinesis:ListShards" ], "Effect": "Allow", "Resource": { @@ -843,6 +846,7 @@ export = { "kinesis:DescribeStream", "kinesis:GetRecords", "kinesis:GetShardIterator", + "kinesis:ListShards", "kinesis:PutRecord", "kinesis:PutRecords" ], @@ -921,7 +925,8 @@ export = { "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", - "kinesis:GetShardIterator" + "kinesis:GetShardIterator", + "kinesis:ListShards" ], "Effect": "Allow", "Resource": { From 061b04a49b9b7891397de0254ef3dff9269c4e1e Mon Sep 17 00:00:00 2001 From: Kevin Reilly Date: Wed, 5 Feb 2020 20:17:16 -0700 Subject: [PATCH 02/14] Add ListShards to kinesis stream test --- .../@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts index 53bd8eb3b0c27..7e1704a002ae8 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts @@ -28,7 +28,8 @@ export = { "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", - "kinesis:GetShardIterator" + "kinesis:GetShardIterator", + "kinesis:ListShards" ], "Effect": "Allow", "Resource": { From 691f1c48430679926eb7105073bf2898178e1f7b Mon Sep 17 00:00:00 2001 
From: Kevin Reilly Date: Wed, 5 Feb 2020 21:57:36 -0700 Subject: [PATCH 03/14] modified kinesis expected as generated by cdk-integ --- .../test/integ.kinesis.expected.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json index 171153b38f6d0..c469003181992 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json @@ -40,7 +40,8 @@ "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", - "kinesis:GetShardIterator" + "kinesis:GetShardIterator", + "kinesis:ListShards" ], "Effect": "Allow", "Resource": { @@ -105,4 +106,4 @@ } } } -} +} \ No newline at end of file From f5adcf7a006323b550f1650054610233ef3ebc8a Mon Sep 17 00:00:00 2001 From: Kevin Reilly Date: Tue, 24 Mar 2020 13:39:44 -0600 Subject: [PATCH 04/14] Added documentation for granting access to stream in README --- packages/@aws-cdk/aws-kinesis/README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/packages/@aws-cdk/aws-kinesis/README.md b/packages/@aws-cdk/aws-kinesis/README.md index 4b43800ce7632..f7fb145aa64b5 100644 --- a/packages/@aws-cdk/aws-kinesis/README.md +++ b/packages/@aws-cdk/aws-kinesis/README.md 
@@ -46,3 +46,24 @@ const stream = new Stream(this, 'MyEncryptedStream', { assert(stream.encryptionKey === myKmsKey); ``` + +### Granting IAM Permissions on Stream to Grantable + +Read and Write iam actions can be added to a iam.IGrantable. If the stream has an encryption key attributed, access +to encrypt and/or decrypt with the encryption key will also be added to the grantable. There are three instance methods +available on a Stream object: +*.grantWrite(grantee: iam.IGrantable) +*.grantRead(grantee: iam.IGrantable) +*.grantReadWrite(grantee: iam.IGrantable) +```ts +const grantable = new iam.Role(this, 'Role', { + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), + description: 'Example role...', +} + +const stream = new Stream(this, 'MyEncryptedStream', { + encryption: StreamEncryption.Kms +}); + +stream.grantRead(grantable); +``` From 7d582fc1e3ef62fd99260e08a0fcbf71a58f251a Mon Sep 17 00:00:00 2001 From: Shiv Lakshminarayan Date: Sat, 4 Apr 2020 19:16:06 -0700 Subject: [PATCH 05/14] update integ tests --- .../test/integ.kinesiswithdlq.expected.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json index f524c95bd7f22..396f379e3a337 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json @@ -54,7 +54,8 @@ "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", - "kinesis:GetShardIterator" + "kinesis:GetShardIterator", + "kinesis:ListShards" ], "Effect": "Allow", "Resource": { From c353d984056ad91ff0a9158a3d2bc1da6b7f2de5 Mon Sep 17 00:00:00 2001 
From: Shiv Lakshminarayan Date: Sat, 4 Apr 2020 22:11:38 -0700 Subject: [PATCH 06/14] update README --- packages/@aws-cdk/aws-kinesis/README.md | 62 +++++++++++++++++++++---- 1 file changed, 52 insertions(+), 10 deletions(-) diff --git a/packages/@aws-cdk/aws-kinesis/README.md b/packages/@aws-cdk/aws-kinesis/README.md index 4d3108214fae1..bb71e87a3131e 100644 --- a/packages/@aws-cdk/aws-kinesis/README.md +++ b/packages/@aws-cdk/aws-kinesis/README.md @@ -26,6 +26,9 @@ intake and aggregation. - [Streams](#streams) - [Encryption](#encryption) - [Import](#import) + - [Permission Grants](#permission-grants) + - [Read Permissions](#read-permissions) + - [Write Permissions](#write-permissions) ## Streams 
@@ -120,23 +123,62 @@ const importedStream = Stream.fromStreamAttributes( ); ``` -### Granting IAM Permissions on Stream to Grantable +### Permission Grants + +IAM roles, users or groups which need to be able to work with Amazon Kinesis streams at runtime will should be granted IAM permissions. Any object that implements the `IGrantable` +interface (has an associated principal) can be granted permissions by calling: + +- `grantRead(principal)` - grants the principal read access +- `grantWrite(principal)` - grants the principal write permissions to a Stream +- `grantReadWrite(principal)` - grants principal read and write permissions + +#### Read Permissions + +Grant `read` access to a stream by calling the `grantRead()` API. +If the stream has an encryption key, read permissions will also be granted to the key. + +```ts +const lambdaRole = new iam.Role(this, 'Role', { + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), + description: 'Example role...', +} + +const stream = new Stream(this, 'MyEncryptedStream', { + encryption: StreamEncryption.KMS +}); + +// give lambda permissions to read stream +stream.grantRead(lambdaRole); +``` + +The following read permissions are provided to a service principal by the `grantRead()` API: + +- `kinesis:DescribeStream` +- `kinesis:GetRecords` +- `kinesis:GetShardIterator` +- `kinesis:ListShards` + +#### Write Permissions + +Grant `write` permissions to a stream is provided by calling the `grantWrite()` API. +If the stream has an encryption key, write permissions will also be granted to the key. -Read and Write iam actions can be added to a iam.IGrantable. If the stream has an encryption key attributed, access -to encrypt and/or decrypt with the encryption key will also be added to the grantable. 
There are three instance methods -available on a Stream object: -*.grantWrite(grantee: iam.IGrantable) -*.grantRead(grantee: iam.IGrantable) -*.grantReadWrite(grantee: iam.IGrantable) ```ts -const grantable = new iam.Role(this, 'Role', { +const lambdaRole = new iam.Role(this, 'Role', { assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), description: 'Example role...', } const stream = new Stream(this, 'MyEncryptedStream', { - encryption: StreamEncryption.Kms + encryption: StreamEncryption.KMS }); -stream.grantRead(grantable); +// give lambda permissions to write to stream +stream.grantWrite(lambdaRole); ``` + +The following write permissions are provided to a service principal by the `grantWrite()` API: + +- `kinesis:DescribeStream` +- `kinesis:PutRecord` +- `kinesis:PutRecords` From d427c0f776d176e0fcef22223ec43fa1890df4d3 Mon Sep 17 00:00:00 2001 From: Shiv Lakshminarayan Date: Sat, 4 Apr 2020 22:13:20 -0700 Subject: [PATCH 07/14] update documentation on the grant method --- packages/@aws-cdk/aws-kinesis/lib/stream.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts index 6e3c3e7feb01a..4cd4f2cf426f3 100644 --- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts +++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts @@ -166,7 +166,7 @@ abstract class StreamBase extends Resource implements IStream { } /** - * Grant the indicated permissions on this key to the given IAM principal (Role/Group/User). + * Grant the indicated permissions on this stream to the given IAM principal (Role/Group/User). */ public grant(grantee: iam.IGrantable, ...actions: string[]) { return iam.Grant.addToPrincipal({ From 165b7a2b9a578e0c174de21544ddd287757f230b Mon Sep 17 00:00:00 2001 
From: Shiv Lakshminarayan Date: Mon, 6 Apr 2020 10:14:55 -0700 Subject: [PATCH 08/14] fix eslint errors for usage of double quotes --- packages/@aws-cdk/aws-kinesis/lib/stream.ts | 14 ++-- .../@aws-cdk/aws-kinesis/test/test.stream.ts | 79 +++++++------------ .../test/test.kinesis.ts | 10 +-- 3 files changed, 40 insertions(+), 63 deletions(-) diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts index d8f5c1a06e84d..991b0de554e4d 100644 --- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts +++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts @@ -150,13 +150,13 @@ abstract class StreamBase extends Resource implements IStream { */ public grantReadWrite(grantee: iam.IGrantable) { const ret = this.grant( - grantee, - 'kinesis:DescribeStream', - 'kinesis:GetRecords', - 'kinesis:GetShardIterator', - 'kinesis:ListShards', - 'kinesis:PutRecord', - 'kinesis:PutRecords'); + grantee, + 'kinesis:DescribeStream', + 'kinesis:GetRecords', + 'kinesis:GetShardIterator', + 'kinesis:ListShards', + 'kinesis:PutRecord', + 'kinesis:PutRecords'); if (this.encryptionKey) { this.encryptionKey.grantEncryptDecrypt(grantee); diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts index e44f7fe97e5c3..23a0c65808936 100644 --- a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts +++ b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts @@ -305,7 +305,6 @@ export = { }, 'encryption key cannot be supplied with UNENCRYPTED as the encryption type'(test: Test) { - const stack = new Stack(); const key = new kms.Key(stack, 'myKey'); 
@@ -608,18 +607,10 @@ export = { PolicyDocument: { Statement: [ { - "Action": [ - "kinesis:DescribeStream", - "kinesis:GetRecords", - "kinesis:GetShardIterator", - "kinesis:ListShards" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "MyStream5C050E93", - "Arn" - ] + Action: ['kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards'], + Effect: 'Allow', + Resource: { + 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] } }, { @@ -864,20 +855,17 @@ export = { PolicyDocument: { Statement: [ { - "Action": [ - "kinesis:DescribeStream", - "kinesis:GetRecords", - "kinesis:GetShardIterator", - "kinesis:ListShards", - "kinesis:PutRecord", - "kinesis:PutRecords" + Action: [ + 'kinesis:DescribeStream', + 'kinesis:GetRecords', + 'kinesis:GetShardIterator', + 'kinesis:ListShards', + 'kinesis:PutRecord', + 'kinesis:PutRecords' ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "MyStream5C050E93", - "Arn" - ] + Effect: 'Allow', + Resource: { + 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] } }, { @@ -942,18 +930,10 @@ export = { PolicyDocument: { Statement: [ { - "Action": [ - "kinesis:DescribeStream", - "kinesis:GetRecords", - "kinesis:GetShardIterator", - "kinesis:ListShards" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "MyStream5C050E93", - "Arn" - ] + Action: ['kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards'], + Effect: 'Allow', + Resource: { + 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] } } ], 
@@ -1112,20 +1092,17 @@ export = { PolicyDocument: { Statement: [ { - "Action": [ - "kinesis:DescribeStream", - "kinesis:GetRecords", - "kinesis:GetShardIterator", - "kinesis:ListShards", - "kinesis:PutRecord", - "kinesis:PutRecords" + Action: [ + 'kinesis:DescribeStream', + 'kinesis:GetRecords', + 'kinesis:GetShardIterator', + 'kinesis:ListShards', + 'kinesis:PutRecord', + 'kinesis:PutRecords' ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "MyStream5C050E93", - "Arn" - ] + Effect: 'Allow', + Resource: { + 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] } } ], diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts index f235f995224ee..30853f4dcfaef 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts @@ -25,11 +25,11 @@ export = { 'PolicyDocument': { 'Statement': [ { - "Action": [ - "kinesis:DescribeStream", - "kinesis:GetRecords", - "kinesis:GetShardIterator", - "kinesis:ListShards" + 'Action': [ + 'kinesis:DescribeStream', + 'kinesis:GetRecords', + 'kinesis:GetShardIterator', + 'kinesis:ListShards' ], 'Effect': 'Allow', 'Resource': { From 4a898b7eacb1dfffb797fb41fdcca702251af0b2 Mon Sep 17 00:00:00 2001 From: Shiv Lakshminarayan Date: Mon, 6 Apr 2020 13:23:08 -0700 Subject: [PATCH 09/14] update kinesis integ test --- packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json index 1489ca5e34000..ab5e389f2b990 100644 --- a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json +++ b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json 
@@ -42,6 +42,7 @@
 "kinesis:DescribeStream",
 "kinesis:GetRecords",
 "kinesis:GetShardIterator",
+ "kinesis:ListShards",
 "kinesis:PutRecord",
 "kinesis:PutRecords"
 ],
From eedd36abc63d2504eff729749b239ffe0d70189c Mon Sep 17 00:00:00 2001
From: Shiv Lakshminarayan
Date: Mon, 6 Apr 2020 14:51:31 -0700
Subject: [PATCH 10/14] updated permissions based on recommendations from Kinesis tream
---
 packages/@aws-cdk/aws-kinesis/lib/stream.ts | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
index 991b0de554e4d..f7ae84e28a1ed 100644
--- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
@@ -115,7 +115,13 @@ abstract class StreamBase extends Resource implements IStream {
 * contents of the stream will also be granted.
 */
 public grantRead(grantee: iam.IGrantable) {
- const ret = this.grant(grantee, 'kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards');
+ const ret = this.grant(
+ grantee,
+ 'kinesis:DescribeStreamSummary',
+ 'kinesis:GetRecords',
+ 'kinesis:GetShardIterator',
+ 'kinesis:ListShards',
+ 'kinesis:SubscribeToShard');
 if (this.encryptionKey) {
 this.encryptionKey.grantDecrypt(grantee);
@@ -132,7 +138,11 @@ abstract class StreamBase extends Resource implements IStream {
 * contents of the stream will also be granted.
 */
 public grantWrite(grantee: iam.IGrantable) {
- const ret = this.grant(grantee, 'kinesis:DescribeStream', 'kinesis:PutRecord', 'kinesis:PutRecords');
+ const ret = this.grant(
+ grantee,
+ 'kinesis:ListShards',
+ 'kinesis:PutRecord',
+ 'kinesis:PutRecords');
 if (this.encryptionKey) {
 this.encryptionKey.grantEncrypt(grantee);
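Review bot: `grantWrite` (the `@@ -132,7 +138,11 @@` hunk) swaps `kinesis:DescribeStream` for `kinesis:ListShards`, which silently revokes DescribeStream from every producer role already deployed through this construct; the same swap is made in `grantRead` in the hunk above and in `grantReadWrite` on the next line, and nothing in the commit marks it as a behaviour change or explains it beyond citing a recommendation. The JSDoc above each method, or the README, should name the removed action and the reason so that users who see a new AccessDenied can trace it, e.g. `* DescribeStream is no longer granted to writers; ListShards is granted instead (per the Kinesis team recommendation).` Adding `kinesis:SubscribeToShard` to every reader also broadens the read grant to the enhanced fan-out API, which presumably only some consumers need; worth stating that the inclusion is deliberate. Both method bodies start before and end after their hunks.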
@@ -151,12 +161,13 @@ abstract class StreamBase extends Resource implements IStream {
 public grantReadWrite(grantee: iam.IGrantable) {
 const ret = this.grant(
 grantee,
- 'kinesis:DescribeStream',
+ 'kinesis:DescribeStreamSummary',
 'kinesis:GetRecords',
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
 'kinesis:PutRecord',
- 'kinesis:PutRecords');
+ 'kinesis:PutRecords',
+ 'kinesis:SubscribeToShard');
 if (this.encryptionKey) {
 this.encryptionKey.grantEncryptDecrypt(grantee);
From be01b979eec679854898c3a68f63aa4b07213a35 Mon Sep 17 00:00:00 2001
From: Shiv Lakshminarayan
Date: Mon, 6 Apr 2020 14:51:40 -0700
Subject: [PATCH 11/14] update README
---
 packages/@aws-cdk/aws-kinesis/README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-kinesis/README.md b/packages/@aws-cdk/aws-kinesis/README.md
index bb71e87a3131e..d2ed9a9a38199 100644
--- a/packages/@aws-cdk/aws-kinesis/README.md
+++ b/packages/@aws-cdk/aws-kinesis/README.md
@@ -153,10 +153,11 @@ stream.grantRead(lambdaRole);
 The following read permissions are provided to a service principal by the `grantRead()` API:
-- `kinesis:DescribeStream`
+- `kinesis:DescribeStreamSummary`
 - `kinesis:GetRecords`
 - `kinesis:GetShardIterator`
 - `kinesis:ListShards`
+- `kinesis:SubscribeToShard`
 #### Write Permissions
@@ -179,6 +180,6 @@ stream.grantWrite(lambdaRole);
 The following write permissions are provided to a service principal by the `grantWrite()` API:
-- `kinesis:DescribeStream`
+- `kinesis:ListShards`
 - `kinesis:PutRecord`
 - `kinesis:PutRecords`
From f0b05b8e0ef09ceee401714b55d72f4cedeac9ce Mon Sep 17 00:00:00 2001
From: Shiv Lakshminarayan Date: Mon, 6 Apr 2020 15:56:42 -0700 Subject: [PATCH 12/14] update grants to include DescribeStreamSummary and SubscribeToShard APIs, writes to include ListShards --- packages/@aws-cdk/aws-kinesis/README.md | 1 + packages/@aws-cdk/aws-kinesis/lib/stream.ts | 2 ++ .../test/integ.stream.expected.json | 4 ++- .../@aws-cdk/aws-kinesis/test/test.stream.ts | 30 +++++++++++++++---- .../test/integ.kinesis.expected.json | 4 ++- .../test/integ.kinesiswithdlq.expected.json | 4 ++- .../test/test.kinesis.ts | 4 ++- 7 files changed, 39 insertions(+), 10 deletions(-) diff --git a/packages/@aws-cdk/aws-kinesis/README.md b/packages/@aws-cdk/aws-kinesis/README.md index d2ed9a9a38199..193f73b513031 100644 --- a/packages/@aws-cdk/aws-kinesis/README.md +++ b/packages/@aws-cdk/aws-kinesis/README.md @@ -153,6 +153,7 @@ stream.grantRead(lambdaRole); The following read permissions are provided to a service principal by the `grantRead()` API: +- `kinesis:DescribeStream` - `kinesis:DescribeStreamSummary` - `kinesis:GetRecords` - `kinesis:GetShardIterator` diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts index f7ae84e28a1ed..20b6489737a32 100644 --- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts +++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts @@ -117,6 +117,7 @@ abstract class StreamBase extends Resource implements IStream { public grantRead(grantee: iam.IGrantable) { const ret = this.grant( grantee, + 'kinesis:DescribeStream', 'kinesis:DescribeStreamSummary', 'kinesis:GetRecords', 'kinesis:GetShardIterator', @@ -161,6 +162,7 @@ abstract class StreamBase extends Resource implements IStream { public grantReadWrite(grantee: iam.IGrantable) { const ret = this.grant( grantee, + 'kinesis:DescribeStream', 'kinesis:DescribeStreamSummary', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 
diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json index ab5e389f2b990..52ee8ae503458 100644 --- a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json +++ b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json @@ -40,11 +40,13 @@ { "Action": [ "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator", "kinesis:ListShards", "kinesis:PutRecord", - "kinesis:PutRecords" + "kinesis:PutRecords", + "kinesis:SubscribeToShard" ], "Effect": "Allow", "Resource": { diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts index 23a0c65808936..f81253dc0096d 100644 --- a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts +++ b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts @@ -607,7 +607,14 @@ export = { PolicyDocument: { Statement: [ { - Action: ['kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards'], + Action: [ + 'kinesis:DescribeStream', + 'kinesis:DescribeStreamSummary', + 'kinesis:GetRecords', + 'kinesis:GetShardIterator', + 'kinesis:ListShards', + 'kinesis:SubscribeToShard' + ], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] @@ -731,7 +738,7 @@ export = { PolicyDocument: { Statement: [ { - Action: ['kinesis:DescribeStream', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] @@ -857,11 +864,13 @@ export = { { Action: [ 'kinesis:DescribeStream', + 'kinesis:DescribeStreamSummary', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards', 'kinesis:PutRecord', - 'kinesis:PutRecords' + 'kinesis:PutRecords', + 'kinesis:SubscribeToShard' ], Effect: 'Allow', Resource: { 
@@ -930,7 +939,14 @@ export = { PolicyDocument: { Statement: [ { - Action: ['kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards'], + Action: [ + 'kinesis:DescribeStream', + 'kinesis:DescribeStreamSummary', + 'kinesis:GetRecords', + 'kinesis:GetShardIterator', + 'kinesis:ListShards', + 'kinesis:SubscribeToShard' + ], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] @@ -1011,7 +1027,7 @@ export = { PolicyDocument: { Statement: [ { - Action: ['kinesis:DescribeStream', 'kinesis:PutRecord', 'kinesis:PutRecords'], + Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyStream5C050E93', 'Arn'] @@ -1094,11 +1110,13 @@ export = { { Action: [ 'kinesis:DescribeStream', + 'kinesis:DescribeStreamSummary', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards', 'kinesis:PutRecord', - 'kinesis:PutRecords' + 'kinesis:PutRecords', + 'kinesis:SubscribeToShard' ], Effect: 'Allow', Resource: { diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json index 865d717b54af5..80e11a45e9dea 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json @@ -39,9 +39,11 @@ { "Action": [ "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator", - "kinesis:ListShards" + "kinesis:ListShards", + "kinesis:SubscribeToShard" ], "Effect": "Allow", "Resource": { diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json index 396f379e3a337..00fedc03e9077 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json 
+++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json @@ -53,9 +53,11 @@ { "Action": [ "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator", - "kinesis:ListShards" + "kinesis:ListShards", + "kinesis:SubscribeToShard" ], "Effect": "Allow", "Resource": { diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts index 30853f4dcfaef..c62af36d09249 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/test.kinesis.ts @@ -27,9 +27,11 @@ export = { { 'Action': [ 'kinesis:DescribeStream', + 'kinesis:DescribeStreamSummary', 'kinesis:GetRecords', 'kinesis:GetShardIterator', - 'kinesis:ListShards' + 'kinesis:ListShards', + 'kinesis:SubscribeToShard' ], 'Effect': 'Allow', 'Resource': { From 59dd286c229b35f377c3d72578f8eea734a1dcfa Mon Sep 17 00:00:00 2001 From: Shiv Lakshminarayan Date: Mon, 6 Apr 2020 17:02:23 -0700 Subject: [PATCH 13/14] update logs-destinations tests to reflect write permissions --- packages/@aws-cdk/aws-logs-destinations/test/kinesis.test.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-logs-destinations/test/kinesis.test.ts b/packages/@aws-cdk/aws-logs-destinations/test/kinesis.test.ts index ac7e97a07afd3..08c09563aff38 100644 --- a/packages/@aws-cdk/aws-logs-destinations/test/kinesis.test.ts +++ b/packages/@aws-cdk/aws-logs-destinations/test/kinesis.test.ts @@ -51,7 +51,7 @@ test('stream can be subscription destination', () => { Statement: [ { Action: [ - 'kinesis:DescribeStream', + 'kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords', ], 
@@ -122,7 +122,7 @@ test('stream can be subscription destination twice, without duplicating permissi Statement: [ { Action: [ - 'kinesis:DescribeStream', + 'kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords', ], From a7c79bcc38ec3cca81e445587cd5fb8242306884 Mon Sep 17 00:00:00 2001 From: Shiv Lakshminarayan Date: Wed, 8 Apr 2020 09:35:39 -0700 Subject: [PATCH 14/14] incorporate PR feedback --- packages/@aws-cdk/aws-kinesis/README.md | 5 ++- packages/@aws-cdk/aws-kinesis/lib/stream.ts | 41 ++++++++----------- .../test/integ.stream.expected.json | 4 +- .../@aws-cdk/aws-kinesis/test/test.stream.ts | 8 ++-- 4 files changed, 27 insertions(+), 31 deletions(-) diff --git a/packages/@aws-cdk/aws-kinesis/README.md b/packages/@aws-cdk/aws-kinesis/README.md index 193f73b513031..7b3c36bacfa7a 100644 --- a/packages/@aws-cdk/aws-kinesis/README.md +++ b/packages/@aws-cdk/aws-kinesis/README.md @@ -125,8 +125,9 @@ const importedStream = Stream.fromStreamAttributes( ### Permission Grants -IAM roles, users or groups which need to be able to work with Amazon Kinesis streams at runtime will should be granted IAM permissions. Any object that implements the `IGrantable` -interface (has an associated principal) can be granted permissions by calling: +IAM roles, users or groups which need to be able to work with Amazon Kinesis streams at runtime should be granted IAM permissions. + +Any object that implements the `IGrantable` interface (has an associated principal) can be granted permissions by calling: - `grantRead(principal)` - grants the principal read access - `grantWrite(principal)` - grants the principal write permissions to a Stream diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts index 20b6489737a32..2c755aacef81c 100644 --- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts +++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts 
@@ -4,6 +4,21 @@ import { Aws, CfnCondition, Construct, Duration, Fn, IResource, Resource, Stack
 import { IResolvable } from 'constructs';
 import { CfnStream } from './kinesis.generated';
+const READ_OPERATIONS = [
+ 'kinesis:DescribeStream',
+ 'kinesis:DescribeStreamSummary',
+ 'kinesis:GetRecords',
+ 'kinesis:GetShardIterator',
+ 'kinesis:ListShards',
+ 'kinesis:SubscribeToShard'
+];
+
+const WRITE_OPERATIONS = [
+ 'kinesis:ListShards',
+ 'kinesis:PutRecord',
+ 'kinesis:PutRecords'
+];
+
 /**
 * A Kinesis Stream
 */
@@ -115,14 +130,7 @@ abstract class StreamBase extends Resource implements IStream {
 * contents of the stream will also be granted.
 */
 public grantRead(grantee: iam.IGrantable) {
- const ret = this.grant(
- grantee,
- 'kinesis:DescribeStream',
- 'kinesis:DescribeStreamSummary',
- 'kinesis:GetRecords',
- 'kinesis:GetShardIterator',
- 'kinesis:ListShards',
- 'kinesis:SubscribeToShard');
+ const ret = this.grant(grantee, ...READ_OPERATIONS);
 if (this.encryptionKey) {
 this.encryptionKey.grantDecrypt(grantee);
@@ -139,11 +147,7 @@ abstract class StreamBase extends Resource implements IStream {
 * contents of the stream will also be granted.
 */
 public grantWrite(grantee: iam.IGrantable) {
- const ret = this.grant(
- grantee,
- 'kinesis:ListShards',
- 'kinesis:PutRecord',
- 'kinesis:PutRecords');
+ const ret = this.grant(grantee, ...WRITE_OPERATIONS);
 if (this.encryptionKey) {
 this.encryptionKey.grantEncrypt(grantee);
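Review bot: `READ_OPERATIONS` and `WRITE_OPERATIONS` (the `@@ -4,6 +4,21 @@` hunk) are inferred as mutable `string[]`, so any later code in the module could append to the lists that every grant in this file spreads into an IAM policy; closing each list with `] as const;` (or annotating `: readonly string[]`) makes the permission sets immutable and still spreads into `grant`'s `...actions: string[]` rest parameter. Each list also deserves a one-line comment on what it backs, since `kinesis:ListShards` appears in both and `kinesis:SubscribeToShard` is the enhanced fan-out API rather than something every reader needs: `// Actions granted by grantRead(); SubscribeToShard is for enhanced fan-out consumers` and `// Actions granted by grantWrite(); see README "Write Permissions"`.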
@@ -160,16 +164,7 @@ abstract class StreamBase extends Resource implements IStream {
 * encrypt/decrypt will also be granted.
 */
 public grantReadWrite(grantee: iam.IGrantable) {
- const ret = this.grant(
- grantee,
- 'kinesis:DescribeStream',
- 'kinesis:DescribeStreamSummary',
- 'kinesis:GetRecords',
- 'kinesis:GetShardIterator',
- 'kinesis:ListShards',
- 'kinesis:PutRecord',
- 'kinesis:PutRecords',
- 'kinesis:SubscribeToShard');
+ const ret = this.grant(grantee, ...Array.from(new Set([...READ_OPERATIONS, ...WRITE_OPERATIONS])));
 if (this.encryptionKey) {
 this.encryptionKey.grantEncryptDecrypt(grantee);
diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json
index 52ee8ae503458..9a9921057f295 100644
--- a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json
+++ b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json
@@ -44,9 +44,9 @@
 "kinesis:GetRecords",
 "kinesis:GetShardIterator",
 "kinesis:ListShards",
+ "kinesis:SubscribeToShard",
 "kinesis:PutRecord",
- "kinesis:PutRecords",
- "kinesis:SubscribeToShard"
+ "kinesis:PutRecords"
 ],
 "Effect": "Allow",
 "Resource": {
diff --git a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
index f81253dc0096d..081e1c98fea6a 100644
--- a/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
+++ b/packages/@aws-cdk/aws-kinesis/test/test.stream.ts
@@ -868,9 +868,9 @@ export = {
 'kinesis:GetRecords',
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
+ 'kinesis:SubscribeToShard',
 'kinesis:PutRecord',
- 'kinesis:PutRecords',
- 'kinesis:SubscribeToShard'
+ 'kinesis:PutRecords'
 ],
 Effect: 'Allow',
 Resource: {
@@ -1114,9 +1114,9 @@ export = {
 'kinesis:GetRecords',
 'kinesis:GetShardIterator',
 'kinesis:ListShards',
+ 'kinesis:SubscribeToShard',
 'kinesis:PutRecord',
- 'kinesis:PutRecords',
- 'kinesis:SubscribeToShard'
+ 'kinesis:PutRecords'
 ],
 Effect: 'Allow',
 Resource: {
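Review bot: The inline dedup in `grantReadWrite` (the `@@ -160,16 +164,7 @@` hunk), `Array.from(new Set([...READ_OPERATIONS, ...WRITE_OPERATIONS]))`, is rebuilt on every call and hides the combined action list from anyone reading the two module-level constants, while the snapshot and unit-test updates in this same commit now pin the order that Set iteration happens to produce (`SubscribeToShard` before `PutRecord`). Hoist it next to the other two lists as `const READ_WRITE_OPERATIONS = Array.from(new Set([...READ_OPERATIONS, ...WRITE_OPERATIONS]));` and call `const ret = this.grant(grantee, ...READ_WRITE_OPERATIONS);`, with a comment that the resulting order is visible in synthesized policies and in the expected-JSON files. The method body starts before and ends after the hunk.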