feat(kinesis): grantRead now allows the ListShards action and grant is now public #6141

Merged Apr 8, 2020 (22 commits; diff below shows changes from 20 commits)

Commits:
- eb477c1 Adding listShards grants to read (reillykw, Feb 6, 2020)
- 061b04a Add ListShards to kinesis stream test (reillykw, Feb 6, 2020)
- 691f1c4 modified kinesis expected as generated by cdk-integ (reillykw, Feb 6, 2020)
- 52cdb49 Merge branch 'master' into kinesis-stream-permissions-list-shards (reillykw, Feb 6, 2020)
- f5adcf7 Added documentation for granting access to stream in README (reillykw, Mar 24, 2020)
- 066b6e9 Merge branch 'kinesis-stream-permissions-list-shards' of https://gith… (reillykw, Mar 24, 2020)
- 15a1db2 Merge branch 'master' into kinesis-stream-permissions-list-shards (reillykw, Mar 24, 2020)
- 8c415ff Merge branch 'master' into kinesis-stream-permissions-list-shards (reillykw, Mar 27, 2020)
- fcd7ea8 Merge branch 'master' into pr/reillykw/6141 (shivlaks, Apr 5, 2020)
- 7d582fc update integ tests (shivlaks, Apr 5, 2020)
- c353d98 update README (shivlaks, Apr 5, 2020)
- d427c0f update documentation on the grant method (shivlaks, Apr 5, 2020)
- 95d1b33 Merge branch 'master' into kinesis-stream-permissions-list-shards (shivlaks, Apr 6, 2020)
- 165b7a2 fix eslint errors for usage of double quotes (shivlaks, Apr 6, 2020)
- 9363df4 Merge branch 'master' into kinesis-stream-permissions-list-shards (mergify[bot], Apr 6, 2020)
- 4a898b7 update kinesis integ test (shivlaks, Apr 6, 2020)
- eedd36a updated permissions based on recommendations from Kinesis team (shivlaks, Apr 6, 2020)
- be01b97 update README (shivlaks, Apr 6, 2020)
- f0b05b8 update grants to include DescribeStreamSummary and SubscribeToShard A… (shivlaks, Apr 6, 2020)
- 59dd286 update logs-destinations tests to reflect write permissions (shivlaks, Apr 7, 2020)
- a7c79bc incorporate PR feedback (shivlaks, Apr 8, 2020)
- 4eddd0c Merge branch 'master' into kinesis-stream-permissions-list-shards (shivlaks, Apr 8, 2020)
65 changes: 65 additions & 0 deletions packages/@aws-cdk/aws-kinesis/README.md
Expand Up @@ -26,6 +26,9 @@ intake and aggregation.
- [Streams](#streams)
- [Encryption](#encryption)
- [Import](#import)
- [Permission Grants](#permission-grants)
- [Read Permissions](#read-permissions)
- [Write Permissions](#write-permissions)

## Streams

Expand Down Expand Up @@ -119,3 +122,65 @@ const importedStream = Stream.fromStreamAttributes(
}
);
```

### Permission Grants

IAM roles, users or groups which need to be able to work with Amazon Kinesis streams at runtime will should be granted IAM permissions. Any object that implements the `IGrantable`
interface (has an associated principal) can be granted permissions by calling:

- `grantRead(principal)` - grants the principal read access
- `grantWrite(principal)` - grants the principal write permissions to a Stream
- `grantReadWrite(principal)` - grants principal read and write permissions

#### Read Permissions

Grant `read` access to a stream by calling the `grantRead()` API.
If the stream has an encryption key, read permissions will also be granted to the key.

```ts
const lambdaRole = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
description: 'Example role...',
}

const stream = new Stream(this, 'MyEncryptedStream', {
encryption: StreamEncryption.KMS
});

// give lambda permissions to read stream
stream.grantRead(lambdaRole);
```

The following read permissions are provided to a service principal by the `grantRead()` API:

- `kinesis:DescribeStream`
- `kinesis:DescribeStreamSummary`
- `kinesis:GetRecords`
- `kinesis:GetShardIterator`
- `kinesis:ListShards`
- `kinesis:SubscribeToShard`

#### Write Permissions

Grant `write` permissions to a stream is provided by calling the `grantWrite()` API.
If the stream has an encryption key, write permissions will also be granted to the key.

```ts
const lambdaRole = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
description: 'Example role...',
}

const stream = new Stream(this, 'MyEncryptedStream', {
encryption: StreamEncryption.KMS
});

// give lambda permissions to write to stream
stream.grantWrite(lambdaRole);
```

The following write permissions are provided to a service principal by the `grantWrite()` API:

- `kinesis:ListShards`
- `kinesis:PutRecord`
- `kinesis:PutRecords`
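Review bot: the two TypeScript examples in this section do not compile as written: in both the read and the write block the `new iam.Role(this, 'Role', {` call is closed with a bare `}` after `description: 'Example role...',` and needs `});`. Fix the prose while here: "will should be granted" should be "should be granted", and "Grant `write` permissions to a stream is provided by calling the `grantWrite()` API" should read "Grant write permissions to a stream by calling the `grantWrite()` API". The action lists are introduced as what is "provided to a service principal", but these methods accept any `IGrantable` (role, user, group or service principal), so say "to the grantee". One security caveat belongs in the read section: `kinesis:SubscribeToShard` is evaluated by IAM against the consumer ARN (`<streamArn>/consumer/<name>`), not the stream ARN, so a reader should not conclude that `grantRead()` alone lets an enhanced fan-out consumer subscribe; the registered consumer still needs its own grant.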
25 changes: 21 additions & 4 deletions packages/@aws-cdk/aws-kinesis/lib/stream.ts
Expand Up @@ -115,7 +115,14 @@ abstract class StreamBase extends Resource implements IStream {
* contents of the stream will also be granted.
*/
public grantRead(grantee: iam.IGrantable) {
const ret = this.grant(grantee, 'kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator');
const ret = this.grant(
grantee,
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
'kinesis:ListShards',
'kinesis:SubscribeToShard');

if (this.encryptionKey) {
this.encryptionKey.grantDecrypt(grantee);
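Review bot: `kinesis:SubscribeToShard` is added here on the stream ARN, but IAM authorizes that action against the consumer ARN (`<streamArn>/consumer/<name>`), so on its own this line does not let a grantee use enhanced fan-out. Either extend the grant's resources with the consumer ARN pattern for this stream or state the limitation in the JSDoc above, which still only mentions the encryption key. `DescribeStreamSummary` and `ListShards` are stream-scoped and correct as granted; the JSDoc should also be updated to list the new actions so users can audit what a "read" grant now means.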
Expand All @@ -132,7 +139,11 @@ abstract class StreamBase extends Resource implements IStream {
* contents of the stream will also be granted.
*/
public grantWrite(grantee: iam.IGrantable) {
const ret = this.grant(grantee, 'kinesis:DescribeStream', 'kinesis:PutRecord', 'kinesis:PutRecords');
const ret = this.grant(
grantee,
'kinesis:ListShards',
'kinesis:PutRecord',
'kinesis:PutRecords');

if (this.encryptionKey) {
this.encryptionKey.grantEncrypt(grantee);
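Review bot: this is a behavioural change for every existing stack that calls `grantWrite()`: `kinesis:DescribeStream` is dropped (`'kinesis:DescribeStream', 'kinesis:PutRecord', 'kinesis:PutRecords'` becomes `ListShards`/`PutRecord`/`PutRecords`), so a producer that calls DescribeStream today, for example to discover shards before putting records, will start receiving AccessDenied after redeploy. If dropping it is intentional because `ListShards` is the recommended replacement, say so in the JSDoc and flag it as a breaking change in the PR description and changelog; otherwise keep `DescribeStream` in the write set next to `ListShards`.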
Expand All @@ -152,10 +163,13 @@ abstract class StreamBase extends Resource implements IStream {
const ret = this.grant(
grantee,
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
'kinesis:ListShards',
'kinesis:PutRecord',
'kinesis:PutRecords');
'kinesis:PutRecords',
'kinesis:SubscribeToShard');

if (this.encryptionKey) {
this.encryptionKey.grantEncryptDecrypt(grantee);
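Review bot: `grantReadWrite` is now a third hand-maintained copy of the action names, and this PR had to edit all three lists in lockstep to keep it equal to the union of `grantRead` and `grantWrite`. Pull the names into two module-level constants (say `READ_OPERATIONS` and `WRITE_OPERATIONS`, names assumed) and build this call's argument list from their union, so the three grants cannot drift apart in a later change; the test expectations can then be derived from the same constants instead of repeating the list eight times.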
Expand All @@ -164,7 +178,10 @@ abstract class StreamBase extends Resource implements IStream {
return ret;
}

private grant(grantee: iam.IGrantable, ...actions: string[]) {
/**
* Grant the indicated permissions on this stream to the given IAM principal (Role/Group/User).
*/
public grant(grantee: iam.IGrantable, ...actions: string[]) {
return iam.Grant.addToPrincipal({
grantee,
actions,
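Review bot: promoting `grant` from private to public needs a more precise JSDoc than "the indicated permissions on this stream": state that every action passed is attached to this stream's ARN only (the tests below show `Resource: Fn::GetAtt [MyStream..., Arn]`), so it cannot be used for actions IAM does not scope to a stream (`kinesis:ListStreams` requires resource `*`, `kinesis:SubscribeToShard` requires the consumer ARN), and that nothing here validates the action strings, so callers must pass real `kinesis:` action names. If `IStream` does not already declare a matching `grant` signature it should, and the README's new Permission Grants section should document `grant()` since the PR title advertises it as a feature.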
Expand Up @@ -40,10 +40,13 @@
{
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator",
"kinesis:ListShards",
"kinesis:PutRecord",
"kinesis:PutRecords"
"kinesis:PutRecords",
"kinesis:SubscribeToShard"
],
"Effect": "Allow",
"Resource": {
45 changes: 38 additions & 7 deletions packages/@aws-cdk/aws-kinesis/test/test.stream.ts
Expand Up @@ -305,7 +305,6 @@ export = {
},

'encryption key cannot be supplied with UNENCRYPTED as the encryption type'(test: Test) {

const stack = new Stack();
const key = new kms.Key(stack, 'myKey');

Expand Down Expand Up @@ -608,7 +607,14 @@ export = {
PolicyDocument: {
Statement: [
{
Action: ['kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator'],
Action: [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
'kinesis:ListShards',
'kinesis:SubscribeToShard'
],
Effect: 'Allow',
Resource: {
'Fn::GetAtt': ['MyStream5C050E93', 'Arn']
Expand Down Expand Up @@ -732,7 +738,7 @@ export = {
PolicyDocument: {
Statement: [
{
Action: ['kinesis:DescribeStream', 'kinesis:PutRecord', 'kinesis:PutRecords'],
Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'],
Effect: 'Allow',
Resource: {
'Fn::GetAtt': ['MyStream5C050E93', 'Arn']
Expand Down Expand Up @@ -856,7 +862,16 @@ export = {
PolicyDocument: {
Statement: [
{
Action: ['kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:PutRecord', 'kinesis:PutRecords'],
Action: [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
'kinesis:ListShards',
'kinesis:PutRecord',
'kinesis:PutRecords',
'kinesis:SubscribeToShard'
],
Effect: 'Allow',
Resource: {
'Fn::GetAtt': ['MyStream5C050E93', 'Arn']
Expand Down Expand Up @@ -924,7 +939,14 @@ export = {
PolicyDocument: {
Statement: [
{
Action: ['kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator'],
Action: [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
'kinesis:ListShards',
'kinesis:SubscribeToShard'
],
Effect: 'Allow',
Resource: {
'Fn::GetAtt': ['MyStream5C050E93', 'Arn']
Expand Down Expand Up @@ -1005,7 +1027,7 @@ export = {
PolicyDocument: {
Statement: [
{
Action: ['kinesis:DescribeStream', 'kinesis:PutRecord', 'kinesis:PutRecords'],
Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'],
Effect: 'Allow',
Resource: {
'Fn::GetAtt': ['MyStream5C050E93', 'Arn']
Expand Down Expand Up @@ -1086,7 +1108,16 @@ export = {
PolicyDocument: {
Statement: [
{
Action: ['kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:PutRecord', 'kinesis:PutRecords'],
Action: [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
'kinesis:ListShards',
'kinesis:PutRecord',
'kinesis:PutRecords',
'kinesis:SubscribeToShard'
],
Effect: 'Allow',
Resource: {
'Fn::GetAtt': ['MyStream5C050E93', 'Arn']
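Review bot: every expectation in this file pins the exact action list, which is right, but no test exercises the newly public `grant()` with a caller-supplied action. Add one that calls `stream.grant(role, 'kinesis:DescribeStreamConsumer')` (action chosen for illustration) and asserts that the resulting statement carries exactly that action on the `MyStream5C050E93` ARN, otherwise the visibility change in stream.ts ships untested. A dedicated test asserting that `grantWrite()` no longer emits `kinesis:DescribeStream` would also document the removal, which is the part of this PR most likely to surprise users.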
Expand Up @@ -39,8 +39,11 @@
{
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
"kinesis:GetShardIterator",
"kinesis:ListShards",
"kinesis:SubscribeToShard"
],
"Effect": "Allow",
"Resource": {
Expand Up @@ -53,8 +53,11 @@
{
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
"kinesis:GetShardIterator",
"kinesis:ListShards",
"kinesis:SubscribeToShard"
],
"Effect": "Allow",
"Resource": {
Expand Up @@ -27,8 +27,11 @@ export = {
{
'Action': [
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:GetRecords',
'kinesis:GetShardIterator'
'kinesis:GetShardIterator',
'kinesis:ListShards',
'kinesis:SubscribeToShard'
],
'Effect': 'Allow',
'Resource': {
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-logs-destinations/test/kinesis.test.ts
Expand Up @@ -51,7 +51,7 @@ test('stream can be subscription destination', () => {
Statement: [
{
Action: [
'kinesis:DescribeStream',
'kinesis:ListShards',
'kinesis:PutRecord',
'kinesis:PutRecords',
],
Expand Down Expand Up @@ -122,7 +122,7 @@ test('stream can be subscription destination twice, without duplicating permissi
Statement: [
{
Action: [
'kinesis:DescribeStream',
'kinesis:ListShards',
'kinesis:PutRecord',
'kinesis:PutRecords',
],
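Review bot: these two expectations show the `grantWrite()` change leaking into another package's deployed behaviour: the CloudWatch Logs subscription delivery role created by `aws-logs-destinations` loses `kinesis:DescribeStream` and gains `kinesis:ListShards` on the next deploy. Log delivery only puts records, so the swap should be harmless, but it needs a changelog entry for this package as well. The assertion would also be less brittle if it checked that the statement contains `kinesis:PutRecord` and `kinesis:PutRecords` on the stream ARN rather than the full list, so that future tuning of the Kinesis write set does not break a test here.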