feat(kinesis): grantRead now allows the ListShards action and grant is now public #6141

Merged 22 commits, Apr 8, 2020
Changes from 8 commits

Commits (22)
eb477c1  Adding listShards grants to read  (reillykw, Feb 6, 2020)
061b04a  Add ListShards to kinesis stream test  (reillykw, Feb 6, 2020)
691f1c4  modified kinesis expected as generated by cdk-integ  (reillykw, Feb 6, 2020)
52cdb49  Merge branch 'master' into kinesis-stream-permissions-list-shards  (reillykw, Feb 6, 2020)
f5adcf7  Added documentation for granting access to stream in README  (reillykw, Mar 24, 2020)
066b6e9  Merge branch 'kinesis-stream-permissions-list-shards' of https://gith…  (reillykw, Mar 24, 2020)
15a1db2  Merge branch 'master' into kinesis-stream-permissions-list-shards  (reillykw, Mar 24, 2020)
8c415ff  Merge branch 'master' into kinesis-stream-permissions-list-shards  (reillykw, Mar 27, 2020)
fcd7ea8  Merge branch 'master' into pr/reillykw/6141  (shivlaks, Apr 5, 2020)
7d582fc  update integ tests  (shivlaks, Apr 5, 2020)
c353d98  update README  (shivlaks, Apr 5, 2020)
d427c0f  update documentation on the grant method  (shivlaks, Apr 5, 2020)
95d1b33  Merge branch 'master' into kinesis-stream-permissions-list-shards  (shivlaks, Apr 6, 2020)
165b7a2  fix eslint errors for usage of double quotes  (shivlaks, Apr 6, 2020)
9363df4  Merge branch 'master' into kinesis-stream-permissions-list-shards  (mergify[bot], Apr 6, 2020)
4a898b7  update kinesis integ test  (shivlaks, Apr 6, 2020)
eedd36a  updated permissions based on recommendations from Kinesis team  (shivlaks, Apr 6, 2020)
be01b97  update README  (shivlaks, Apr 6, 2020)
f0b05b8  update grants to include DescribeStreamSummary and SubscribeToShard A…  (shivlaks, Apr 6, 2020)
59dd286  update logs-destinations tests to reflect write permissions  (shivlaks, Apr 7, 2020)
a7c79bc  incorporate PR feedback  (shivlaks, Apr 8, 2020)
4eddd0c  Merge branch 'master' into kinesis-stream-permissions-list-shards  (shivlaks, Apr 8, 2020)
21 changes: 21 additions & 0 deletions packages/@aws-cdk/aws-kinesis/README.md
Expand Up @@ -48,3 +48,24 @@ const stream = new Stream(this, 'MyEncryptedStream', {

assert(stream.encryptionKey === myKmsKey);
```

### Granting IAM Permissions on Stream to Grantable

Read and Write iam actions can be added to a iam.IGrantable. If the stream has an encryption key attributed, access
to encrypt and/or decrypt with the encryption key will also be added to the grantable. There are three instance methods
available on a Stream object:
*.grantWrite(grantee: iam.IGrantable)
*.grantRead(grantee: iam.IGrantable)
*.grantReadWrite(grantee: iam.IGrantable)
```ts
const grantable = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
description: 'Example role...',
}

const stream = new Stream(this, 'MyEncryptedStream', {
encryption: StreamEncryption.Kms
});

stream.grantRead(grantable);
```
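Review bot: the README example in this hunk does not parse: `new iam.Role(this, 'Role', { ... }` closes the props object but never closes the constructor call, so the line reading `}` should be `});`. Two smaller points in the same hunk: the bullet lines `*.grantWrite(grantee: iam.IGrantable)` have no space after the `*`, so Markdown will not render them as a list (write `* ` followed by the method signature in backticks), and "Read and Write iam actions can be added to a iam.IGrantable" should read "Read and write IAM actions can be granted to an `iam.IGrantable`". It would also help readers to list which actions each method grants, since this PR widens `grantRead` to include `kinesis:ListShards` and the README is where people go to check what a grant actually hands out.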
8 changes: 6 additions & 2 deletions packages/@aws-cdk/aws-kinesis/lib/stream.ts
Expand Up @@ -114,7 +114,7 @@ abstract class StreamBase extends Resource implements IStream {
* contents of the stream will also be granted.
*/
public grantRead(grantee: iam.IGrantable) {
const ret = this.grant(grantee, 'kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator');
const ret = this.grant(grantee, 'kinesis:DescribeStream', 'kinesis:GetRecords', 'kinesis:GetShardIterator', 'kinesis:ListShards');

if (this.encryptionKey) {
this.encryptionKey.grantDecrypt(grantee);
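Review bot: the JSDoc just above this hunk (ending "contents of the stream will also be granted.") still describes the old action set; since `grantRead` now also grants `kinesis:ListShards`, say so in the comment so API consumers see the widening without reading the source. The widened call line is also much longer than its neighbours; consider the one-action-per-line layout that `grantReadWrite` already uses in the next hunk.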
Expand Down Expand Up @@ -153,6 +153,7 @@ abstract class StreamBase extends Resource implements IStream {
'kinesis:DescribeStream',
'kinesis:GetRecords',
'kinesis:GetShardIterator',
'kinesis:ListShards',
'kinesis:PutRecord',
'kinesis:PutRecords');
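Review bot: the read-action list (`kinesis:DescribeStream`, `kinesis:GetRecords`, `kinesis:GetShardIterator`, `kinesis:ListShards`) is now duplicated verbatim between `grantRead` and `grantReadWrite`, and this PR had to touch both places to add a single action. Extracting a shared constant (for example `READ_ACTIONS`, name is a suggestion) and spreading it into both calls would keep the two grants from drifting apart, which matters here because a drift silently changes what an IAM principal is allowed to do on the stream.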

Expand All @@ -163,7 +164,10 @@ abstract class StreamBase extends Resource implements IStream {
return ret;
}

private grant(grantee: iam.IGrantable, ...actions: string[]) {
/**
* Grant the indicated permissions on this key to the given IAM principal (Role/Group/User).
*/
public grant(grantee: iam.IGrantable, ...actions: string[]) {
return iam.Grant.addToPrincipal({
grantee,
actions,
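Review bot: the new JSDoc says "on this key", which reads as copied from the KMS key grant; this is a stream, so it should say "on this stream". Also, since `grant` is now public and the hunk header shows `StreamBase implements IStream`, decide whether `grant` belongs on the `IStream` interface as well; otherwise code holding an imported `IStream` cannot call it while concrete `Stream` instances can, which is an inconsistent public surface. Finally, the `actions` rest parameter goes straight into `iam.Grant.addToPrincipal` without any validation, so the doc comment should make clear that the caller is responsible for passing only the `kinesis:` actions it intends to grant.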
Expand Down
11 changes: 8 additions & 3 deletions packages/@aws-cdk/aws-kinesis/test/test.stream.ts
Expand Up @@ -372,7 +372,8 @@ export = {
"Action": [
"kinesis:DescribeStream",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
"kinesis:GetShardIterator",
"kinesis:ListShards"
],
"Effect": "Allow",
"Resource": {
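Review bot: the expectations in this file are updated for the read and read/write grants, but no hunk covers the `grantWrite` case, so nothing asserts that the write-only grant still excludes `kinesis:ListShards` (and the other read actions). A negative assertion on the write policy would pin down that the widening applies only to the read paths. The same `Action` array is also repeated by hand across several test cases in this file; a shared expected-actions constant would cut the churn the next time an action is added.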
Expand Down Expand Up @@ -666,6 +667,7 @@ export = {
"kinesis:DescribeStream",
"kinesis:GetRecords",
"kinesis:GetShardIterator",
"kinesis:ListShards",
"kinesis:PutRecord",
"kinesis:PutRecords"
],
Expand Down Expand Up @@ -738,7 +740,8 @@ export = {
"Action": [
"kinesis:DescribeStream",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
"kinesis:GetShardIterator",
"kinesis:ListShards"
],
"Effect": "Allow",
"Resource": {
Expand Down Expand Up @@ -847,6 +850,7 @@ export = {
"kinesis:DescribeStream",
"kinesis:GetRecords",
"kinesis:GetShardIterator",
"kinesis:ListShards",
"kinesis:PutRecord",
"kinesis:PutRecords"
],
Expand Down Expand Up @@ -925,7 +929,8 @@ export = {
"Action": [
"kinesis:DescribeStream",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
"kinesis:GetShardIterator",
"kinesis:ListShards"
],
"Effect": "Allow",
"Resource": {
Expand Down
Expand Up @@ -40,7 +40,8 @@
"Action": [
"kinesis:DescribeStream",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
"kinesis:GetShardIterator",
"kinesis:ListShards"
],
"Effect": "Allow",
"Resource": {
Expand Down
Expand Up @@ -28,7 +28,8 @@ export = {
"Action": [
"kinesis:DescribeStream",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
"kinesis:GetShardIterator",
"kinesis:ListShards"
],
"Effect": "Allow",
"Resource": {
Expand Down