Amazon Kinesis Analytics
Developer Guide

Granting Amazon Kinesis Analytics Permissions to Access Streaming Sources (Creating an IAM Role)

Amazon Kinesis Analytics needs permissions to read records from a streaming source that you specify in your application input configuration. Amazon Kinesis Analytics also needs permissions to write your application output to streams that you specify in your application output configuration.

You can grant these permissions by creating an IAM role that Amazon Kinesis Analytics can assume. Permissions that you grant to this role determine what Amazon Kinesis Analytics can do when the service assumes the role.


The information in this section is useful if you want to create an IAM role yourself. When you create an application in the Amazon Kinesis Analytics console, the console can create an IAM role for you at that time. The console uses the following naming convention for IAM roles that it creates:


After the role is created, you can review the role and attached policies in the IAM console.

Each IAM role has two policies attached to it. In the trust policy, you specify who can assume the role. In the permissions policy (there can be one or more), you specify the permissions that you want to grant to this role. The following sections describe these policies, which you can use when you create an IAM role.

Trust Policy

To grant Amazon Kinesis Analytics permissions to assume a role, you can attach the following trust policy to an IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ""
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permissions Policy

If you are creating an IAM role to allow Amazon Kinesis Analytics to read from an application's streaming source, you must grant permissions for the relevant read actions. Depending on your streaming source (for example, a Kinesis stream or a Kinesis Firehose delivery stream), you can attach one of the following permissions policies.

Permissions Policy for Reading a Kinesis Stream

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadInputKinesis",
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStream",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords"
      ],
      "Resource": [
        "arn:aws:kinesis:aws-region:aws-account-id:stream/inputStreamName"
      ]
    }
  ]
}

Permissions Policy for Reading a Kinesis Firehose Delivery Stream

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadInputFirehose",
      "Effect": "Allow",
      "Action": [
        "firehose:DescribeDeliveryStream",
        "firehose:Get*"
      ],
      "Resource": [
        "arn:aws:firehose:aws-region:aws-account-id:deliverystream/inputFirehoseName"
      ]
    }
  ]
}

If you direct Amazon Kinesis Analytics to write output to external destinations in your application output configuration, you need to grant the following permissions to the IAM role.

Permissions Policy for Writing to a Kinesis Stream

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOutputKinesis",
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStream",
        "kinesis:PutRecord",
        "kinesis:PutRecords"
      ],
      "Resource": [
        "arn:aws:kinesis:aws-region:aws-account-id:stream/output-stream-name"
      ]
    }
  ]
}

Permissions Policy for Writing to a Firehose Delivery Stream

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOutputFirehose",
      "Effect": "Allow",
      "Action": [
        "firehose:DescribeDeliveryStream",
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": [
        "arn:aws:firehose:aws-region:aws-account-id:deliverystream/output-firehose-name"
      ]
    }
  ]
}
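As an added example that is not part of this guide or of any AWS-provided tooling, the following Python generates the trust policy and a permissions policy scoped to exactly the input and output streams you name, and checks a policy for the over-broad grants (a bare "*" resource or a whole-service action such as "kinesis:*") that a least-privilege role should never carry. The service principal for the trust policy is passed in by the caller because this page does not state it; the stream ARNs in the test are constructed sample values.

```python
import re

# Actions the guide grants per source/destination type (added example, not AWS code).
READ_ACTIONS = {
    "kinesis": ["kinesis:DescribeStream", "kinesis:GetShardIterator", "kinesis:GetRecords"],
    "firehose": ["firehose:DescribeDeliveryStream", "firehose:Get*"],
}
WRITE_ACTIONS = {
    "kinesis": ["kinesis:DescribeStream", "kinesis:PutRecord", "kinesis:PutRecords"],
    "firehose": ["firehose:DescribeDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch"],
}
# A concrete stream ARN; the service segment selects the action set. Wildcards do not match.
ARN_RE = re.compile(r"^arn:aws:(kinesis|firehose):[a-z0-9-]+:\d{12}:(stream|deliverystream)/[\w.-]+$")

def service_of(arn):
    """Return 'kinesis' or 'firehose' for a concrete stream ARN; reject wildcards and typos."""
    match = ARN_RE.match(arn)
    if not match:
        raise ValueError("not a concrete Kinesis/Firehose ARN: %r" % arn)
    return match.group(1)

def trust_policy(service_principal):
    """Trust policy in the guide's shape; the service principal is supplied by the caller."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": service_principal},
        "Action": "sts:AssumeRole",
    }]}

def permissions_policy(input_arn, output_arns=()):
    """Permissions policy scoped to one input stream and the listed output streams only."""
    svc = service_of(input_arn)
    statements = [{"Sid": "ReadInput" + svc.capitalize(), "Effect": "Allow",
                   "Action": READ_ACTIONS[svc], "Resource": [input_arn]}]
    for n, arn in enumerate(output_arns, start=1):
        svc = service_of(arn)
        statements.append({"Sid": "WriteOutput%s%d" % (svc.capitalize(), n), "Effect": "Allow",
                           "Action": WRITE_ACTIONS[svc], "Resource": [arn]})
    return {"Version": "2012-10-17", "Statement": statements}

def overbroad_sids(policy):
    """Sids of Allow statements with a bare '*' resource or a whole-service action wildcard."""
    bad = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st.get("Effect") == "Allow" and (
                "*" in resources or any(a == "*" or a.endswith(":*") for a in actions)):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad
```

Note that "firehose:Get*" from the guide is a prefix wildcard and is deliberately not flagged; only "*" and "service:*" are.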