Using Identity-Based Policies (IAM Policies) for Amazon Kinesis Data Analytics
This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform operations on Amazon Kinesis Data Analytics resources.
Important
We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your Amazon Kinesis Data Analytics resources. For more information, see Overview of Managing Access Permissions to Your Amazon Kinesis Data Analytics Resources.
Topics
The following shows an example of a permissions policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1473028104000", "Effect": "Allow", "Action": [ "kinesisanalytics:CreateApplication" ], "Resource": [ "*" ] } ] }
The policy has one statement:
-
The first statement grants permissions for one Amazon Kinesis Data Analytics action (
kinesisanalytics:CreateApplication) on a resource using the Amazon Resource Name (ARN) for the application. The ARN in this case specifies a wildcard character (*) to indicate that the permission is granted for any resource.
For a table showing all of the Amazon Kinesis Data Analytics API operations and the resources that they apply to, see Amazon Kinesis Data Analytics API Permissions: Actions, Permissions, and Resources Reference.
Permissions Required to Use the Amazon Kinesis Data Analytics Console
For a user to work with Amazon Kinesis Data Analytics console, you need to grant the requisite permissions. For example, if you want to grant a user permission to create an application, you need to grant permissions that will show the user the streaming sources in the account so that the user can configure input and output in the console.
We recommend the following:
-
Use the AWS managed policies to grant user permissions. For available policies, see AWS Managed (Predefined) Policies for Amazon Kinesis Data Analytics.
-
Create custom policies. In this case, we recommend that you review the example provided in this section. For more information, see Customer Managed Policy Examples.
AWS Managed (Predefined) Policies for Amazon Kinesis Data Analytics
AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.
The following AWS managed policies, which you can attach to users in your account, are specific to Amazon Kinesis Data Analytics:
-
AmazonKinesisAnalyticsReadOnly – Grants permissions for Amazon Kinesis Data Analytics actions that enable a user to list Amazon Kinesis Data Analytics applications and review input/output configuration. It also grants permissions that allow a user to view a list of Kinesis streams and Kinesis Data Firehose delivery streams. As the application is running, the user can view source data and real-time analytics results in the console.
-
AmazonKinesisAnalyticsFullAccess – Grants permissions for all Amazon Kinesis Data Analytics actions and all other permissions that allows a user to create and manage Amazon Kinesis Data Analytics applications. However, note the following:
-
These permissions are not sufficient if the user wants to create a new IAM role in the console (these permissions allow the user to select an existing role). If you want the user to be able to create an IAM role in the console, add the
IAMFullAccessAWS managed policy. -
A user must have permission for the
iam:PassRoleaction to specify an IAM role when configuring Amazon Kinesis Data Analytics application. This AWS managed policy grants permission for theiam:PassRoleaction to the user only on the IAM roles that start with the prefixservice-role/kinesis-analytics.If the user wants to configure the Amazon Kinesis Data Analytics application with a role that does not have this prefix, you first need to explicitly grant the user permission for the
iam:PassRoleaction on the specific role.
-
Note
You can review these permissions policies by signing in to the IAM console and searching for specific policies there.
You can also create your own custom IAM policies to allow permissions for Amazon Kinesis Data Analytics actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.
Customer Managed Policy Examples
The examples in this section provide a group of sample policies that you can attach to a user. If you are new to creating policies, we recommend that you first create an IAM user in your account and attach the policies to the user in sequence, as outlined in the steps in this section. You can then use the console to verify the effects of each policy as you attach the policy to the user.
Initially, the user doesn't have permissions and won't be able to do anything in the console. As you attach policies to the user, you can verify that the user can perform various actions in the console.
We recommend that you use two browser windows: one to create the user and grant permissions, and the other to sign in to the AWS Management Console using the user's credentials and verify permissions as you grant them to the user.
For examples that show how to create an IAM role that you can use as an execution role for your Amazon Kinesis Data Analytics application, see Creating IAM Roles in the IAM User Guide.
Example Steps
- Step 1: Create an IAM User
- Step 2: Allow the User Permissions for Actions that Are Not Specific to Amazon Kinesis Data Analytics
- Step 3: Allow the User to View a List of Applications and View Details
- Step 4: Allow the User to Start a Specific Application
- Step 5: Allow the User to Create an Amazon Kinesis Data Analytics Application
- Step 6: Allow the Application to Use Lambda Preprocessing
Step 1: Create an IAM User
First, you need to create an IAM user, add the user to an IAM group with administrative permissions, and then grant administrative permissions to the IAM user that you created. You can then access AWS using a special URL and that IAM user's credentials.
For instructions, see Creating Your First IAM User and Administrators Group in the IAM User Guide.
Step 2: Allow the User Permissions for Actions that Are Not Specific to Amazon Kinesis Data Analytics
First, grant a user permission for all actions that aren't specific to Amazon Kinesis Data Analytics that the user will need when working with Amazon Kinesis Data Analytics applications. These include permissions for working with streams (Amazon Kinesis Data Streams actions, Amazon Kinesis Data Firehose actions), and permissions for CloudWatch actions. Attach the following policy to the user.
You need to update the policy by providing an IAM role name for which you
want to grant the iam:PassRole permission, or specify a wildcard character (*) indicating all IAM
roles. This is not a secure practice; however you might not have a specific IAM role
created during this testing.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kinesis:CreateStream", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:ListStreams", "kinesis:PutRecord", "kinesis:PutRecords" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics" ], "Resource": "*" }, { "Effect": "Allow", "Action": "logs:GetLogEvents", "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:ListPolicyVersions", "iam:ListRoles" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/role-name" } ] }
Step 3: Allow the User to View a List of Applications and View Details
The following policy grants a user the following permissions:
-
Permission for the
kinesisanalytics:ListApplicationsaction so the user can view a list of applications. Note that this is a service-level API call, and therefore you specify "*" as the Resource value. -
Permission for the
kinesisanalytics:DescribeApplicationaction so that you can get information about any of the applications.
Add this policy to the user.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kinesisanalytics:ListApplications" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kinesisanalytics:DescribeApplication" ], "Resource": "arn:aws:kinesisanalytics:aws-region:aws-account-id:application/*" } ] }
Verify these permissions by signing into the Amazon Kinesis Data Analytics console using the IAM user credentials.
Step 4: Allow the User to Start a Specific Application
If you want the user to be able to start one of the existing Amazon Kinesis Data Analytics
applications, you attach the following policy to the user, which provides the
permission for kinesisanalytics:StartApplication action. You will
need to update the policy by providing your account ID, AWS Region, and
application name.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kinesisanalytics:StartApplication" ], "Resource": "arn:aws:kinesisanalytics:aws-region:aws-account-id:application/application-name" } ] }
Step 5: Allow the User to Create an Amazon Kinesis Data Analytics Application
Now suppose you want the user to create an Amazon Kinesis Data Analytics application. You can then attach the following policy to the user. You will need to update the policy and provide an AWS Region, your account ID, and either a specific application name that you want the user to create or a "*" so the user can specify any application name (and thus the user can create multiple applications).
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1473028104000", "Effect": "Allow", "Action": [ "kinesisanalytics:CreateApplication" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "kinesisanalytics:StartApplication", "kinesisanalytics:UpdateApplication", "kinesisanalytics:AddApplicationInput", "kinesisanalytics:AddApplicationOutput" ], "Resource": "arn:aws:kinesisanalytics:aws-region:aws-account-id:application/application-name" } ] }
Step 6: Allow the Application to Use Lambda Preprocessing
If you want the application to be able to use Lambda preprocessing, you can attach the following policy to the role. For more information on Lambda preprocessing, see Preprocessing Data Using a Lambda Function.
{ "Sid": "UseLambdaFunction", "Effect": "Allow", "Action": [ "lambda:InvokeFunction", "lambda:GetFunctionConfiguration" ], "Resource": "<FunctionARN>" }
