Amazon Kinesis Data Analytics
Developer Guide

Identity and Access Management in Amazon Kinesis Data Analytics for Java Applications

Amazon Kinesis Data Analytics needs permissions to read records from a streaming source that you specify in your application configuration. Amazon Kinesis Data Analytics also needs permissions to write your application output to sinks that you specify in your application configuration.

You can grant these permissions by creating an IAM role that Amazon Kinesis Data Analytics can assume. Permissions that you grant to this role determine what Amazon Kinesis Data Analytics can do when the service assumes the role.


The information in this section is useful if you want to create an IAM role yourself. When you create an application in the Amazon Kinesis Data Analytics console, the console can create an IAM role for you at that time. The console uses the following naming convention for IAM roles that it creates:


After the role is created, you can review the role and attached policies in the AWS Identity and Access Management (IAM) console.

Each IAM role has two policies attached to it. In the trust policy, you specify who can assume the role. In the permissions policy (there can be one or more), you specify the permissions that you want to grant to this role. The following sections describe these policies, which you can use when you create an IAM role.

Trust Policy

To grant Amazon Kinesis Data Analytics permissions to assume a role to access a streaming or reference source, you can attach the following trust policy to an IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": ""
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Permissions Policy

If you are creating an IAM role to allow Amazon Kinesis Data Analytics to read from an application's streaming source, you must grant permissions for relevant read actions. Depending on your source (for example, a Kinesis data stream, a Kinesis Data Firehose delivery stream, or a reference source in an Amazon S3 bucket), you can attach the following permissions policy.

Permissions Policy for Reading a Kinesis Data Stream

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadInputKinesis",
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kinesis:ListShards"
            ],
            "Resource": [
                "arn:aws:kinesis:aws-region:aws-account-id:stream/inputStreamName"
            ]
        }
    ]
}

Permissions Policy for Writing to a Kinesis Data Stream

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteOutputKinesis",
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStream",
                "kinesis:PutRecord",
                "kinesis:PutRecords"
            ],
            "Resource": [
                "arn:aws:kinesis:aws-region:aws-account-id:stream/output-stream-name"
            ]
        }
    ]
}

Permissions Policy for Writing to a Kinesis Data Firehose Delivery Stream

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteOutputFirehose",
            "Effect": "Allow",
            "Action": [
                "firehose:DescribeDeliveryStream",
                "firehose:PutRecord",
                "firehose:PutRecordBatch"
            ],
            "Resource": [
                "arn:aws:firehose:aws-region:aws-account-id:deliverystream/output-firehose-name"
            ]
        }
    ]
}

Permissions Policy for Reading from an Amazon S3 Bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}
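
The following Python check is an added example, not part of the AWS guide. It reviews the trust and permissions policies shown on this page before they are attached to a role, flagging Allow statements with wildcard actions, `"Resource": "*"`, or an empty or wildcard principal. The function name `audit_policy` and the finding strings are illustrative assumptions.

```python
import json

# Policies copied from this page (placeholders such as aws-region left as-is).
S3_READ = json.loads("""{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "s3:Get*", "s3:List*" ], "Resource": "*" } ] }""")
KINESIS_READ = json.loads("""{ "Version": "2012-10-17", "Statement": [ {
  "Sid": "ReadInputKinesis", "Effect": "Allow",
  "Action": [ "kinesis:DescribeStream", "kinesis:GetShardIterator",
              "kinesis:GetRecords", "kinesis:ListShards" ],
  "Resource": [ "arn:aws:kinesis:aws-region:aws-account-id:stream/inputStreamName" ] } ] }""")
TRUST = json.loads("""{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Principal": { "Service": "" }, "Action": "sts:AssumeRole" } ] }""")


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, finding) tuples for overly broad Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((i, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "resource * (not scoped to an ARN)"))
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append((i, "principal *"))
        elif isinstance(principal, dict):
            for kind, names in principal.items():
                for name in _as_list(names):
                    if name in ("", "*"):
                        findings.append((i, f"{kind} principal is empty or *"))
    return findings


if __name__ == "__main__":
    for label, doc in [("trust", TRUST), ("kinesis-read", KINESIS_READ), ("s3-read", S3_READ)]:
        for idx, finding in audit_policy(doc):
            print(f"{label}: statement {idx}: {finding}")
```

The Kinesis read policy passes because its actions are enumerated and its resource is a single stream ARN; the S3 read policy is flagged on both counts, and the trust policy is flagged because its `Service` value is empty as shown on this page.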