Stream permissions in QLDB - Amazon Quantum Ledger Database (Amazon QLDB)

Stream permissions in QLDB

Before creating an Amazon QLDB stream, you must provide QLDB with write permissions to your specified Amazon Kinesis Data Streams resource. If you're using a customer managed AWS KMS key for server-side encryption of your Kinesis stream, you must also provide QLDB with permissions to use your specified symmetric key. Kinesis Data Streams doesn't support asymmetric KMS keys.

To provide your QLDB stream with the necessary permissions, you can make QLDB assume an IAM role with the appropriate permissions policies. An IAM role is an IAM identity that you can create in your AWS account that has specific permissions. You can use an IAM role in your account to grant an AWS service permissions to access your account's resources.

Note

To pass a role to QLDB when requesting a journal stream, you must have permissions to perform the iam:PassRole action on the IAM role resource. This is in addition to the qldb:StreamJournalToKinesis permission on the QLDB ledger resource.

To learn how to control access to QLDB using IAM, see How Amazon QLDB works with IAM. For a QLDB policy example, see Identity-based policy examples for Amazon QLDB.

In this example, you create a role that allows QLDB to write data records to a Kinesis data stream on your behalf. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

If you're streaming a QLDB journal in your AWS account for the first time, you must first create an IAM role with the appropriate policies by doing the following. Or, you can use the QLDB console to automatically create the role for you. Otherwise, you can choose a role that you previously created.

Create a permissions policy

Complete the following steps to create a permissions policy for a QLDB stream. This example shows a Kinesis Data Streams policy that grants QLDB permissions to write data records to your specified Kinesis data stream. If applicable, the example also shows a key policy that allows QLDB to use your symmetric KMS key.

For more information about Kinesis Data Streams policies, see Controlling access to Amazon Kinesis Data Streams resources using IAM and Permissions to use user-generated KMS keys in the Amazon Kinesis Data Streams Developer Guide. To learn more about AWS KMS key policies, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

Note

Your Kinesis data stream and KMS key must both be in the same AWS Region and account as your QLDB ledger.

To use the JSON policy editor to create a policy

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. At the top of the page, choose Create policy.

  4. Choose the JSON tab.

  5. Enter a JSON policy document.

    • If you're using a customer managed KMS key for server-side encryption of your Kinesis stream, use the following example policy document. To use this policy, replace us-east-1, 123456789012, kinesis-stream-name, and 1234abcd-12ab-34cd-56ef-1234567890ab in the example with your own information.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBStreamKinesisPermissions", "Action": [ "kinesis:PutRecord*", "kinesis:DescribeStream", "kinesis:ListShards" ], "Effect": "Allow", "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/kinesis-stream-name" }, { "Sid": "QLDBStreamKMSPermission", "Action": [ "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ] }
    • Otherwise, use the following example policy document. To use this policy, replace us-east-1, 123456789012, and kinesis-stream-name in the example with your own information.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBStreamKinesisPermissions", "Action": [ "kinesis:PutRecord*", "kinesis:DescribeStream", "kinesis:ListShards" ], "Effect": "Allow", "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/kinesis-stream-name" } ] }
  6. Choose Review policy.

    Note

    You can switch between the Visual editor and JSON tabs at any time. However, if you make changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.

  7. On the Review policy page, enter a Name and an optional Description for the policy that you are creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.

Create an IAM role

After creating a permissions policy for your QLDB stream, you can then create an IAM role and attach your policy to it.

To create the service role for an QLDB (IAM console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

  3. Choose the AWS service role type, and then choose QLDB.

  4. Choose the QLDB use case. Then choose Next: Permissions.

  5. Select the box next to the policy that you created in the previous steps.

  6. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles.

    Expand the Set permissions boundary section and choose Use a permissions boundary to control the maximum role permissions. IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions boundary or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see step 4 in the procedure Creating IAM policies in the IAM User Guide. After you create the policy, close that tab and return to your original tab to select the policy to use for the permissions boundary.

  7. Choose Next: Tags.

  8. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.

  9. Choose Next: Review.

  10. If possible, enter a role name or role name suffix to help you identify the purpose of this role. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both PRODROLE and prodrole. Because various entities might reference the role, you cannot edit the name of the role after it has been created.

  11. (Optional) For Role description, enter a description for the new role.

  12. Review the role and then choose Create role.

The following JSON document is an example of a trust policy that allows QLDB to assume an IAM role with specific permissions attached to it.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "qldb.amazonaws.com" }, "Action": [ "sts:AssumeRole" ] } ] }

After creating your IAM role, return to the QLDB console and refresh the Create QLDB stream page so that it can find your new role.