Tags: amazon-web-services, amazon-dynamodb, amazon-kinesis, amazon-kcl

What IAM permissions does a Kinesis Consumer need when using KCL?


I have a Kinesis consumer I wrote using the Kinesis Client Library (KCL). This consumer is running under an assumed IAM role.

I've read from the documentation that:

The KCL creates a DynamoDB table with the application name and uses the table to maintain state information (such as checkpoints and worker-shard mapping) for the application. Each application has its own DynamoDB table. For more information, see Tracking Amazon Kinesis Data Streams Application State.

Sure, I need to add the dynamodb:CreateTable permission to my IAM role. However, I'm getting errors for other things (e.g. dynamodb:DescribeTable).

Is there a list of all DynamoDB operations my KCL consumer needs access to? The documentation seems to be lacking and I'd rather have an authoritative list than keep trying to run my application.


Solution

  • I also had the same issue and was able to resolve it after setting this policy; there should also be proper permissions enabled to access Kinesis.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kinesis:Get*",
                    "kinesis:DescribeStream",
                    "kinesis:ListShards"
                ],
                "Resource": [
                    "arn:aws:kinesis:ap-south-1:ACCOUNT_ID:stream/STREAM_NAME"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kinesis:ListStreams"
                ],
                "Resource": "*"
            },
            {
                "Sid": "SpecificTable",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:BatchGet*",
                    "dynamodb:DescribeStream",
                    "dynamodb:DescribeTable",
                    "dynamodb:Get*",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "dynamodb:BatchWrite*",
                    "dynamodb:CreateTable",
                    "dynamodb:Delete*",
                    "dynamodb:Update*",
                    "dynamodb:PutItem"
                ],
                "Resource": "arn:aws:dynamodb:ap-south-1:ACCOUNT_ID:table/TABLE_NAME*"
            }
        ]
    }
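    As an added example (not part of the answer above), the policy is generated from the stream and application names rather than pasted, and the consumer's AccessDeniedException log lines are checked against it so that any grant still missing is found without guessing. Assumptions: `fnmatch` stands in for IAM's `*`/`?` action and resource matching (Deny statements and conditions are not modelled), the log line shape and all ARNs are constructed, and the third sample denial reflects that KCL also publishes CloudWatch metrics unless that is disabled in its configuration.

    ```python
    import fnmatch
    import re
    # Actions the answer above grants, grouped by the resource they scope to.
    KINESIS_STREAM_ACTIONS = ["kinesis:Get*", "kinesis:DescribeStream", "kinesis:ListShards"]
    DYNAMODB_TABLE_ACTIONS = ["dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable",
        "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*", "dynamodb:CreateTable",
        "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem"]

    def build_kcl_policy(region, account_id, stream_name, app_name):
        """Least-privilege policy for one KCL consumer: Kinesis reads scoped to the stream,
        ListStreams on "*" (IAM offers no resource-level scoping for it), and DynamoDB actions
        scoped to the lease table, which KCL names after the application."""
        stream_arn = f"arn:aws:kinesis:{region}:{account_id}:stream/{stream_name}"
        table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{app_name}"
        return {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": KINESIS_STREAM_ACTIONS, "Resource": stream_arn},
            {"Effect": "Allow", "Action": ["kinesis:ListStreams"], "Resource": "*"},
            {"Sid": "LeaseTable", "Effect": "Allow", "Action": DYNAMODB_TABLE_ACTIONS, "Resource": table_arn},
        ]}

    def _matches(value, patterns):
        # IAM compares actions case-insensitively and uses * and ? wildcards; fnmatch approximates that.
        pats = patterns if isinstance(patterns, list) else [patterns]
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)

    def policy_allows(policy, action, resource):
        """True if an Allow statement covers both action and resource (Deny and Condition not modelled)."""
        return any(stmt["Effect"] == "Allow" and _matches(action, stmt["Action"])
                   and _matches(resource, stmt["Resource"]) for stmt in policy["Statement"])

    # Shape of the AccessDeniedException message the consumer logs when a grant is missing (constructed).
    DENIED_RE = re.compile(r"not authorized to perform: (?P<action>[\w:*-]+) on resource: (?P<resource>\S+)")

    def missing_grants(policy, log_lines):
        """Return the (action, resource) pairs from denial messages that the policy does not cover."""
        missing = []
        for line in log_lines:
            m = DENIED_RE.search(line)
            if m and not policy_allows(policy, m["action"], m["resource"]):
                missing.append((m["action"], m["resource"]))
        return missing

    # Constructed sample denials: the first two are covered by the policy, the third is not,
    # because KCL also publishes CloudWatch metrics unless that is disabled in its config.
    PRINCIPAL = "User: arn:aws:sts::123456789012:assumed-role/kcl-consumer/worker-1"
    SAMPLE_DENIALS = [
        f"{PRINCIPAL} is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1:123456789012:table/my-kcl-app",
        f"{PRINCIPAL} is not authorized to perform: kinesis:GetRecords on resource: arn:aws:kinesis:us-east-1:123456789012:stream/orders",
        f"{PRINCIPAL} is not authorized to perform: cloudwatch:PutMetricData on resource: *",
    ]
    ```

    Running `missing_grants(build_kcl_policy("us-east-1", "123456789012", "orders", "my-kcl-app"), SAMPLE_DENIALS)` reports only the CloudWatch grant, which is the one the answer's policy does not include.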