I do not want to use hardcoded AWS credentials in the application to access the services.

So we are planning to use an IAM role for the service account, and using the SDK's credentials provider chain implementation it will be able to establish the connection. We have successfully done this for S3 and SQS, but while doing the same for the Kinesis bean we are getting the exception below.

software.amazon.awssdk.services.kinesis.model.AccessDeniedException: 
User: arn:aws:sts::683177151963:assumed-role/eks-node-group-instance-role-NodeInstanceRole-1N9FQ0HM24DTN/i-07c0a7aec9981c318 
is not authorized to perform: kinesis:ListShards on resource: 
arn:aws:kinesis:us-east-1:683177151963:stream/evse-events-rel 
because no identity-based policy allows the kinesis:ListShards action 
(Service: Kinesis, Status Code: 400, Request ID: f753a873-f33a-4c50-aac4-cad99e9fd7e0, Extended Request ID: mLCLkfpM7o+2NKQRWYntzs6On5EGRAvBOswTkfozg6tTkG8L3zTDdmNQvq+J4Ti79xrhAkzGjsQEq68myEJPyYj6hJvFJm78)

Below is the bean instantiation implementation:

@Bean
public ConfigsBuilder configsBuilder(@Value("${aws.kinesis_stream_name}") String kinesisStreamName) {
    // Region only; credentials come from the SDK's default credentials provider chain
    kinesisClient = KinesisAsyncClient.builder().region(Region.US_EAST_1).build();

    // ListShards is the first call made with the resolved credentials; this is where the AccessDeniedException surfaces
    CompletableFuture<ListShardsResponse> listShardsFuture =
            kinesisClient.listShards(ListShardsRequest.builder().streamName(kinesisStreamName).build());
    // thenCompose so that join() waits for every GetShardIterator call, not just for ListShards
    listShardsFuture.thenCompose(listShardsResponse -> CompletableFuture.allOf(listShardsResponse.shards().stream()
            .map(shard -> kinesisClient.getShardIterator(GetShardIteratorRequest.builder()
                    .streamName(kinesisStreamName)
                    .shardId(shard.shardId())
                    .shardIteratorType(ShardIteratorType.AT_TIMESTAMP)
                    .timestamp(Instant.now())
                    .build()))
            .toArray(CompletableFuture[]::new))).join();

    return new ConfigsBuilder(kinesisStreamName, APPLICATION_PREFIX + "-" + springProfilesActive + "-" + IDENTIFIER,
            kinesisClient, DynamoDbAsyncClient.builder().region(Region.US_EAST_1).build(),
            CloudWatchAsyncClient.builder().region(Region.US_EAST_1).build(), System.getenv("HOSTNAME") + IDENTIFIER,
            ApplicationContextProvider.getContext().getBean(ShardProcessorFactory.class));
}

And below is the policy we are using:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kinesis:DescribeStream",
                "kinesis:GetRecords",
                "kinesis:GetShardIterator",
                "kinesis:ListShards",
                "kinesis:ListStreams",
                "kinesis:ListStreamConsumers",
                "kinesis:PutRecord",
                "kinesis:PutRecords"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kinesis:us-east-1:683177151963:stream/evse-events-rel",
                "arn:aws:kinesis:us-east-1:683177151963:stream/evse-events-rel/*"
            ]
        },
        {
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:us-east-1:683177151963:table/SSE-rel-*"
            ]
        },
        {
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}

We tried putting * in the Kinesis action as well, but we are still getting the same issue. Any help around this would be appreciated.


There are 0 answers
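The exception above names the principal the call was actually made as: an assumed-role session of the EKS node-group instance role, with the EC2 instance id as the session name, which is what the SDK's default chain ends up with when it falls through to the instance metadata service rather than picking up a web identity token. An identity-based policy attached to a different (service-account) role cannot authorize that principal, however broad its Kinesis actions. The following is an added example and not code from the original post: a startup check for the AWS SDK for Java v2 that prefers the web identity token file when the IRSA environment variables `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are present, asks STS `GetCallerIdentity` which role is in effect, and refuses to build the Kinesis client if it is not the expected one. It assumes the standard EKS pod identity webhook injects those two variables and that the `sts` SDK module is on the classpath; the class and method names are illustrative.

```java
import java.nio.file.Path;

import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kinesis.KinesisAsyncClient;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

/**
 * Startup check (example code, not from the original post): resolve the credentials
 * the SDK will use, ask STS which principal they belong to, and fail fast if it is
 * not the role the pod's service account is supposed to assume.
 */
public final class IdentityCheck {

    // Injected by the EKS pod identity webhook when the service account carries the
    // eks.amazonaws.com/role-arn annotation (assumption: standard IRSA setup).
    private static final String ROLE_ARN_ENV = "AWS_ROLE_ARN";
    private static final String TOKEN_FILE_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE";

    private IdentityCheck() {}

    /**
     * Use the web identity token explicitly when the IRSA variables are present, so a
     * misconfigured pod fails here instead of silently continuing with the node's
     * instance-profile credentials further down the default chain.
     */
    public static AwsCredentialsProvider credentialsProvider() {
        String roleArn = System.getenv(ROLE_ARN_ENV);
        String tokenFile = System.getenv(TOKEN_FILE_ENV);
        if (roleArn != null && tokenFile != null) {
            return WebIdentityTokenFileCredentialsProvider.builder()
                    .roleArn(roleArn)
                    .webIdentityTokenFile(Path.of(tokenFile))
                    .roleSessionName("kinesis-consumer-startup-check")
                    .build();
        }
        // Outside EKS (local development, CI) fall back to the normal chain.
        return DefaultCredentialsProvider.create();
    }

    /** Returns the ARN that STS reports for the resolved credentials. */
    public static String callerIdentityArn(AwsCredentialsProvider provider, Region region) {
        try (StsClient sts = StsClient.builder()
                .region(region)
                .credentialsProvider(provider)
                .build()) {
            GetCallerIdentityResponse who = sts.getCallerIdentity();
            return who.arn();
        }
    }

    /**
     * STS returns arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION while the expected
     * value is the IAM role ARN arn:aws:iam::ACCOUNT:role/ROLE_NAME, so compare on the
     * role name rather than on the full string.
     */
    public static boolean isExpectedRole(String callerArn, String expectedRoleArn) {
        String expectedName = expectedRoleArn.substring(expectedRoleArn.lastIndexOf('/') + 1);
        return callerArn.contains(":assumed-role/" + expectedName + "/");
    }

    /** Builds the Kinesis client only after confirming which principal will sign its requests. */
    public static KinesisAsyncClient kinesisClient(Region region) {
        AwsCredentialsProvider provider = credentialsProvider();
        String caller = callerIdentityArn(provider, region);
        String expected = System.getenv(ROLE_ARN_ENV);
        if (expected != null && !isExpectedRole(caller, expected)) {
            // A policy attached to the IRSA role never applies while a different principal is in use.
            throw new IllegalStateException("Running as " + caller + " but expected role " + expected
                    + "; check the service-account annotation and the pod's serviceAccountName");
        }
        System.out.println("Kinesis client will call AWS as " + caller);
        return KinesisAsyncClient.builder()
                .region(region)
                .credentialsProvider(provider)
                .build();
    }
}
```

Wiring `IdentityCheck.kinesisClient(Region.US_EAST_1)` into the bean in place of the bare `KinesisAsyncClient.builder()` call turns the `AccessDeniedException` into a clear message about which role is actually in effect, which is the fact the exception already reports but only after the first Kinesis call has been denied.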