0

I am new to AWS cloudformation and in need to create a Kinesis datastream, then write records to this stream using python code. I was able to create a data stream through cloudformation template but not able to set the permissions. How I will attache a permission to allow certain usergroup to write to this kinesis data stream using the python library?

My current template code is,

AWSTemplateFormatVersion: '2010-09-09'
Description: 'This template will create an AWS Kinesis DataStream'

Parameters:

CFNStreamName:
    Description: This will be used to name the Kinesis DataStream
    Type: String
    Default: 'data-stream'

CFNRetensionHours:
    Description: This will be used to set the retension hours
    Type: Number
    Default: 168

CFNShardCount:
    Description: This will be used to set the shard count
    Type: Number
    Default: 2

Resources:
    MongoCDCStream:
Type: AWS::Kinesis::Stream
Properties:
  Name: !Ref CFNStreamName
  RetentionPeriodHours: !Ref CFNRetensionHours
  ShardCount: !Ref CFNShardCount
  StreamEncryption:
      EncryptionType: KMS
      KeyId: alias/aws/kinesis
Outputs:
    MongoCDCStream:
    Value: !Ref MongoCDCStream
    Export:
        Name: !Sub ${AWS::StackName}-MongoCDCStream
Arun Vasu
  • 297
  • 8
  • 22

1 Answers1

1

You will want to pass in (through the cloudformation parameter) either the IAM Role or User that your Python code runs on.

Inside the template, create an IAM Policy or ManagedPolicy that attaches to the IAM Role / User you passed in and assign the correct permission.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'This template will create an AWS Kinesis DataStream'

Parameters:

CFNStreamName:
    Description: This will be used to name the Kinesis DataStream
    Type: String
    Default: 'data-stream'

CFNRetensionHours:
    Description: This will be used to set the retension hours
    Type: Number
    Default: 168

CFNShardCount:
    Description: This will be used to set the shard count
    Type: Number
    Default: 2

PythonCodeRole:
    Type: String
# ^- Pass in role here.

Resources:
    # Assign permission here.
    PythonCodePlicyAssignmen:
        Type: AWS::IAM::Policy
        Properties: 
            PolicyDocument: 
                <assign needed permission here>
                Version: "2012-10-17"
                Statement:
                  - Effect: "Allow"
                    Action:
                      - "kinesis:*"
                    Resource: !Ref MongoCDCStream
                    # ^- here, use !Ref to tie in the correct resource id cleanly.
            PolicyName: python-code-permission
            Roles: [!Ref PythonCodeRole]

    MongoCDCStream:
        Type: AWS::Kinesis::Stream
        Properties:
            Name: !Ref CFNStreamName
            RetentionPeriodHours: !Ref CFNRetensionHours
            ShardCount: !Ref CFNShardCount
            StreamEncryption:
              EncryptionType: KMS
              KeyId: alias/aws/kinesis
Outputs:
    MongoCDCStream:
    Value: !Ref MongoCDCStream
    Export:
        Name: !Sub ${AWS::StackName}-MongoCDCStream
Sleeper Smith
  • 3,212
  • 4
  • 28
  • 39