Share access using resource-based policies
Note
Updating an existing resource-based policy means replacing the existing one, so make sure to include all the necessary information in your new policy.
Share access with cross-account Amazon Lambda functions
Lambda operator
Go to the IAM console
to create an IAM role that will be used as the Lambda execution role for your Amazon Lambda function. Add the managed IAM policy AWSLambdaKinesisExecutionRole
which has the required Kinesis Data Streams and Lambda invocation permissions. This policy also grants access to all potential Kinesis Data Streams resources you may have access to.In the Amazon Lambda console
, create an Amazon Lambda function to process records in an Kinesis Data Streams data stream and during the setup for the execution role, choose the role you created in the previous step. Provide the execution role to the Kinesis Data Streams resource owner for configuring the resource policy.
Finish setting up the Lambda function.
Kinesis Data Streams resource owner
Get the cross-account Lambda execution role that will invoke the Lambda function.
On the Amazon Kinesis Data Streams console, choose the data stream. Choose the Data stream sharing tab and then the Create sharing policy button to start the visual policy editor. To share a registered consumer within a data stream, choose the consumer and then choose Create sharing policy. You can also write the JSON policy directly.
Specify the cross-account Lambda execution role as the principal and the exact Kinesis Data Streams actions you are sharing access to. Make sure to include the action
kinesis:DescribeStream
. For more information on example resource policies for Kinesis Data Streams, see Example resource-based policies for Kinesis data streams.Choose Create policy or use the PutResourcePolicy to attach the policy to your resource.
Share access with cross-account KCL consumers
If you are using KCL 1.x, ensure you are using KCL 1.15.0 or higher.
If you are using KCL 2.x, ensure you are using KCL 2.5.3 or higher.
KCL operator
Provide your IAM user or IAM role that will run the KCL application to the resource owner.
Ask the resource owner for the data stream or consumer ARN.
Ensure that you specify the provided stream ARN as a part of your KCL configuration.
For KCL 1.x: use the KinesisClientLibConfiguration
constructor and provide the stream ARN. For KCL 2.x: You can provide just the stream ARN or StreamTracker
to the Kinesis Client Library ConfigsBuilder . For StreamTracker, provide the stream ARN and creation Epoch from the DynamoDB Lease Table that is generated by the library. If you want to read from a shared registered consumer like Enhanced Fan-Out, use StreamTracker and also provide the consumer ARN.
Kinesis Data Streams resource owner
Get the cross-account IAM user or IAM role that will run the KCL application.
On the Amazon Kinesis Data Streams console, choose the data stream. Choose the Data stream sharing tab and then the Create sharing policy button to start the visual policy editor. To share a registered consumer within a data stream, choose the consumer and then choose Create sharing policy. You can also write the JSON policy directly.
Specify the cross-account KCL application's IAM user or IAM role as the principal and the exact Kinesis Data Streams actions you are sharing access to. For more information on example resource policies for Kinesis Data Streams, see Example resource-based policies for Kinesis data streams.
Choose Create policy or use the PutResourcePolicy to attach the policy to your resource.
Share access to encrypted data
If you have enabled server-side encryption for a data stream with Amazon managed KMS key and want to share access via a resource policy, you must switch to using customer-managed key (CMK). For more information, see What is server-side encryption for Kinesis Data Streams?. In addition, you must allow your sharing principal entities to have access to your CMK, using KMS cross account sharing capabilities. Make sure to also make the change in the IAM policies for the sharing principal entities. For more information, see Allowing users in other accounts to use a KMS key.