Example Policies
This section provides example IAM policies for Lenses.
These are only some sample policies to help you build your own
Admin
Full admin across all resources.
role
name: administrator
policy:
- action: '*'
resource: '*'
effect: allow
Full access for data namespace
Allow full access for all services and resources beginning with blue.
role
name: blue-things
policy:
- action:
- iam:List*
- iam:Get*
resource: iam:*
effect: allow
- action:
- environments:Get*
- environments:List*
- environments:AccessEnvironment
resource: environments:*
effect: allow
- action:
- kafka:*
- schemas:*
- kafka-connect:*
- kubernetes:*
- applications:*
resource:
- kafka:topic:*/*/blue-*
- kafka:consumer-group:*/*/blue-*
- kafka:acl:*/*/*/user/blue-*
- schemas:schema:*/*/blue-*
- kafka-connect:cluster:*/*
- kafka-connect:connector:*/*/blue-*
- sql-streaming:processor:*/*/*/blue-*
- kubernetes:cluster:*/*
- kubernetes:namespace:*/*/*
effect: allow
- action:
- alerts:*
- data-policies:*
resource:
- alerts:alert:*/*/blue-*
- alerts:event:*/*/*
- data-policies:policy:*/blue-*
effect: allow
Explore a data namespace
Allow read only access for topics and schemas beginning with la.
role
name: public-data-explorer
policy:
- action:
- environments:ListEnvironments
- environments:GetEnvironmentDetails
- environments:AccessEnvironment
resource: environments:environment:global*
effect: allow
- action:
- kafka:ListTopics
- kafka:ListTopicDependants
- kafka:GetTopicDetails
- kafka:ReadTopicData
resource: kafka:topic:*/kafka/la-*
effect: allow
- action:
- schemas:ListSchemas
- schemas:ListSchemaDependants
- schemas:GetSchemaDetails
resource: schemas:schema:*/*/la-*
effect: allow
Connect Operator
Allow operators to restart connectors and list & get IAM resource only.
role
name: global-connector-operator
policy:
- action:
- iam:List*
- iam:Get*
resource: iam:*
effect: allow
- action:
- environments:Get*
- environments:List*
- environments:AccessEnvironment
resource: environments:*
effect: allow
- action:
- kafka-connect:List*
- kafka-connect:GetClusterDetails
- kafka-connect:GetConnectorDetails
- kafka-connect:StartConnector
- kafka-connect:StopConnector
resource:
- kafka-connect:cluster:*/*
- kafka-connect:connector:*/*/*
effect: allow
Explicit no access to production
Explicitly deny access to environments with names starting with prod-.
roles
name: no-access-prod-name-prefix
policy:
- action: environments:AccessEnvironment
resource: environments:environment:prod-*
effect: deny
Developer access
Allow developers access to topics, schemas, sql processors, consumer groups, acls, quotas, connectors for us-dev.
role
name: us-dev-permissions
policy:
- action:
- iam:List*
- iam:Get*
resource: iam:*
effect: allow
- action:
- environments:Get*
- environments:List*
resource: environments:*
effect: allow
- action: environments:AccessEnvironment
resource: environments:environment:us-dev
effect: allow
- action:
- kafka:*
- schemas:*
- kafka-connect:*
- kubernetes:*
- applications:*
resource:
- kafka:topic:us-dev/*
- kafka:consumer-group:us-dev/*
- kafka:acl:us-dev/*
- kafka:quota:us-dev/*
- schemas:schema:us-dev/*
- kafka-connect:cluster:us-dev/*
- kafka-connect:connector:us-dev/*
- sql-streaming:sql-processor:us-dev/*
- kubernetes:cluster:us-dev/*
- kubernetes:namespace:us-dev/*
effect: allow
- action:
- alerts:*
- data-policies:*
resource:
- alerts:channel:us-dev/*
- alerts:event:us-dev/*
- alerts:rule:us-dev/*
- data-policies:policy:us-dev/*
effect: allow
