Example Policies
This section provides example IAM policies for Lenses.
These are only some sample policies to help you build your own.
Admin
Full admin across all resources.
Full access for data namespace
Allow full access for all services and resources beginning with blue.
role
name: blue-things
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:*/*/blue-*
      - kafka:consumer-group:*/*/blue-*
      - kafka:acl:*/*/*/user/blue-*
      - schemas:schema:*/*/blue-*
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/blue-*
      - sql-streaming:processor:*/*/*/blue-*
      - kubernetes:cluster:*/*
      - kubernetes:namespace:*/*/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert:*/*/blue-*
      - alerts:event:*/*/*
      - data-policies:policy:*/blue-*
    effect: allow
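An added example, not part of the Lenses documentation: a small audit of the blue-things statements above that reports resources whose last segment is not limited to the expected prefix, and services that appear in only one of action or resource. The statement data is copied from the sample; the `audit` function and its finding names are assumptions for illustration, and how Lenses treats such mismatches is not stated on this page.

```python
# Statements copied from the blue-things sample; scalar resources are
# written as one-element lists. The lint rules are illustrative assumptions.
BLUE_THINGS = [
    {"action": ["iam:List*", "iam:Get*"], "resource": ["iam:*"]},
    {"action": ["environments:Get*", "environments:List*",
                "environments:AccessEnvironment"],
     "resource": ["environments:*"]},
    {"action": ["kafka:*", "schemas:*", "kafka-connect:*", "kubernetes:*",
                "applications:*"],
     "resource": ["kafka:topic:*/*/blue-*", "kafka:consumer-group:*/*/blue-*",
                  "kafka:acl:*/*/*/user/blue-*", "schemas:schema:*/*/blue-*",
                  "kafka-connect:cluster:*/*",
                  "kafka-connect:connector:*/*/blue-*",
                  "sql-streaming:processor:*/*/*/blue-*",
                  "kubernetes:cluster:*/*", "kubernetes:namespace:*/*/*"]},
    {"action": ["alerts:*", "data-policies:*"],
     "resource": ["alerts:alert:*/*/blue-*", "alerts:event:*/*/*",
                  "data-policies:policy:*/blue-*"]},
]

def service(entry):
    """Return the service part of 'service:...' (text before the first colon)."""
    return entry.split(":", 1)[0]

def audit(statements, prefix):
    """Return (statement_index, finding, detail) tuples for manual review."""
    findings = []
    for i, st in enumerate(statements):
        acts = {service(a) for a in st["action"]}
        ress = {service(r) for r in st["resource"]}
        # Services granted actions but given no resource, and the reverse.
        for svc in sorted(acts - ress):
            findings.append((i, "action-without-resource", svc))
        for svc in sorted(ress - acts):
            findings.append((i, "resource-without-action", svc))
        # The final path (or colon) segment should start with the prefix.
        for r in st["resource"]:
            last = r.rsplit("/", 1)[-1] if "/" in r else r.rsplit(":", 1)[-1]
            if not last.startswith(prefix):
                findings.append((i, "unscoped-resource", r))
    return findings

if __name__ == "__main__":
    for idx, kind, detail in audit(BLUE_THINGS, "blue-"):
        print(f"statement {idx}: {kind}: {detail}")
```

Some unscoped entries, such as `iam:*` and `environments:*`, are expected for a role like this; the list is a prompt for review, not a verdict.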
Explore a data namespace
Allow read-only access for topics and schemas beginning with la.
role
name: public-data-explorer
policy:
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:environment:global*
    effect: allow
  - action:
      - kafka:ListTopics
      - kafka:ListTopicDependants
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
    resource: kafka:topic:*/kafka/la-*
    effect: allow
  - action:
      - schemas:ListSchemas
      - schemas:ListSchemaDependants
      - schemas:GetSchemaDetails
    resource: schemas:schema:*/*/la-*
    effect: allow
Connect Operator
Allow operators to restart connectors and to list and get IAM resources only.
No access to data!
Explicit no access to production
Explicitly deny access to environments with names starting with prod-.
Developer access
Allow developers access to topics, schemas, SQL processors, consumer groups, ACLs, quotas, and connectors for us-dev.