Example Policies

This section provides example IAM policies for Lenses.

These are only a few sample policies to help you build your own.

Admin

Full admin across all resources.

role
name: administrator
policy:
  - action: '*'
    resource: '*'
    effect: allow

Full access for a data namespace

Allow full access, across all services, to resources whose names begin with blue-; IAM and environment objects are list/get (and access) only.

role
name: blue-things
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:*/*/blue-*
      - kafka:consumer-group:*/*/blue-*
      - kafka:acl:*/*/*/user/blue-*
      - schemas:schema:*/*/blue-*
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/blue-*
      - sql-streaming:processor:*/*/*/blue-*
      - kubernetes:cluster:*/*
      - kubernetes:namespace:*/*/*
      - applications:external-application:*/blue-*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert:*/*/blue-*
      - alerts:alert-event:*/*/*
      - data-policies:policy:*/blue-*
    effect: allow

Explore a data namespace

Allow read-only access to topics and schemas whose names begin with la-, in environments whose names begin with global.

role
name: public-data-explorer
policy:
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:environment:global*
    effect: allow
  - action:
      - kafka:ListTopics
      - kafka:ListTopicDependants
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
    resource: kafka:topic:*/kafka/la-*
    effect: allow
  - action:
      - schemas:ListSchemas
      - schemas:ListSchemaDependants
      - schemas:GetSchemaDetails
    resource: schemas:schema:*/*/la-*
    effect: allow

Connect Operator

Allow operators to start and stop connectors, and to list and get IAM resources only.

No access to data!

role
name: global-connector-operator
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka-connect:List*
      - kafka-connect:GetClusterDetails
      - kafka-connect:GetConnectorDetails
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
    resource:
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/*
    effect: allow

Explicit no access to production

Explicitly deny access to any environment whose name begins with prod-. Attach this alongside other roles: the deny applies regardless of what those roles allow.

role
name: no-access-prod
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment:prod-*
    effect: deny

Developer access

Allow developers access to topics, schemas, SQL processors, consumer groups, ACLs, quotas, connectors (plus Kubernetes clusters/namespaces, external applications, alerts and data policies) in the us-dev environment only.

role
name: us-dev-access
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment:us-dev
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:us-dev/*
      - kafka:consumer-group:us-dev/*
      - kafka:acl:us-dev/*
      - kafka:quota:us-dev/*
      - schemas:schema:us-dev/*
      - kafka-connect:cluster:us-dev/*
      - kafka-connect:connector:us-dev/*
      - sql-streaming:processor:us-dev/*
      - kubernetes:cluster:us-dev/*
      - kubernetes:namespace:us-dev/*/*
      - applications:external-application:us-dev/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert:us-dev/*
      - alerts:alert-event:us-dev/*
      - data-policies:policy:us-dev/*
    effect: allow
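To check a role against its intent before assigning it, it helps to probe it with concrete (action, resource) requests. The evaluator below is an added example, not Lenses code; it transcribes several of the roles above (the us-dev role abridged) into Python data and evaluates requests against them. Its matching semantics are assumptions not stated on this page: `*` matches any run of characters including `:` and `/`, an explicit deny overrides any allow, and a request with no matching allow is denied.

```python
import re
from typing import Dict, List, Union

Patterns = Union[str, List[str]]

# Roles transcribed from this page as Python data (no YAML dependency needed).
ADMIN = {"name": "administrator", "policy": [
    {"action": "*", "resource": "*", "effect": "allow"}]}

NO_ACCESS_PROD = {"name": "no-access-prod", "policy": [
    {"action": "environments:AccessEnvironment",
     "resource": "environments:environment:prod-*", "effect": "deny"}]}

PUBLIC_DATA_EXPLORER = {"name": "public-data-explorer", "policy": [
    {"action": ["environments:ListEnvironments", "environments:GetEnvironmentDetails",
                "environments:AccessEnvironment"],
     "resource": "environments:environment:global*", "effect": "allow"},
    {"action": ["kafka:ListTopics", "kafka:ListTopicDependants",
                "kafka:GetTopicDetails", "kafka:ReadTopicData"],
     "resource": "kafka:topic:*/kafka/la-*", "effect": "allow"},
    {"action": ["schemas:ListSchemas", "schemas:ListSchemaDependants",
                "schemas:GetSchemaDetails"],
     "resource": "schemas:schema:*/*/la-*", "effect": "allow"}]}

GLOBAL_CONNECTOR_OPERATOR = {"name": "global-connector-operator", "policy": [
    {"action": ["iam:List*", "iam:Get*"], "resource": "iam:*", "effect": "allow"},
    {"action": ["environments:Get*", "environments:List*",
                "environments:AccessEnvironment"],
     "resource": "environments:*", "effect": "allow"},
    {"action": ["kafka-connect:List*", "kafka-connect:GetClusterDetails",
                "kafka-connect:GetConnectorDetails", "kafka-connect:StartConnector",
                "kafka-connect:StopConnector"],
     "resource": ["kafka-connect:cluster:*/*", "kafka-connect:connector:*/*/*"],
     "effect": "allow"}]}

US_DEV_ACCESS = {"name": "us-dev-access", "policy": [  # abridged
    {"action": ["environments:Get*", "environments:List*"],
     "resource": "environments:*", "effect": "allow"},
    {"action": "environments:AccessEnvironment",
     "resource": "environments:environment:us-dev", "effect": "allow"},
    {"action": ["kafka:*", "schemas:*", "kafka-connect:*"],
     "resource": ["kafka:topic:us-dev/*", "kafka:consumer-group:us-dev/*",
                  "schemas:schema:us-dev/*", "kafka-connect:connector:us-dev/*"],
     "effect": "allow"}]}


def _glob(pattern: str) -> "re.Pattern[str]":
    """Assumed wildcard semantics: '*' matches any run of characters
    (including ':' and '/'); every other character is literal."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$")


def _matches(patterns: Patterns, value: str) -> bool:
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_glob(p).match(value) for p in patterns)


def evaluate(roles: List[Dict], action: str, resource: str) -> str:
    """Decide one (action, resource) request for a principal holding `roles`.
    Assumed combination rule: default deny; any matching allow grants;
    any matching deny overrides every allow, whichever role it comes from."""
    decision = "deny"
    for role in roles:
        for stmt in role["policy"]:
            if _matches(stmt["action"], action) and _matches(stmt["resource"], resource):
                if stmt["effect"] == "deny":
                    return "deny"
                decision = "allow"
    return decision


def audit(roles: List[Dict], requests):
    """Run a list of (action, resource) probes and return the decisions."""
    return [(a, r, evaluate(roles, a, r)) for a, r in requests]


if __name__ == "__main__":
    # Constructed probe requests: resource names are illustrative, not from the page.
    probes = [
        ("kafka:ReadTopicData", "kafka:topic:us-dev/main/orders"),
        ("kafka:ReadTopicData", "kafka:topic:prod-eu/main/orders"),
        ("environments:AccessEnvironment", "environments:environment:prod-eu"),
    ]
    for action, resource, decision in audit([US_DEV_ACCESS, NO_ACCESS_PROD], probes):
        print(f"{decision:5} {action:32} {resource}")
```

The probes worth keeping in such an audit are the negative ones: a data-read under the connector-operator role, a prod- environment under a developer role combined with no-access-prod, and a topic outside the namespace prefix under the explorer role. A role that passes only its positive probes has not been shown to be least-privilege.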

2024 © Lenses.io Ltd. Apache, Apache Kafka, Kafka and associated open source project names are trademarks of the Apache Software Foundation.