Example Policies
This section provides example IAM policies for Lenses.
These are only some sample policies to help you build your own.
Admin
Full admin across all resources.
role
```yaml
name: administrator
policy:
  - action: '*'
    resource: '*'
    effect: allow
```
Full access for a data namespace
Allow full access, across all services, to resources whose names begin with blue.
role
```yaml
name: blue-things
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic/*/*/blue-*
      - kafka:consumer-group/*/*/blue-*
      - kafka:acl/*/*/*/user/blue-*
      - schemas:schema/*/*/blue-*
      - kafka-connect:cluster/*/*
      - kafka-connect:connector/*/*/blue-*
      - sql-streaming:processor/*/*/*/blue-*
      - kubernetes:cluster/*/*
      - kubernetes:namespace/*/*/*
      - applications:external-application/*/blue-*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert/*/*/blue-*
      - alerts:alert-event/*/*/*
      - data-policies:policy/*/blue-*
    effect: allow
```
Explore a data namespace
Allow read-only access to topics and schemas whose names begin with la.
role
```yaml
name: public-data-explorer
policy:
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:environment/global*
    effect: allow
  - action:
      - kafka:ListTopics
      - kafka:ListTopicDependants
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
    resource: kafka:topic/*/kafka/la-*
    effect: allow
  - action:
      - schemas:ListSchemas
      - schemas:ListSchemaDependants
      - schemas:GetSchemaDetails
    resource: schemas:schema/*/*/la-*
    effect: allow
```
Connect Operator
Allow operators to restart connectors, and to list and get IAM resources only.
role
```yaml
name: global-connector-operator
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka-connect:List*
      - kafka-connect:GetClusterDetails
      - kafka-connect:GetConnectorDetails
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
    resource:
      - kafka-connect:cluster/*/*
      - kafka-connect:connector/*/*/*
    effect: allow
```
Explicit no access to production
Explicitly deny access to any production environment (an explicit deny is the safeguard to attach alongside broader allow roles).
role
```yaml
name: no-access-prod
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment/prod-*
    effect: deny
```
Developer access
Allow developers access to topics, schemas, SQL processors, consumer groups, ACLs, quotas and connectors in the us-dev environment.
role
```yaml
name: us-dev-access
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment/us-dev
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic/us-dev/*
      - kafka:consumer-group/us-dev/*
      - kafka:acl/us-dev/*
      - kafka:quota/us-dev/*
      - schemas:schema/us-dev/*
      - kafka-connect:cluster/us-dev/*
      - kafka-connect:connector/us-dev/*
      - sql-streaming:processor/us-dev/*
      - kubernetes:cluster/us-dev/*
      - kubernetes:namespace/us-dev/*/*
      - applications:external-application/us-dev/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert/us-dev/*
      - alerts:alert-event/us-dev/*
      - data-policies:policy/us-dev/*
    effect: allow
```
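To see how the wildcard patterns in these policies combine, the script below is an added example (not Lenses code) that loads a few of the roles above as plain Python dicts and evaluates requests against them. It assumes an evaluation model that is not stated on this page: every statement is checked, an explicit deny beats any allow, anything unmatched is implicitly denied, and `*` matches any run of characters. The environment and resource names in the checks (prod-eu, global-1, la-events, orders) are constructed for the example, and us-dev-access is abridged to its environment statements.

```python
"""Toy evaluator for Lenses-style IAM policies (added example, not Lenses code).

ASSUMED model, not taken from the docs page: all matching statements are
collected, an explicit deny wins over any allow, and no match means an
implicit deny. Only the '*' wildcard is supported.
"""
import re

# Roles mirror the YAML on this page as dicts so no YAML library is needed.
ADMIN = {
    "name": "administrator",
    "policy": [{"action": "*", "resource": "*", "effect": "allow"}],
}

PUBLIC_DATA_EXPLORER = {
    "name": "public-data-explorer",
    "policy": [
        {"action": ["environments:ListEnvironments",
                    "environments:GetEnvironmentDetails",
                    "environments:AccessEnvironment"],
         "resource": "environments:environment/global*", "effect": "allow"},
        {"action": ["kafka:ListTopics", "kafka:ListTopicDependants",
                    "kafka:GetTopicDetails", "kafka:ReadTopicData"],
         "resource": "kafka:topic/*/kafka/la-*", "effect": "allow"},
        {"action": ["schemas:ListSchemas", "schemas:ListSchemaDependants",
                    "schemas:GetSchemaDetails"],
         "resource": "schemas:schema/*/*/la-*", "effect": "allow"},
    ],
}

NO_ACCESS_PROD = {
    "name": "no-access-prod",
    "policy": [{"action": "environments:AccessEnvironment",
                "resource": "environments:environment/prod-*", "effect": "deny"}],
}

# Abridged: only the environment statements of us-dev-access are kept here.
US_DEV_ACCESS = {
    "name": "us-dev-access",
    "policy": [
        {"action": ["environments:Get*", "environments:List*"],
         "resource": "environments:*", "effect": "allow"},
        {"action": "environments:AccessEnvironment",
         "resource": "environments:environment/us-dev", "effect": "allow"},
    ],
}


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters (including '/'); all else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    # Policies write a single action/resource as a scalar and several as a list.
    return value if isinstance(value, list) else [value]


def matching_statements(roles, action, resource):
    """Every (role name, effect) whose action AND resource patterns both match.

    Useful when auditing: it answers 'which statement granted this?'."""
    hits = []
    for role in roles:
        for stmt in role["policy"]:
            action_ok = any(glob_match(a, action) for a in _as_list(stmt["action"]))
            resource_ok = any(glob_match(r, resource) for r in _as_list(stmt["resource"]))
            if action_ok and resource_ok:
                hits.append((role["name"], stmt["effect"]))
    return hits


def evaluate(roles, action, resource):
    """'deny' if any matching statement denies, 'allow' if any allows, else 'implicit-deny'."""
    effects = {effect for _, effect in matching_statements(roles, action, resource)}
    if "deny" in effects:
        return "deny"
    if "allow" in effects:
        return "allow"
    return "implicit-deny"


if __name__ == "__main__":
    # Constructed requests: an admin who also carries the no-access-prod role,
    # and an explorer trying a write it was never granted.
    checks = [
        ([ADMIN, NO_ACCESS_PROD], "environments:AccessEnvironment", "environments:environment/prod-eu"),
        ([ADMIN, NO_ACCESS_PROD], "environments:AccessEnvironment", "environments:environment/us-dev"),
        ([PUBLIC_DATA_EXPLORER], "kafka:ReadTopicData", "kafka:topic/global-1/kafka/la-events"),
        ([PUBLIC_DATA_EXPLORER], "kafka:DeleteTopic", "kafka:topic/global-1/kafka/la-events"),
        ([US_DEV_ACCESS], "environments:AccessEnvironment", "environments:environment/us-prod"),
    ]
    for roles, action, resource in checks:
        names = "+".join(r["name"] for r in roles)
        print(f"{names:40} {action:35} {resource:50} -> {evaluate(roles, action, resource)}")
```

The second column of `matching_statements` is what you would inspect during a permission review: a prod request hitting both `administrator: allow` and `no-access-prod: deny` shows the explicit deny doing its job, while a request with no hits at all is a gap in the allow list rather than a deliberate block.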