ProductsDownload Community Edition

Example Policies

This section provides example IAM policies for Lenses.

These are only some sample policies to help you build your own

Admin

Full admin across all resources.

role
name: administrator
policy:
  - action: '*'
    resource: '*'
    effect: allow

Full access for data namespace

Allow full access for all services and resources beginning with blue.

role
name: blue-things
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:*/*/blue-*
      - kafka:consumer-group:*/*/blue-*
      - kafka:acl:*/*/*/user/blue-*
      - schemas:schema:*/*/blue-*
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/blue-*
      - sql-streaming:processor:*/*/*/blue-*
      - kubernetes:cluster:*/*
      - kubernetes:namespace:*/*/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert:*/*/blue-*
      - alerts:event:*/*/*
      - data-policies:policy:*/blue-*
    effect: allow

Explore a data namespace

Allow read only access for topics and schemas beginning with la.

role
name: public-data-explorer
policy:
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:environment:global*
    effect: allow
  - action:
      - kafka:ListTopics
      - kafka:ListTopicDependants
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
    resource: kafka:topic:*/kafka/la-*
    effect: allow
  - action:
      - schemas:ListSchemas
      - schemas:ListSchemaDependants
      - schemas:GetSchemaDetails
    resource: schemas:schema:*/*/la-*
    effect: allow

Connect Operator

Allow operators to restart connectors and list & get IAM resource only.

No access to data!

role
name: global-connector-operator
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka-connect:List*
      - kafka-connect:GetClusterDetails
      - kafka-connect:GetConnectorDetails
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
    resource:
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/*
    effect: allow

Explicit no access to production

Explicitly deny access to environments with names starting with prod-.

roles
name: no-access-prod-name-prefix
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment:prod-*
    effect: deny

Developer access

Allow developers access to topics, schemas, sql processors, consumer groups, acls, quotas, connectors for us-dev.

role
name: us-dev-permissions
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment:us-dev
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:us-dev/*
      - kafka:consumer-group:us-dev/*
      - kafka:acl:us-dev/*
      - kafka:quota:us-dev/*
      - schemas:schema:us-dev/*
      - kafka-connect:cluster:us-dev/*
      - kafka-connect:connector:us-dev/*
      - sql-streaming:sql-processor:us-dev/*
      - kubernetes:cluster:us-dev/*
      - kubernetes:namespace:us-dev/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:channel:us-dev/*
      - alerts:event:us-dev/*
      - alerts:rule:us-dev/*
      - data-policies:policy:us-dev/*
    effect: allow
PreviousIAM ReferenceNextTopics

Last updated

Was this helpful?