Example Policies

This section provides example IAM policies for Lenses.

These are only some same policies to help you build your own

Admin

Full admin across all resources.

role

Full access for data namespace

Allow full access for all services and resources beginning with blue.

role

Explore a data namespace

Allow read only access for topics and schemas beginning with la.

role

Connect Operator

Allow operators to restart connectors and list & get IAM resource only.

No access to data!

role

Explicit no access to production

Explicitly deny access to a production environment.

roles

Developer access

Allow developers access to topics, schemas, sql processors, consumer groups, acls, quotas, connectors for us-dev.

role

PreviousIAM Reference NextTopics

Last updated 14 days ago

Resources

Privacy Cookies Terms & Conditions Community EULA

2024 © Lenses.io Ltd. Apache, Apache Kafka, Kafka and associated open source project names are trademarks of the Apache Software Foundation.

These are only some same policies to help you build your own

Admin

Full admin across all resources.

role

Full access for data namespace

Allow full access for all services and resources beginning with blue.

role

Explore a data namespace

Allow read only access for topics and schemas beginning with la.

role

Connect Operator

Allow operators to restart connectors and list & get IAM resource only.

No access to data!

role

name: global-connector-operator
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka-connect:List*
      - kafka-connect:GetClusterDetails
      - kafka-connect:GetConnectorDetails
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
    resource:
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/*
    effect: allow

Explicit no access to production

Explicitly deny access to a production environment.

roles

name: no-access-prod
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment:prod-*
    effect: deny

Developer access

Allow developers access to topics, schemas, sql processors, consumer groups, acls, quotas, connectors for us-dev.

role

name: us-dev-access
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment:us-dev
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic/us-dev/*
      - kafka:consumer-group/us-dev/*
      - kafka:acl/us-dev/*
      - kafka:quota/us-dev/*
      - schemas:schema/us-dev/*
      - kafka-connect:cluster/us-dev/*
      - kafka-connect:connector/us-dev/*
      - sql-streaming:processor/us-dev/*
      - kubernetes:cluster/us-dev/*
      - kubernetes:namespace/us-dev/*/*
      - applications:external-application/us-dev/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert/us-dev/*
      - alerts:alert-event/us-dev/*
      - data-policies:policy/us-dev/*
    effect: allow

name: blue-things
policy:
  - action:
      - iam:List*
      - iam:Get*
    resource: iam:*
    effect: allow
  - action:
      - environments:Get*
      - environments:List*
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  - action:
      - kafka:*
      - schemas:*
      - kafka-connect:*
      - kubernetes:*
      - applications:*
    resource:
      - kafka:topic:*/*/blue-*
      - kafka:consumer-group:*/*/blue-*
      - kafka:acl:*/*/*/user/blue-*
      - schemas:schema:*/*/blue-*
      - kafka-connect:cluster:*/*
      - kafka-connect:connector:*/*/blue-*
      - sql-streaming:processor:*/*/*/blue-*
      - kubernetes:cluster:*/*
      - kubernetes:namespace:*/*/*
    effect: allow
  - action:
      - alerts:*
      - data-policies:*
    resource:
      - alerts:alert:*/*/blue-*
      - alerts:alert-event:*/*/*
      - data-policies:policy:*/blue-*
    effect: allow

name: public-data-explorer
policy:
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:environment:global*
    effect: allow
  - action:
      - kafka:ListTopics
      - kafka:ListTopicDependants
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
    resource: kafka:topic:*/kafka/la-*
    effect: allow
  - action:
      - schemas:ListSchemas
      - schemas:ListSchemaDependants
      - schemas:GetSchemaDetails
    resource: schemas:schema:*/*/la-*
    effect: allow