Document required AWS Permissions for `AWSKafkaAvroSerDe`
er1c opened this issue · 3 comments
I don't really want to play a game of whack-a-mole, can you list all of the required AWS Permissions for `AWSKafkaAvroSerDe`?
```
Dec 01 10:50:02 ecs-fargate svc-financial-line-item Caused by: software.amazon.awssdk.services.glue.model.AccessDeniedException: User: arn:aws:sts::1234:assumed-role/stuff is not authorized to perform: glue:GetSchemaVersion because no identity-based policy allows the glue:GetSchemaVersion action (Service: Glue, Status Code: 400, Request ID)
```
Are there others?
+1
```
Caused by: software.amazon.awssdk.services.glue.model.AccessDeniedException: User: arn:aws:sts::1234:assumed-role/even-service/1234 is not authorized to perform: glue:GetSchemaByDefinition on resource: arn:aws:glue:us-east-1:12233:registry/kafka-connect-dev-keys because no identity-based policy allows the glue:GetSchemaByDefinition action (Service: Glue, Status Code: 400, Request ID: foo)
```
We have an `AWSGlueSchemaRegistryFullAccess` managed policy that contains all the necessary permissions. If you find it over-permissive, you can create a customer-managed policy from it and remove unnecessary permissions.
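For anyone trimming the managed policy down, the following is an added example (not part of this thread and not code from the project) that collects the `AccessDeniedException` lines a service has logged and drafts a policy from them. It covers only the actions actually observed in the log, which is not a full list of what the library needs; the sample log is constructed from the two errors quoted above, and the function names and the `UNSCOPED` placeholder are hypothetical.

```python
import json
import re
from collections import defaultdict

# Matches the AccessDeniedException text shown in this thread, with or
# without the optional "on resource: <arn>" clause.
DENIED = re.compile(
    r"is not authorized to perform: (?P<action>[a-z0-9-]+:[A-Za-z0-9]+)"
    r"(?: on resource: (?P<resource>arn:\S+))?"
)

# Hypothetical placeholder. Deliberately not a valid ARN, so the draft is
# rejected by IAM until a reviewer scopes the statement to a real resource.
UNSCOPED = "<SCOPE-ME>"

# Constructed sample input, modelled on the two errors quoted in this thread.
SAMPLE_LOG = """\
Caused by: software.amazon.awssdk.services.glue.model.AccessDeniedException: User: arn:aws:sts::1234:assumed-role/stuff is not authorized to perform: glue:GetSchemaVersion because no identity-based policy allows the glue:GetSchemaVersion action (Service: Glue, Status Code: 400)
Caused by: software.amazon.awssdk.services.glue.model.AccessDeniedException: User: arn:aws:sts::1234:assumed-role/even-service/1234 is not authorized to perform: glue:GetSchemaByDefinition on resource: arn:aws:glue:us-east-1:12233:registry/kafka-connect-dev-keys because no identity-based policy allows the glue:GetSchemaByDefinition action (Service: Glue, Status Code: 400)
"""


def denied_actions(log_text):
    """Return {resource ARN, or None if the error named none: sorted actions}."""
    found = defaultdict(set)
    for match in DENIED.finditer(log_text):
        found[match.group("resource")].add(match.group("action"))
    return {resource: sorted(actions) for resource, actions in found.items()}


def draft_policy(log_text):
    """Build a draft identity-based policy from the denials seen so far."""
    grouped = denied_actions(log_text)
    statements = []
    # Unscoped statements sort first so they are the first thing reviewed.
    for resource in sorted(grouped, key=lambda r: r or ""):
        statements.append({
            "Effect": "Allow",
            "Action": grouped[resource],
            "Resource": resource or UNSCOPED,
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(draft_policy(SAMPLE_LOG), indent=2))
```
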