From 82b5166b4e8eff945373083b94e96b944eda6176 Mon Sep 17 00:00:00 2001 From: Shaun Struwig <41984034+Blargian@users.noreply.github.com> Date: Wed, 24 Sep 2025 17:41:11 +0200 Subject: [PATCH 1/3] Update secure-kinesis.md to address feedback --- .../clickpipes/secure-kinesis.md | 106 ++++++++---------- 1 file changed, 45 insertions(+), 61 deletions(-) diff --git a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md index 2e6426e2cd5..682957ebbaf 100644 --- a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md +++ b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md @@ -12,6 +12,12 @@ import Image from '@theme/IdealImage'; This article demonstrates how ClickPipes customers can leverage role-based access to authenticate with Amazon Kinesis and access their data streams securely. +## Prerequisites + +To follow this guide, you will need: +- An active ClickHouse Cloud service +- An AWS account + ## Introduction {#introduction} Before diving into the setup for secure Kinesis access, it's important to understand the mechanism. Here's an overview of how ClickPipes can access Amazon Kinesis streams by assuming a role within customers' AWS accounts. @@ -22,17 +28,15 @@ Using this approach, customers can manage all access to their Kinesis data strea ## Setup {#setup} -### Obtaining the ClickHouse service IAM role Arn {#obtaining-the-clickhouse-service-iam-role-arn} - -1 - Login to your ClickHouse cloud account. + -2 - Select the ClickHouse service you want to create the integration - -3 - Select the **Settings** tab - -4 - Scroll down to the **Network security information** section at the bottom of the page +### Obtaining the ClickHouse service IAM role Arn {#obtaining-the-clickhouse-service-iam-role-arn} -5 - Copy the **Service role ID (IAM)** value belong to the service as shown below. +- 1. Login to your ClickHouse cloud account. +- 2. Select the ClickHouse service you want to create the integration +- 3. Select the **Settings** tab +- 4. Scroll down to the **Network security information** section at the bottom of the page +- 5. Copy the **Service role ID (IAM)** value belong to the service as shown below. Secure S3 ARN @@ -40,74 +44,54 @@ Using this approach, customers can manage all access to their Kinesis data strea #### Manually create IAM role. {#manually-create-iam-role} -1 - Login to your AWS Account in the web browser with an IAM user that has permission to create & manage IAM role. - -2 - Browse to IAM Service Console +- 1. Login to your AWS Account in the web browser with an IAM user that has permission to create & manage IAM role. +- 2. Browse to IAM Service Console +- 3. Create a new IAM role with Trusted Entity Type of `AWS account`. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work. -3 - Create a new IAM role with the following IAM & Trust policy. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work. - -Trust policy (Please replace `{ClickHouse_IAM_ARN}` with the IAM Role arn belong to your ClickHouse instance): +For the trust policy, please replace `{ClickHouse_IAM_ARN}` with the IAM Role arn belong to your ClickHouse instance. +For the IAM policy, please replace `{STREAM_NAME}` with your Kinesis stream name. ```json { "Version": "2012-10-17", "Statement": [ { + "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "{ClickHouse_IAM_ARN}" }, "Action": "sts:AssumeRole" + }, + { + "Action": [ + "kinesis:DescribeStream", + "kinesis:GetShardIterator", + "kinesis:GetRecords", + "kinesis:ListShards", + "kinesis:SubscribeToShard", + "kinesis:DescribeStreamConsumer", + "kinesis:RegisterStreamConsumer", + "kinesis:DeregisterStreamConsumer", + "kinesis:ListStreamConsumers" + ], + "Resource": [ + "arn:aws:kinesis:region:account-id:stream/{STREAM_NAME}/*" + ], + "Effect": "Allow" + }, + { + "Action": [ + "kinesis:ListStreams" + ], + "Resource": "*", + "Effect": "Allow" } ] } -``` -IAM policy (Please replace `{STREAM_NAME}` with your Kinesis stream name): + -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "kinesis:DescribeStream", - "kinesis:GetShardIterator", - "kinesis:GetRecords", - "kinesis:ListShards", - "kinesis:SubscribeToShard", - "kinesis:DescribeStreamConsumer", - "kinesis:RegisterStreamConsumer", - "kinesis:DeregisterStreamConsumer", - "kinesis:ListStreamConsumers" - ], - "Resource": [ - "arn:aws:kinesis:region:account-id:stream/{STREAM_NAME}" - ], - "Effect": "Allow" - }, - { - "Action": [ - "kinesis:SubscribeToShard", - "kinesis:DescribeStreamConsumer", - "kinesis:RegisterStreamConsumer", - "kinesis:DeregisterStreamConsumer" - ], - "Resource": [ - "arn:aws:kinesis:region:account-id:stream/{STREAM_NAME}/*" - ], - "Effect": "Allow" - }, - { - "Action": [ - "kinesis:ListStreams" - ], - "Resource": "*", - "Effect": "Allow" - } - ] - -} ``` -4 - Copy the new **IAM Role Arn** after creation. This is what needed to access your Kinesis stream. + - 4. Copy the new **IAM Role Arn** after creation. This is what is needed to access your Kinesis stream. From c88034ca72d13eb10365a02b6cde21e03a0706e6 Mon Sep 17 00:00:00 2001 From: Shaun Struwig <41984034+Blargian@users.noreply.github.com> Date: Tue, 30 Sep 2025 11:36:28 +0200 Subject: [PATCH 2/3] fix markdown linter --- docs/integrations/data-ingestion/clickpipes/secure-kinesis.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md index 682957ebbaf..92f3b58696f 100644 --- a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md +++ b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md @@ -4,6 +4,7 @@ sidebar_label: 'Kinesis Role-Based Access' title: 'Kinesis Role-Based Access' description: 'This article demonstrates how ClickPipes customers can leverage role-based access to authenticate with Amazon Kinesis and access their data streams securely.' doc_type: 'guide' +keywords: ['Amazon Kinesis'] --- import secure_kinesis from '@site/static/images/integrations/data-ingestion/clickpipes/securekinesis.jpg'; @@ -12,7 +13,7 @@ import Image from '@theme/IdealImage'; This article demonstrates how ClickPipes customers can leverage role-based access to authenticate with Amazon Kinesis and access their data streams securely. -## Prerequisites +## Prerequisites {#prerequisite} To follow this guide, you will need: - An active ClickHouse Cloud service From 889a1f9ed49990a5d32c4013c3a38ddace938694 Mon Sep 17 00:00:00 2001 From: Shaun Struwig <41984034+Blargian@users.noreply.github.com> Date: Tue, 30 Sep 2025 16:31:52 +0200 Subject: [PATCH 3/3] fix indent --- docs/integrations/data-ingestion/clickpipes/secure-kinesis.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md index 92f3b58696f..92f9f7fae2b 100644 --- a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md +++ b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md @@ -95,4 +95,4 @@ For the IAM policy, please replace `{STREAM_NAME}` with your Kinesis stream name ``` - - 4. Copy the new **IAM Role Arn** after creation. This is what is needed to access your Kinesis stream. +- 4. Copy the new **IAM Role Arn** after creation. This is what is needed to access your Kinesis stream.