From 038896f8846f247490d341889677f8cc692e9bc3 Mon Sep 17 00:00:00 2001
From: tpanetti
Date: Wed, 29 Oct 2025 16:24:47 -0700
Subject: [PATCH 1/4] Cleanup kinesis iam role for clickpipes
---
.../clickpipes/secure-kinesis.md | 111 +++++++++++-------
1 file changed, 66 insertions(+), 45 deletions(-)
diff --git a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md
index 92f9f7fae2b..0c05395a29d 100644
--- a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md
+++ b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md
@@ -49,50 +49,71 @@ Using this approach, customers can manage all access to their Kinesis data strea - 2. Browse to IAM Service Console - 3. Create a new IAM role with Trusted Entity Type of `AWS account`. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work. -For the trust policy, please replace `{ClickHouse_IAM_ARN}` with the IAM Role arn belong to your ClickHouse instance. -For the IAM policy, please replace `{STREAM_NAME}` with your Kinesis stream name. - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Principal": { - "AWS": "{ClickHouse_IAM_ARN}" - }, - "Action": "sts:AssumeRole" - }, - { - "Action": [ - "kinesis:DescribeStream", - "kinesis:GetShardIterator", - "kinesis:GetRecords", - "kinesis:ListShards", - "kinesis:SubscribeToShard", - "kinesis:DescribeStreamConsumer", - "kinesis:RegisterStreamConsumer", - "kinesis:DeregisterStreamConsumer", - "kinesis:ListStreamConsumers" - ], - "Resource": [ - "arn:aws:kinesis:region:account-id:stream/{STREAM_NAME}/*" - ], - "Effect": "Allow" - }, - { - "Action": [ - "kinesis:ListStreams" - ], - "Resource": "*", - "Effect": "Allow" - } - ] -} - - - -``` + #### i. Configure the Trust Policy + + The trust policy allows the ClickHouse IAM role to assume this role. Replace `{ClickHouse_IAM_ARN}` with the IAM Role ARN from your ClickHouse service (obtained in the previous step). + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "{ClickHouse_IAM_ARN}" + }, + "Action": "sts:AssumeRole" + } + ] + } + ``` + + #### ii. Configure the Permission Policy + + The permission policy grants access to your Kinesis stream. 
Replace the following placeholders: + - `{REGION}`: Your AWS region (e.g., `us-east-1`) + - `{ACCOUNT_ID}`: Your AWS account ID + - `{STREAM_NAME}`: Your Kinesis stream name + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "kinesis:DescribeStream", + "kinesis:GetShardIterator", + "kinesis:GetRecords", + "kinesis:ListShards", + "kinesis:RegisterStreamConsumer", + "kinesis:DeregisterStreamConsumer", + "kinesis:ListStreamConsumers" + ], + "Resource": [ + "arn:aws:kinesis:{REGION}:{ACCOUNT_ID}:stream/{STREAM_NAME}" + ] + }, + { + "Effect": "Allow", + "Action": [ + "kinesis:SubscribeToShard", + "kinesis:DescribeStreamConsumer" + ], + "Resource": [ + "arn:aws:kinesis:{REGION}:{ACCOUNT_ID}:stream/{STREAM_NAME}/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "kinesis:ListStreams" + ], + "Resource": "*" + } + ] + } + ``` - 4. Copy the new **IAM Role Arn** after creation. This is what is needed to access your Kinesis stream. + From 5efb8704499cc506e9755d644ecc569879fb98f0 Mon Sep 17 00:00:00 2001 From: tpanetti Date: Wed, 29 Oct 2025 16:36:02 -0700 Subject: [PATCH 2/4] linting --- .../data-ingestion/clickpipes/secure-kinesis.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md index 0c05395a29d..4551bfac7bb 100644 --- a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md +++ b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md 
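Review bot: In PATCH 1/4's new permission policy, the second statement's `arn:aws:kinesis:{REGION}:{ACCOUNT_ID}:stream/{STREAM_NAME}/*` and the third statement's `"Resource": "*"` are given without explanation, so a reader auditing the role for least privilege cannot tell which wildcard is required and which could be narrowed. Consider adding a sentence under the JSON block such as `The /* resource matches the consumers registered on the stream, and kinesis:ListStreams is granted on * because it cannot be scoped to a single stream.` If only consumer ARNs need to match, `stream/{STREAM_NAME}/consumer/*` would state that intent more precisely; I have not verified this against ClickPipes' behaviour, so it needs confirming before it goes into the doc. The trust-policy paragraph could also say that `{ClickHouse_IAM_ARN}` must be the exact role ARN rather than an account-level principal, since no `Condition` is shown and that value is the only thing limiting who can assume the role.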
@@ -49,7 +49,7 @@ Using this approach, customers can manage all access to their Kinesis data strea - 2. Browse to IAM Service Console - 3. Create a new IAM role with Trusted Entity Type of `AWS account`. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work. - #### i. Configure the Trust Policy + #### i. Configure the Trust Policy {#configure-trust-policy} The trust policy allows the ClickHouse IAM role to assume this role. Replace `{ClickHouse_IAM_ARN}` with the IAM Role ARN from your ClickHouse service (obtained in the previous step). @@ -68,12 +68,12 @@ Using this approach, customers can manage all access to their Kinesis data strea } ``` - #### ii. Configure the Permission Policy + #### ii. Configure the Permission Policy {#configure-permission-policy} The permission policy grants access to your Kinesis stream. Replace the following placeholders: - - `{REGION}`: Your AWS region (e.g., `us-east-1`) - - `{ACCOUNT_ID}`: Your AWS account ID - - `{STREAM_NAME}`: Your Kinesis stream name + - `{REGION}`: Your AWS region (e.g., `us-east-1`) + - `{ACCOUNT_ID}`: Your AWS account ID + - `{STREAM_NAME}`: Your Kinesis stream name ```json { From 17002137cf73d5fda986ce6fab2528cea4e83982 Mon Sep 17 00:00:00 2001 From: tpanetti Date: Wed, 29 Oct 2025 19:42:03 -0700 Subject: [PATCH 3/4] Change heading to bold instead for acorn parsing --- docs/integrations/data-ingestion/clickpipes/secure-kinesis.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md index 4551bfac7bb..37fa8f17e97 100644 --- a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md +++ b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md 
@@ -49,7 +49,7 @@ Using this approach, customers can manage all access to their Kinesis data strea - 2. Browse to IAM Service Console - 3. Create a new IAM role with Trusted Entity Type of `AWS account`. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work. - #### i. Configure the Trust Policy {#configure-trust-policy} + **i. Configure the Trust Policy** The trust policy allows the ClickHouse IAM role to assume this role. Replace `{ClickHouse_IAM_ARN}` with the IAM Role ARN from your ClickHouse service (obtained in the previous step). @@ -68,7 +68,7 @@ Using this approach, customers can manage all access to their Kinesis data strea } ``` - #### ii. Configure the Permission Policy {#configure-permission-policy} + **ii. Configure the Permission Policy** The permission policy grants access to your Kinesis stream. Replace the following placeholders: - `{REGION}`: Your AWS region (e.g., `us-east-1`) From 0ebcad5306ca0b909dfa3e3c9275d9707c5b2c3c Mon Sep 17 00:00:00 2001 From: tpanetti Date: Wed, 29 Oct 2025 19:55:42 -0700 Subject: [PATCH 4/4] unused tag --- docs/integrations/data-ingestion/clickpipes/secure-kinesis.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md index 37fa8f17e97..d0fd6ae273f 100644 --- a/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md +++ b/docs/integrations/data-ingestion/clickpipes/secure-kinesis.md @@ -116,4 +116,3 @@ Using this approach, customers can manage all access to their Kinesis data strea ``` - 4. Copy the new **IAM Role Arn** after creation. This is what is needed to access your Kinesis stream. -