Skip to content

Cleanup kinesis iam role for clickpipes #4667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 30, 2025
Merged

Cleanup kinesis iam role for clickpipes #4667

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
038896f
Cleanup kinesis iam role for clickpipes
tpanetti Oct 29, 2025
5efb870
linting
tpanetti Oct 29, 2025
1700213
Change heading to bold instead for acorn parsing
tpanetti Oct 30, 2025
0ebcad5
unused tag
tpanetti Oct 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
110 changes: 65 additions & 45 deletions docs/integrations/data-ingestion/clickpipes/secure-kinesis.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,50 +49,70 @@ Using this approach, customers can manage all access to their Kinesis data strea
- 2. Browse to IAM Service Console
- 3. Create a new IAM role with Trusted Entity Type of `AWS account`. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work.

For the trust policy, please replace `{ClickHouse_IAM_ARN}` with the IAM Role arn belong to your ClickHouse instance.
For the IAM policy, please replace `{STREAM_NAME}` with your Kinesis stream name.

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "{ClickHouse_IAM_ARN}"
},
"Action": "sts:AssumeRole"
},
{
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards",
"kinesis:SubscribeToShard",
"kinesis:DescribeStreamConsumer",
"kinesis:RegisterStreamConsumer",
"kinesis:DeregisterStreamConsumer",
"kinesis:ListStreamConsumers"
],
"Resource": [
"arn:aws:kinesis:region:account-id:stream/{STREAM_NAME}/*"
],
"Effect": "Allow"
},
{
"Action": [
"kinesis:ListStreams"
],
"Resource": "*",
"Effect": "Allow"
}
]
}

</VerticalStepper>

```
**i. Configure the Trust Policy**

The trust policy allows the ClickHouse IAM role to assume this role. Replace `{ClickHouse_IAM_ARN}` with the IAM Role ARN from your ClickHouse service (obtained in the previous step).

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "{ClickHouse_IAM_ARN}"
},
"Action": "sts:AssumeRole"
}
]
}
```

**ii. Configure the Permission Policy**

The permission policy grants access to your Kinesis stream. Replace the following placeholders:
- `{REGION}`: Your AWS region (e.g., `us-east-1`)
- `{ACCOUNT_ID}`: Your AWS account ID
- `{STREAM_NAME}`: Your Kinesis stream name

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards",
"kinesis:RegisterStreamConsumer",
"kinesis:DeregisterStreamConsumer",
"kinesis:ListStreamConsumers"
],
"Resource": [
"arn:aws:kinesis:{REGION}:{ACCOUNT_ID}:stream/{STREAM_NAME}"
]
},
{
"Effect": "Allow",
"Action": [
"kinesis:SubscribeToShard",
"kinesis:DescribeStreamConsumer"
],
"Resource": [
"arn:aws:kinesis:{REGION}:{ACCOUNT_ID}:stream/{STREAM_NAME}/*"
]
},
{
"Effect": "Allow",
"Action": [
"kinesis:ListStreams"
],
"Resource": "*"
}
]
}
```

- 4. Copy the new **IAM Role Arn** after creation. This is what is needed to access your Kinesis stream.