GetSchemaVersionRequest in AWSSchemaRegistryClient does not specify a registry name #68
Comments
Edited - Reviewing the document now, it says that "You can limit the registries that can read by using the Resource clause. But if access to all registries is required then it can be achieved by specifying "*" for the appropriate portions of the ARN." https://docs.aws.amazon.com/glue/latest/dg/schema-registry-gs.html#schema-registry-gs1b
Is specifying the registry ARN not working? |
Is this something that could be fixed? Why does getSchemaVersion require access to everything? |
Oops, updated my comment after reviewing the document closely. |
No. So every other permission I can set to point only to the specific registry, but for getSchemaVersion it throws an authentication error if I set the registry name. |
Can you please paste the error here? I will check my resources and get back on this. |
So initially I used the following policy
I get the following error |
Once I change it to
it works |
I confirmed within the team that this is a known issue. We will look into this, and it will require some work. |
Thanks a lot! |
@mohitpali Any updates on this one? |
We are looking into this and unfortunately this would require some work. We will work on prioritizing this but we don't have a timeline as of now. As a workaround, you could continue using * permissions. |
@mohitpali Can you take a look at this patch? 0001-Don-t-use-GetSchemaVersion-with-the-schema-version-i.patch.gz |
Actually I came up with another idea to include the version number in the Kafka messages. |
Sorry we couldn't get to this, we will prioritize this against our existing backlog items. |
I'm experiencing the same behavior. Is this issue still not resolved? |
We are experiencing the same issue! Unfortunately we cannot specify a * resource. |
+1 |
+1 |
+1 |
Seriously, this is needed. I thought AWS was a security-first organization? Simply telling customers to use * for reading any and all schemas / data contracts isn't an acceptable solution. |
+1 |
Wow, still not fixed after 3+ years, and it's a security issue. Anyway, issues here are very helpful when other folks run into the same issue. |
+1 this should be fixed |
Hey guys - same problem encountered during integration of the Glue Schema Registry, where we wanted to apply least privilege for the job principal... Exception:
Only workaround so far (Terraform in our case): As mentioned above already, we would be more than happy if this can be fixed, maybe in 2024 😄 |
Hi.
I've been trying to figure out the minimum permissions required to set up Glue Schema Registry-based serialization/deserialization (Avro) as we consume/produce events to Kafka.
I realized through line-by-line debugging that the GetSchemaVersionRequest does not specify a registry name (https://github.com/awslabs/aws-glue-schema-registry/blob/master/common/src/main/java/com/amazonaws/services/schemaregistry/common/AWSSchemaRegistryClient.java#L222). This requires me to add the following wide permissions for my application to work.
I would like to instead just give such permission to the specific registry I am using right now.
Is it possible to specify a registry name in this request?
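The scoping problem this issue describes, as an added example that is not part of the issue thread or of aws-glue-schema-registry: a small Python model of IAM resource matching run against the two policy shapes the thread contrasts, the fully registry-scoped policy that fails and the workaround that splits glue:GetSchemaVersion out under Resource "*". The account id, region, registry and schema names and the list of other actions are placeholders (the issue does not list the serializer's full action set), and the evaluator is a simplification (IAM-style wildcard matching plus explicit-deny precedence). Its treatment of a GetSchemaVersion-by-SchemaVersionId request as carrying no resource a scoped pattern can match is an assumption made to reproduce the behaviour reported above, not a description of how AWS evaluates the real call.

```python
"""Simplified model of IAM resource scoping for the calls a Glue Schema
Registry client makes. Added example: NOT the AWS evaluator and NOT code
from aws-glue-schema-registry. Region, account id, registry name, schema
name and the SCOPED_ACTIONS list are placeholders."""
import re
from typing import Optional

# Placeholder identifiers (assumed for the example, not from the issue).
REGION = "eu-west-1"
ACCOUNT = "123456789012"
REGISTRY = "orders-registry"
REGISTRY_ARN = f"arn:aws:glue:{REGION}:{ACCOUNT}:registry/{REGISTRY}"
SCHEMA_ARN_PATTERN = f"arn:aws:glue:{REGION}:{ACCOUNT}:schema/{REGISTRY}/*"
ORDER_SCHEMA_ARN = f"arn:aws:glue:{REGION}:{ACCOUNT}:schema/{REGISTRY}/order-created"

# Other actions the client needs; illustrative, the issue does not list them.
SCOPED_ACTIONS = ["glue:GetSchemaByDefinition", "glue:RegisterSchemaVersion"]

# First attempt from the thread: every action, GetSchemaVersion included,
# restricted to one registry and the schemas under it.
REGISTRY_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": SCOPED_ACTIONS + ["glue:GetSchemaVersion"],
            "Resource": [REGISTRY_ARN, SCHEMA_ARN_PATTERN],
        }
    ],
}

# Workaround the thread ends up with: GetSchemaVersion in its own statement
# with Resource "*", everything else still scoped to the registry.
WORKAROUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": SCOPED_ACTIONS,
            "Resource": [REGISTRY_ARN, SCHEMA_ARN_PATTERN],
        },
        {"Effect": "Allow", "Action": "glue:GetSchemaVersion", "Resource": "*"},
    ],
}


def _iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: Optional[str]) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    resource=None models a request such as GetSchemaVersion by
    SchemaVersionId, where the client sends no registry or schema the
    service could turn into an ARN. In this model only a Resource of "*"
    matches such a request. That is an assumption chosen to reproduce the
    behaviour reported in the issue, not how AWS implements it.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if not any(_iam_match(a, action, ignore_case=True) for a in actions):
            continue
        resources = _as_list(stmt["Resource"])
        if resource is None:
            matched = "*" in resources
        else:
            matched = any(_iam_match(r, resource) for r in resources)
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def serializer_decisions(policy: dict) -> dict:
    """Decisions for the three calls a serialize/deserialize round trip
    makes in this model; the lookup by SchemaVersionId carries no ARN."""
    return {
        "RegisterSchemaVersion": evaluate(policy, "glue:RegisterSchemaVersion", ORDER_SCHEMA_ARN),
        "GetSchemaByDefinition": evaluate(policy, "glue:GetSchemaByDefinition", ORDER_SCHEMA_ARN),
        "GetSchemaVersion": evaluate(policy, "glue:GetSchemaVersion", None),
    }


if __name__ == "__main__":
    for name, policy in [("registry-scoped", REGISTRY_SCOPED_POLICY),
                         ("workaround", WORKAROUND_POLICY)]:
        print(name, serializer_decisions(policy))
```

Running the file shows the registry-scoped policy allowing the two ARN-bearing calls and implicitly denying GetSchemaVersion, and the workaround allowing all three. The model also makes the residual exposure explicit: under the workaround, GetSchemaVersion is readable for every registry in the account, which is exactly the gap the thread objects to, while keeping the other actions scoped at least confines writes (RegisterSchemaVersion) to the intended registry.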