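As mentioned in the comments above, this error occurs when you are missing the AWS resource permissions required by the Kinesis Client Library (KCL). This could be DynamoDB, CloudWatch, or Kinesis. For Snowplow's Stream Enrich component, you need the following permissions:
- Read permission on the input Kinesis stream (collector good)
- Write permission on the output Kinesis streams (enrich good and enrich bad)
- List permission on Kinesis streams
- Read/write/create permission on the DynamoDB state table (the table name is the value of "appName" in Stream Enrich's application.conf)
- PutMetricData to CloudWatch
A templated version of an IAM policy that matches these requirements is as follows: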
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStream",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords",
        "kinesis:ListShards"
      ],
      "Resource": [
        "${collector_stream_out_good}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:ListStreams"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStream",
        "kinesis:PutRecord",
        "kinesis:PutRecords"
      ],
      "Resource": [
        "${enricher_stream_out_good}",
        "${enricher_stream_out_bad}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable",
        "dynamodb:Scan",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": [
        "${enricher_state_table}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    }
  ]
}
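I have written a blog post that covers the IAM permissions required for Stream Enrich and other Snowplow components, because explanations of the exact permissions required are sparse or non-existent in the Snowplow documentation.
Hope this helps!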
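
Added example (not part of the original answer or Snowplow's code): a Python check that reports which of the permissions in the template above a given IAM policy document fails to grant for Stream Enrich. The account id, region and resource names are constructed placeholders, and Deny statements and Condition keys are not evaluated.

```python
import re

# Actions per resource role, copied from the policy template in the answer above.
REQUIRED = {
    "input": ["kinesis:DescribeStream", "kinesis:GetShardIterator",
              "kinesis:GetRecords", "kinesis:ListShards"],
    "output": ["kinesis:DescribeStream", "kinesis:PutRecord", "kinesis:PutRecords"],
    "table": ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:Scan",
              "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
              "dynamodb:DeleteItem"],
    "any": ["kinesis:ListStreams", "cloudwatch:PutMetricData"],
}

def _match(pattern, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags) is not None

def _listify(x):
    return [x] if isinstance(x, (str, dict)) else list(x)

def allowed(policy, action, resource):
    """True if an Allow statement covers the pair (Deny and Condition not evaluated)."""
    for st in _listify(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow"
                and any(_match(a, action, re.I) for a in _listify(st.get("Action", [])))
                and any(_match(r, resource) for r in _listify(st.get("Resource", [])))):
            return True
    return False

def missing_permissions(policy, arns):
    """arns maps each role in REQUIRED to the ARNs it applies to ('any' -> ['*'])."""
    return sorted((a, r) for role, actions in REQUIRED.items()
                  for r in arns[role] for a in actions if not allowed(policy, a, r))

# Constructed sample: placeholder account id and resource names, not from the page.
BASE = "arn:aws:kinesis:us-east-1:111122223333:stream/"
ARNS = {"input": [BASE + "collector-good"], "any": ["*"],
        "output": [BASE + "enrich-good", BASE + "enrich-bad"],
        "table": ["arn:aws:dynamodb:us-east-1:111122223333:table/enrich-app"]}
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kinesis:Get*", "kinesis:DescribeStream",
                                   "kinesis:ListShards"], "Resource": ARNS["input"]},
    {"Effect": "Allow", "Action": "kinesis:ListStreams", "Resource": "*"},
    {"Effect": "Allow", "Action": "kinesis:*", "Resource": BASE + "enrich-good"},
    {"Effect": "Allow", "Action": "dynamodb:*Item", "Resource": ARNS["table"]}]}

if __name__ == "__main__":
    print("\n".join(f"missing {a} on {r}" for a, r in missing_permissions(SAMPLE, ARNS)))
```

For the constructed sample, the gaps it reports are the CloudWatch metric permission, three DynamoDB table actions and all write access to the "bad" output stream.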