Documentation / Product / Integrations / Amazon Web Services / AWS Kinesis

AWS Kinesis Authorization

If you have not already done so, you will need to set up an AWS Kinesis account before you begin the process described below.

You can authorize the integration in one of two ways:

Providing your AWS Keys

Follow the steps below to authorize AWS with Lytics using your AWS keys. For more information on obtaining your keys, see Amazon's documentation on secret and access keys.

  1. Navigate to Amazon Web Services in the Integrations section of Lytics. aws
  2. Navigate to Authorizations.
  3. Click Add new authorization.
  4. Select Enter AWS Keys.
  5. Enter your Access Key and Secret Key.
  6. In the Description box, enter a name for your authorization.
  7. Click Authorize. authorization


Lytics Delegated Authorization for Export

Below is a set of instructions for how to set up delegated authorization. This method of doing authorization is more complicated than the AWS Keys method but some people prefer it:

  1. Set up Policy and Roles in your AWS Kinesis account.
  2. Contact Lytics support with your role Amazon Resource Name (ARN) that we grant permission to.

Here are related Amazon reference documents:

Stream Name: The name of the Kinesis stream that you will be writing to. It can be any alphanumeric string plus underscores, periods, or dashes.

This example shows lytics_triggers_stream.

# 1 Setup AWS CLI Permissions, change name of "my_aws_account"
# Assumes you have setup the AWS cli https://aws.amazon.com/cli/
aws configure --profile=my_aws_account
> ....

# 2 Ensure we have a kinesis stream, Create stream if need be
aws kinesis list-streams --profile=my_aws_account
aws kinesis describe-stream --stream-name lytics_triggers_stream --profile=my_aws_account
aws kinesis create-stream --stream-name lytics_triggers_stream --shard-count=1 --profile=my_aws_account
# cleanup if needed
aws kinesis delete-stream --stream-name lytics_triggers_stream --profile=my_aws_account

# 3 replace your AWS account-id below wherever you see 111111111

# 3a Create a Role in NonLytics account that allows a lytics user to
# assume identity/permission inside this account in order to write to kinesis.
aws iam list-roles --profile=my_aws_account --path-prefix="/Lytics"
aws iam create-role --profile=my_aws_account --role-name="LyticsWriteToKinesis" \
  --path="/Lytics/WriteToKinesis/" \
  --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { 
      "AWS": "arn:aws:iam::358991168639:user/gce1"
    },
    "Action": "sts:AssumeRole"
  }
}'



# 3b NonLytics Account: Create A policy allowing access to a specific Kinesis stream
aws iam list-policies --profile=my_aws_account  --scope=Local
aws iam get-policy --profile=my_aws_account --policy-arn="arn:aws:iam::111111111:policy/KinesisAssumeWrites"
aws iam create-policy --profile=my_aws_account \
  --policy-name KinesisAssumeWrites --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:PutRecord",
        "kinesis:PutRecords"
      ],
      "Resource": [
        "arn:aws:kinesis:us-west-2:111111111:stream/lytics_triggers_stream"
      ]
    }
  ]
}'

# 3c attach that new policy to previously created role
aws iam attach-role-policy --profile=my_aws_account \
  --role-name LyticsWriteToKinesis \
  --policy-arn "arn:aws:iam::111111111:policy/KinesisAssumeWrites"

# 3d view that role policy
aws iam get-role-policy --profile=my_aws_account --role-name LyticsWriteToKinesis --policy-name KinesisAssumeWrites

Cleanup

# kinesis streams cost $ when idle, so cleanup if test
aws kinesis delete-stream --stream-name lytics_triggers_stream --profile=my_aws_account


# detach role-policy
aws iam detach-role-policy --profile=my_aws_account \
  --role-name LyticsWriteToKinesis \
  --policy-arn "arn:aws:iam::111111111:policy/KinesisAssumeWrites"



# if you need to delete
aws iam list-role-policies --profile=my_aws_account --role-name="LyticsWriteToKinesis"
aws iam delete-role-policy --profile=my_aws_account --role-name="LyticsWriteToKinesis" --policy-name="simulate-inbound-lytics" 
aws iam delete-role --profile=my_aws_account --role-name "LyticsWriteToKinesis"

aws iam list-policies --profile=my_aws_account  --scope=Local
aws iam get-policy --profile=my_aws_account --policy-arn="arn:aws:iam::111111111:policy/KinesisAssumeWrites"
aws iam delete-policy --profile=my_aws_account --policy-arn="arn:aws:iam::111111111:policy/KinesisAssumeWrites"


aws iam delete-role --profile=my_aws_account --role-name "LyticsWriteToKinesis"

Contact Lytics to grant permission

Lytics will need the role Amazon Resource Name (ARN) from your AWS account to grant permission to. Contact Lytics Support with the ARN. It will look like this example if you followed the instructions above.

arn:aws:iam::111111111:role/Lytics/WriteToKinesis/LyticsWriteToKinesis

You are now ready to run an AWS Kinesis workflow.