Adding IAM permissions

Now that we have our Kinesis streams set up, we need to add an IAM policy to the Cognito Identity Pool so that we can give authenticated and unauthenticated identities the ability to send data to the Kinesis stream.

  • In the AWS Management Console, select the IAM service.

  • On the left-hand side, select Roles and find the IAM role that was created when you set up the Identity Pool. It should start with Cognito and look similar to this:

  • There are two roles that we are going to need to edit:

    • Cognito_PeculiarWizardsIdentityPoolAuth_Role
    • Cognito_PeculiarWizardsIdentityPoolUnauth_Role
  • Click into one of the roles and hit Add inline policy.

  • At the top, select JSON. We are going to add a custom JSON policy. Copy and paste the following policy into the body of the policy editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:PutRecord",
        "kinesis:PutRecords"
      ],
      "Resource": [
        "COPY-ARN-FOR-THE-SOLUTION-STREAM-HERE"
      ]
    }
  ]
}

Make sure to copy the ARN (Amazon Resource Name) of your Kinesis Data Stream and paste it where it says "COPY-ARN-FOR-THE-SOLUTION-STREAM-HERE". If you are using the Game Analytics Pipeline solution, use the ARN of the Kinesis stream that was spun up by CloudFormation (outside of the scope of this workshop).

  • You can find the ARN for the Kinesis Data Streams by going to the Kinesis console, finding your data stream, and clicking into it to view details. You will see the ARN in the stream details section.

  • This policy allows identities assuming the role to call both PutRecord and PutRecords on that one Kinesis stream resource. It should look similar to this:

  • Select Review policy.

  • Give the policy a name and hit Create policy.

  • Repeat the same steps for both roles:

    • Cognito_PeculiarWizardsIdentityPoolAuth_Role
    • Cognito_PeculiarWizardsIdentityPoolUnauth_Role
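The same steps can be scripted with the AWS CLI instead of clicking through the console. The script below is an added example and is not part of the workshop; it assumes the AWS CLI is configured with credentials allowed to call iam:PutRolePolicy, that the two role names are exactly the ones listed above, and that STREAM_ARN is the ARN of your own Kinesis Data Stream. The policy name KinesisPutRecords is an arbitrary choice. Because the unauthenticated role also receives this policy, the script refuses to proceed if the Resource would be a wildcard or the untouched placeholder, so the grant can only ever be scoped to the single stream you intend.

```shell
#!/bin/sh
# Added example (not the workshop's own code): attach the workshop's inline
# Kinesis policy to both Cognito Identity Pool roles with the AWS CLI.
# Assumes: AWS CLI configured with iam:PutRolePolicy rights, and STREAM_ARN
# set to the ARN of your own Kinesis Data Stream.

# Accept only a single, fully specified Kinesis stream ARN. The untouched
# placeholder, a bare "*", or "stream/*" are all rejected so the policy can
# never be broader than one stream.
validate_stream_arn() {
    case "$1" in
        arn:aws*:kinesis:*:*:stream/*) ;;
        *) echo "not a Kinesis stream ARN: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *\**) echo "wildcards are not allowed in the stream ARN: $1" >&2; return 1 ;;
    esac
    return 0
}

# Print the workshop's policy document with the stream ARN filled in.
kinesis_put_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kinesis:PutRecord", "kinesis:PutRecords"],
      "Resource": ["$1"]
    }
  ]
}
EOF
}

# Attach the document as an inline policy to both roles from the workshop.
# The policy name "KinesisPutRecords" is an assumption; any name works.
attach_to_cognito_roles() {
    stream_arn="$1"
    validate_stream_arn "$stream_arn" || return 1
    policy_file=$(mktemp) || return 1
    kinesis_put_policy "$stream_arn" > "$policy_file"
    for role in Cognito_PeculiarWizardsIdentityPoolAuth_Role \
                Cognito_PeculiarWizardsIdentityPoolUnauth_Role; do
        aws iam put-role-policy \
            --role-name "$role" \
            --policy-name KinesisPutRecords \
            --policy-document "file://$policy_file" || { rm -f "$policy_file"; return 1; }
    done
    rm -f "$policy_file"
}

# Only talk to AWS when STREAM_ARN is set, so the file can also be sourced
# just for its functions.
if [ -n "${STREAM_ARN:-}" ]; then
    attach_to_cognito_roles "$STREAM_ARN"
fi
```

Usage: `STREAM_ARN=arn:aws:kinesis:REGION:ACCOUNT:stream/YOUR-STREAM sh attach_kinesis_policy.sh`. After it runs, the two roles show the inline policy in the IAM console exactly as the manual steps above produce it, and `aws iam get-role-policy --role-name <role> --policy-name KinesisPutRecords` prints the document back for verification.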