Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
I have some Terraform that I use to provision resources in AWS that is working. I'm trying to get it to work in a Localstack Pro environment. I'm running into an issue when attempting to create a kinesis resource policy. The terraform is simple, and as I mentioned before, works against AWS.
resource "aws_kinesis_resource_policy" "stream_policy" {
  resource_arn = aws_kinesis_stream.kinesis_stream.arn
  policy       = data.aws_iam_policy_document.kinesis_data_stream_policy.json
}
When I run it, I get the following error:
Error: creating Kinesis Resource Policy (arn:aws:kinesis:us-east-1:000000000000:stream/sample-table-dynamodb-stream)
with module.dynamodb.aws_kinesis_resource_policy.stream_policy,
on ../modules/dynamodb/main.tf line 93, in resource "aws_kinesis_resource_policy" "stream_policy":
93: resource "aws_kinesis_resource_policy" "stream_policy" {
operation error Kinesis: PutResourcePolicy, https response error StatusCode: 400, RequestID: c444581a-fed0-471d-9e98-34dbc0b1ef59, AccessDeniedException: Unable to determine service/operation name to be authorized
I don't think it's a Terraform issue, because if I attempt the action from the command line:
# Inside the single-quoted policy no line-continuation backslashes are used:
# the shell would pass them through literally and the JSON would be invalid.
awslocal kinesis put-resource-policy \
  --resource-arn "arn:aws:kinesis:us-east-1:000000000000:stream/sample-table-dynamodb-stream" \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::000000000000:role/service-role"
        },
        "Action": [
          "kinesis:DescribeStreamSummary",
          "kinesis:GetShardIterator",
          "kinesis:GetRecords",
          "kinesis:ListShards"
        ],
        "Resource": "arn:aws:kinesis:us-east-1:000000000000:stream/sample-table-dynamodb-stream"
      }
    ]
  }'
I get the same error:
An error occurred (AccessDeniedException) when calling the PutResourcePolicy operation: Unable to determine service/operation name to be authorized
Even calling get-resource-policy gives me an AccessDenied:
awslocal kinesis get-resource-policy --resource-arn arn:aws:kinesis:us-east-1:000000000000:stream/sample-table-dynamodb-stream
An error occurred (AccessDeniedException) when calling the GetResourcePolicy operation: Unable to determine service/operation name to be authorized
awslocal kinesis describe-stream-summary works just fine. I can see that my stream has been created.
Expected Behavior
I would expect put-resource-policy to run successfully, and get-resource-policy to return the policy document
How are you starting LocalStack?
With the localstack script
Steps To Reproduce
How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)
DEBUG=1 localstack start -d
Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)
awslocal kinesis create-stream --stream-name my-test-stream
awslocal kinesis describe-stream --stream-name my-test-stream
# Inside the single-quoted policy no line-continuation backslashes are used:
# the shell would pass them through literally and the JSON would be invalid.
awslocal kinesis put-resource-policy \
  --resource-arn "arn:aws:kinesis:us-east-1:000000000000:stream/my-test-stream" \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::000000000000:role/svc-eos-service-sessiontracker-ci"
        },
        "Action": [
          "kinesis:DescribeStreamSummary",
          "kinesis:GetShardIterator",
          "kinesis:GetRecords",
          "kinesis:ListShards"
        ],
        "Resource": "arn:aws:kinesis:us-east-1:000000000000:stream/my-test-stream"
      }
    ]
  }'
awslocal kinesis get-resource-policy --resource-arn arn:aws:kinesis:us-east-1:000000000000:stream/my-test-stream
Environment
- OS: Mac Sequoia 15.4
- LocalStack:
  LocalStack version: 4.3.1.dev6:eaadc0a8e
  LocalStack Docker image sha: sha256:9acbec03040b0faa7d6d36093809b5c7776decfce73dafdc7913b3fab34850cb
  LocalStack build date:
  LocalStack build git hash:
Anything else?
No response
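The following is an added example, not part of the original issue and not LocalStack or AWS code: a client-side lint for the resource policy from the reproduction steps, useful for ruling out a malformed or over-broad policy document before attributing a `PutResourcePolicy` failure to the endpoint. The function name `lint_resource_policy` and the rules it applies are assumptions of this example; the stream ARN and policy are the ones shown in the steps above, embedded as a constructed sample.

```python
import json

# Constructed sample: stream ARN and policy document from the reproduction steps.
STREAM_ARN = "arn:aws:kinesis:us-east-1:000000000000:stream/my-test-stream"
POLICY_TEXT = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::000000000000:role/svc-eos-service-sessiontracker-ci"},
    "Action": ["kinesis:DescribeStreamSummary", "kinesis:GetShardIterator",
               "kinesis:GetRecords", "kinesis:ListShards"],
    "Resource": "arn:aws:kinesis:us-east-1:000000000000:stream/my-test-stream"
  }]
}"""

def _as_list(value):
    # IAM fields may be one string or a list; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def lint_resource_policy(policy_text, stream_arn):
    """Return a list of findings; an empty list means the document passed."""
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    findings = []
    if doc.get("Version") not in ("2012-10-17", "2008-10-17"):
        findings.append("missing or unknown Version")
    # Entries that are not JSON objects are ignored and count as absent.
    statements = [s for s in _as_list(doc.get("Statement")) if isinstance(s, dict)]
    if not statements:
        findings.append("no Statement entries")
    for i, st in enumerate(statements):
        for key in ("Effect", "Principal", "Action", "Resource"):
            if key not in st:
                findings.append(f"statement {i}: missing {key}")
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append(f"statement {i}: wildcard principal")
        for action in map(str, _as_list(st.get("Action"))):
            if not action.startswith("kinesis:") or "*" in action:
                findings.append(f"statement {i}: broad or foreign action {action}")
        for res in _as_list(st.get("Resource")):
            if res != stream_arn:
                findings.append(f"statement {i}: Resource {res} is not the target stream")
    return findings
```

Calling `lint_resource_policy(POLICY_TEXT, STREAM_ARN)` returns an empty list for the policy as written; the same text with shell continuation backslashes left inside it is reported as invalid JSON.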