aws-glue-schema-registry: GetSchemaVersionRequest in AWSSchemaRegistryClient does not specify a registry name

Hi.

I’ve been trying to figure out the minimum permissions required to set up Glue schema registry based serialization/deserialization (avro) as we consume/produce events to kafka.

Realized through line by line debugging that the getSchemaVersionRequest does not specify a registry name (https://github.com/awslabs/aws-glue-schema-registry/blob/master/common/src/main/java/com/amazonaws/services/schemaregistry/common/AWSSchemaRegistryClient.java#L222). This requires me to add the following wide permissions for my application to work.

        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "glue:GetSchemaVersion"
            ],
            "Resource": [
                "*"
            ]
        }

I would like to instead just give such permission to the specific registry I am using right now.

Is it possible to specify a registry name in this request?

About this issue

  • Original URL
  • State: open
  • Created 3 years ago
  • Reactions: 10
  • Comments: 20 (6 by maintainers)

Most upvoted comments

+1

+6
AmsterdamFilho on Apr 6, 2023

Once I change it to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "glue:GetRegistry",
                "glue:CreateSchema",
                "glue:UpdateSchema",
                "glue:GetSchema",
                "glue:ListSchemas",
                "glue:RegisterSchemaVersion",
                "glue:GetSchemaByDefinition",
                "glue:GetSchemaVersion",
                "glue:GetSchemaVersionsDiff",
                "glue:ListSchemaVersions",
                "glue:CheckSchemaVersionValidity",
                "glue:PutSchemaVersionMetadata"
            ],
            "Resource": [
                "arn:aws:glue:*:----------:schema/*",
                "arn:aws:glue:us-west-2:----------:registry/demo-shared"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "glue:GetSchemaVersion"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

it works

+5
dexter-mh-lee on Aug 12, 2021
Read more comments on GitHub
← aws-glue-data-catalog-client-for-apache-hive-metastore: Not able to query glue/Athena views ['java.lang.IllegalArgumentException: Can not create a Path from an empty string;']
aws-glue-schema-registry: Http client conflicts →