Kinesis Stream connection point properties

Configure a Kinesis Stream connection point to connect to an Amazon Kinesis data stream. You can authenticate with IAM user credentials (an access key and secret key) or by letting the application assume an IAM role in your AWS account.

Configuring a Kinesis Stream connection point

Use this procedure to define the connection and select the authentication method.

  1. Select Connect > Connection Point.
  2. Click Add new connection point.
  3. Click the Connection tab.
  4. Select the region where the Kinesis stream is located.
  5. Specify the stream name in the Stream Name field.
  6. Select an option from the Authentication Type field.
    IAM Credentials
    Use an access key and secret key.
    IAM Role
    Use an IAM role with an ARN and external ID.
  7. Click Test.
    The test result indicates whether the connection details are valid.

Configuring IAM credentials

Use IAM credentials to authenticate with an access key and secret key. These are long-lived credentials: grant the IAM user only the read access the stream requires, rotate the key regularly, and prefer the IAM Role option where possible.

  1. Select IAM Credentials in the Authentication Type field.
  2. Import the credentials.csv file that you downloaded from AWS when the access key was created, or type the values manually.
    Importing the file populates the Access Key and Secret Key fields automatically.

Configuring an IAM role

Use an IAM role to allow the application to access AWS resources without storing long-lived access keys and secret keys. The application assumes the role and receives short-lived temporary credentials instead.

  1. Select IAM Role in the Authentication Type field.
  2. Specify this information:
    Role ARN
    Specify the Amazon Resource Name of the IAM role that grants access to the Kinesis stream. Use this format: arn:<PARTITION>:iam::<CUSTOMER_ACCOUNT>:role/<ROLE_NAME>.
    External ID
    Specify the external ID that is configured in the IAM role trust policy. The external ID must match the value in the sts:ExternalId condition.
  3. Use an external ID value that meets these requirements:
    • Use this format: Infor-ionce-tenant-<YOUR_TENANT_ID>-<ENV>-is-allowed-<YOUR_SECRET>
    • The customer-defined <YOUR_SECRET> portion must be at least 16 characters.
    • Use letters, numbers, and supported special characters.
    • Use an unguessable, randomly generated value.
    • Do not share the external ID; treat it as a secret.

Creating an IAM role

Create an IAM role in AWS with the minimum permissions required to access the Kinesis stream.

  1. Create an IAM role in your AWS account.

    Grant only the permissions required by the application, for example read access to a specific Kinesis stream: the kinesis:DescribeStream, kinesis:ListShards, kinesis:GetShardIterator and kinesis:GetRecords actions, with the Resource limited to that stream's ARN.

  2. Configure the trust policy.

    Include these Infor accounts as trusted principals to allow the sts:AssumeRole action:

    • ION MT account – Production multi-tenant account used for role assumption
    • ION X account – Account used for containerization transition
    • Hybrid (ICC) account – Used for hybrid and on-premises integrations

    Contact Infor Support to obtain:

    • AWS account IDs for your environment
    • Principal ARN patterns for your application
  3. Define the trust policy.

    Use this example as a reference:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::<ION_MT_ACCOUNT_ID>:root",
              "arn:aws:iam::<ION_X_ACCOUNT_ID>:root",
              "arn:aws:iam::<ICC_ACCOUNT_ID>:root"
            ]
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "ArnLike": {
              "aws:PrincipalArn": [
                "arn:aws:iam::<ION_MT_ACCOUNT_ID>:role/ionce-*",
                "arn:aws:iam::<ION_X_ACCOUNT_ID>:role/ionce-*",
                "arn:aws:iam::<ICC_ACCOUNT_ID>:role/ionce-*"
              ]
            },
            "StringEquals": {
              "sts:ExternalId": "Infor-ionce-tenant-<TENANT_ID>-<ENV>-is-allowed-<YOUR_SECRET>"
            }
          }
        }
      ]
    }

    Note: Replace the placeholder values with the values provided by Infor Support, and use exactly the external ID that you enter in the connection point. All operators in the Condition block must hold for a request to be allowed, so a caller must both come from an ionce-* role in one of the listed accounts and present the matching external ID.

    If you annotate the example with comment lines while editing it, remove them before applying the policy. IAM JSON policy documents do not support comments.

  4. Configure the external ID.

    The external ID protects against the confused deputy problem. Infor assumes roles on behalf of many tenants, so a third party who learns your role ARN could otherwise ask Infor to assume your role on its behalf. The sts:ExternalId condition ensures that the role can only be assumed together with the value that you configured.

    Use this format:

    Infor-ionce-tenant-<YOUR_TENANT_ID>-<ENV>-is-allowed-<YOUR_SECRET>

    • The Infor-owned portion identifies the tenant and application
    • The customer-defined <YOUR_SECRET> portion must be at least 16 characters
    • Use letters, numbers, and supported special characters
    • Use an unguessable, randomly generated value
    • Do not share the external ID
  5. Review security safeguards.

    • External ID required – Prevents unauthorized role assumption
    • Session policy on every call – Limits permissions to required actions
    • Trust policy conditions – Controls which principals can assume the role
    • Short-lived credentials – Reduces risk of credential leakage
    • Pre-flight validation – Rejects requests without a valid external ID
    • CloudTrail audit logging – Logs all role assumptions
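The external ID requirements and the role setup above, as an added worked example in Python. This is not Infor's or AWS's code: it generates an external ID in the documented format, builds the trust policy and a least-privilege read policy for one stream, approximates the trust-policy evaluation offline as a pre-flight check, and assembles the AssumeRole request that carries the external ID and a session policy. The account IDs, tenant ID, region and stream name are constructed placeholders, and the set of "supported special characters" is assumed to be the character set STS accepts for ExternalId.

```python
"""Added example (not Infor's or AWS's code): external ID checks, trust and read
policies, and an offline pre-flight check for a Kinesis reader role."""
import fnmatch
import json
import re
import secrets
import string

# Constructed placeholders; real values come from Infor Support and your own account.
INFOR_ACCOUNT_IDS = {"ION_MT": "111111111111", "ION_X": "222222222222", "ICC": "333333333333"}
MIN_SECRET_LEN = 16
# Assumption: the page's "supported special characters" are within what STS accepts for ExternalId.
ALLOWED_CHARS = set(string.ascii_letters + string.digits + "_+=,.@:/-")
# Assumption: tenant IDs contain only letters, digits and underscores.
EXTERNAL_ID_RE = re.compile(
    r"^Infor-ionce-tenant-(?P<tenant>[A-Za-z0-9_]+)-(?P<env>[A-Za-z0-9]+)-is-allowed-(?P<secret>.+)$"
)


def check_external_id(external_id):
    """Return the list of documented requirements the value violates (empty means OK)."""
    m = EXTERNAL_ID_RE.match(external_id)
    if not m:
        return ["does not match Infor-ionce-tenant-<TENANT_ID>-<ENV>-is-allowed-<YOUR_SECRET>"]
    secret = m.group("secret")
    problems = []
    if len(secret) < MIN_SECRET_LEN:
        problems.append(f"customer-defined portion has {len(secret)} characters, need {MIN_SECRET_LEN}")
    bad = sorted(set(secret) - ALLOWED_CHARS)
    if bad:
        problems.append(f"unsupported characters in customer-defined portion: {bad}")
    return problems


def make_external_id(tenant_id, env, secret=None):
    """Build an external ID; by default the secret is 24 random bytes, URL-safe encoded (32 chars)."""
    if secret is None:
        secret = secrets.token_urlsafe(24)  # unguessable; only letters, digits, '-' and '_'
    external_id = f"Infor-ionce-tenant-{tenant_id}-{env}-is-allowed-{secret}"
    problems = check_external_id(external_id)
    if problems:
        raise ValueError("; ".join(problems))
    return external_id


def build_trust_policy(external_id, account_ids=INFOR_ACCOUNT_IDS, partition="aws"):
    """Trust policy shaped like the documented example: Infor account roots as principals,
    narrowed to ionce-* roles and to callers presenting exactly this external ID."""
    ids = list(account_ids.values())
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:{partition}:iam::{a}:root" for a in ids]},
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnLike": {"aws:PrincipalArn": [f"arn:{partition}:iam::{a}:role/ionce-*" for a in ids]},
            "StringEquals": {"sts:ExternalId": external_id},
        },
    }]}


def build_read_policy(region, account_id, stream_name, partition="aws"):
    """Permissions policy for the role: read-only Kinesis actions on exactly one stream."""
    stream_arn = f"arn:{partition}:kinesis:{region}:{account_id}:stream/{stream_name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:ListShards",
                   "kinesis:GetShardIterator", "kinesis:GetRecords"],
        "Resource": stream_arn,
    }]}


def trust_policy_allows(trust_policy, caller_role_arn, external_id):
    """Offline approximation of STS evaluating the trust policy: within one statement every
    Condition operator must hold, so the caller's role ARN pattern AND the external ID must
    both match. A pre-flight check, not a replacement for the real evaluation."""
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRole":
            continue
        cond = st.get("Condition", {})
        ext_ok = cond.get("StringEquals", {}).get("sts:ExternalId") == external_id
        patterns = cond.get("ArnLike", {}).get("aws:PrincipalArn", [])
        arn_ok = any(fnmatch.fnmatchcase(caller_role_arn, p) for p in patterns)
        if ext_ok and arn_ok:
            return True
    return False


def assume_role_request(role_arn, external_id, session_policy, session_name="ionce-kinesis"):
    """Keyword arguments for boto3's sts.assume_role(**request). ExternalId satisfies the trust
    policy; Policy is a session policy that caps the temporary credentials at the read actions
    on every call, even if the role's own permissions were broader."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name, "ExternalId": external_id,
            "Policy": json.dumps(session_policy), "DurationSeconds": 3600}
```

Run the pre-flight check with the same external ID string that you paste into the connection point; a mismatch of a single character (for example an external ID without the <ENV> segment while the trust policy has it) makes trust_policy_allows return False, which is exactly what STS would do with an AccessDenied.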