(aws_cdk.aws_dynamodb): reading `table_arn` results in `dynamoDb:describeTable` call with `...cfn-exec-role...` role
See original GitHub issueThere is a deployment role used for the deployment process of the entire infrastructure that is assumed before cdk deploy
step using aws sts assume-role
.
After introducing reading table_arn
property between stacks this process got an error. It turns out that there was a call to dynamoDb:describeTable
made with an internal CDK role ...cfn-exec-role...
which does not have access permissions and it results in AccessDenied. User doesn't have permission to call dynamoDb:describeTable
error.
Reproduction Steps
import aws_cdk.aws_dynamodb as ddb
import aws_cdk.core as cdk
class DynamoDBStack(cdk.Stack):
def __init__(
self, scope: cdk.Construct, id: str, **kwargs
) -> None:
super().__init__(scope, id, **kwargs)
self.table = ddb.Table(
self, "ddb_table",
table_name="MyTable",
partition_key=ddb.Attribute(name="key1", type=ddb.AttributeType("STRING")),
sort_key=ddb.Attribute(name="key2", type=ddb.AttributeType("STRING")),
)
def get_table_arn(self):
return self.table.table_arn
The call from another stack is then enough to cause the issue:
import aws_cdk.core as cdk
from dynamodb import DynamoDBStack
from aws_iam_policies import create_dynamodb_table_read_policy
class IAMStack(cdk.Stack):
def __init__(
self, scope: cdk.Construct, id: str, ddb_stack: DynamoDBStack, **kwargs
) -> None:
super().__init__(scope, id, **kwargs)
create_dynamodb_table_read_policy(scope, ddb_stack.get_table_arn())
Contents of the cdk.json
:
{
"app": "python3 app.py",
"context": {
"@aws-cdk/core:enableStackNameDuplicates": "true",
"aws-cdk:enableDiffNoFail": "true",
"@aws-cdk/core:stackRelativeExports": "true",
"@aws-cdk/aws-ecr-assets:dockerIgnoreSupport": true,
"@aws-cdk/aws-secretsmanager:parseOwnedSecretName": true,
"@aws-cdk/aws-kms:defaultKeyPolicies": true,
"@aws-cdk/aws-s3:grantWriteWithoutAcl": true
}
}
What did you expect to happen?
Get ARN of DynamoDB table from another stack.
What actually happened?
AccessDenied. User doesn't have permission to call dynamoDb:describeTable
Environment
- CDK CLI Version : 1.119.0
- Framework Version:
- Node.js Version:
- OS : Ubuntu-x86_64
- Language (Version): Python 3.7
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 2 years ago
- Comments:11 (6 by maintainers)
Top Results From Across the Web
aws-cdk/aws-dynamodb module - AWS Documentation
DynamoDB supports two billing modes: PROVISIONED - the default mode where the table and global secondary indexes have configured read and write capacity....
Read more >DescribeTable in dynamobDB grantReadWriteData and ...
I would expect it to only contain the minimal set of permissions needed to read table data . We also have an API...
Read more >How to use the @aws-cdk/aws-dynamodb.Table function in ...
To help you get started, we've selected a few @aws-cdk/aws-dynamodb.Table examples, based on popular ways it is used in public projects.
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Interestingly enough, when I tried to reproduce the issue running
cdk deploy --verbose
and with version 1.121.0, I was not able to. We can close this issue and reopen it if it ever happens again I guess.⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.