aws_dynamodb: `grant*Data()` should include the `dynamodb:DescribeTable` permission
Description
Table should have a grant* method that grants `dynamodb:DescribeTable`.
Use Case
I recently encountered a case where I need a lambda to inspect the key schema for the table it is putting items to, but it had AccessDenied when attempting to do so, with the stated error that it was not authorized to perform `dynamodb:DescribeTable`.
Proposed Solution
I’m thinking it is reasonable to add `dynamodb:DescribeTable` to the `grantReadWriteData()` method and I’m happy to work up a pull request to do so. Alternately, I can add a `grantDescribeTable()` or something along those lines, if that is your preference. I would just start with a pull request but I’m not sure what direction you would prefer me to go, especially since this change would add an action to existing resources - not sure if that counts as breaking or not.
Other information
No response
Acknowledge
- I may be able to implement this feature request
- This feature might incur a breaking change
Issue Analytics
- State:
- Created 2 years ago
- Comments:8 (7 by maintainers)
Top GitHub Comments
I put up a fix @jusdino. Hopefully this is what everyone had in mind.
@skinny85 I’d like to make the argument that `dynamodb:DescribeTable` should be added to all of the data grant functions because `dynamodb:DescribeTable` is used by the HigherLevel DDB client in both .net and java. This means applications that use the high level client need to have two lines in their cdk application instead of one.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HigherLevelInterfaces.html
pseudo .net code that results in an access error because `dynamodb:DescribeTable` is missing
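The permission gap the comments describe, as an added example that is not part of the issue thread or of the CDK code base: a small IAM-style policy evaluator in Python that takes the kind of statement a read/write data grant produces and reports which actions a high-level client (or a Lambda inspecting the key schema) still lacks, then shows the extra `dynamodb:DescribeTable` statement an application currently has to add by hand. The table ARN, the data-plane action list and the client's action set are constructed assumptions for this example, not values taken from the page or from the CDK source.

```python
"""Check an IAM policy for the DynamoDB actions a high-level client needs.

Models the situation in the issue: a grant that covers only data-plane
actions lets PutItem/GetItem through but denies dynamodb:DescribeTable.
"""
import fnmatch
from typing import Dict, List, Union

# Constructed sample ARN for this example (not from the issue).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"

# Data-plane actions a read/write data grant typically covers. This list is an
# assumption made for the example, not copied from the CDK implementation.
READ_WRITE_DATA_ACTIONS = [
    "dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem",
]

# Actions a higher-level client issues on startup and on writes (assumed set;
# DescribeTable is the control-plane call the issue is about).
HIGH_LEVEL_CLIENT_ACTIONS = [
    "dynamodb:DescribeTable", "dynamodb:PutItem", "dynamodb:GetItem",
]

Patterns = Union[str, List[str]]


def _matches(patterns: Patterns, value: str, case_insensitive: bool) -> bool:
    """IAM-style glob match. Action names compare case-insensitively,
    resource ARNs compare exactly."""
    if isinstance(patterns, str):
        patterns = [patterns]
    for pattern in patterns:
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Evaluate one action against a policy document: default deny, any
    matching Allow grants it, and an explicit Deny overrides every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, True):
            continue
        if not _matches(stmt["Resource"], resource, False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy: Dict, needed: List[str], resource: str) -> List[str]:
    """Return the subset of `needed` that the policy does not allow on `resource`."""
    return [a for a in needed if not is_allowed(policy, a, resource)]


def grant_read_write_data(table_arn: str) -> Dict:
    """Build the statement a data-only grant would produce (assumed shape):
    the table itself plus its indexes, data-plane actions only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(READ_WRITE_DATA_ACTIONS),
            "Resource": [table_arn, table_arn + "/index/*"],
        }],
    }


def add_describe_table(policy: Dict, table_arn: str) -> Dict:
    """The second statement an application has to add today so the
    high-level client can call DescribeTable on the table."""
    extra = {
        "Effect": "Allow",
        "Action": ["dynamodb:DescribeTable"],
        "Resource": [table_arn],
    }
    return {"Version": policy["Version"], "Statement": list(policy["Statement"]) + [extra]}


if __name__ == "__main__":
    data_only = grant_read_write_data(TABLE_ARN)
    print("data-only grant lacks:", missing_actions(data_only, HIGH_LEVEL_CLIENT_ACTIONS, TABLE_ARN))
    fixed = add_describe_table(data_only, TABLE_ARN)
    print("with DescribeTable lacks:", missing_actions(fixed, HIGH_LEVEL_CLIENT_ACTIONS, TABLE_ARN))
```

Running the script prints `['dynamodb:DescribeTable']` for the data-only grant and `[]` once the extra statement is present, which is the one-line-versus-two-lines difference the comment is arguing about. The evaluator is deliberately minimal (no conditions, principals or NotAction), but it is enough to feed a synthesized policy document into and see which of a client's calls would come back AccessDenied.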