aws_dynamodb: `grant*Data()` should include the `dynamodb:DescribeTable` permission

Description

Table should have a grant* method that grants dynamodb:DescribeTable.

Use Case

I recently encountered a case where I need a lambda to inspect the key schema for the table it is putting items to, but it had AccessDenied when attempting to do so, with the stated error that it was not authorized to perform dynamodb:DescribeTable.

Proposed Solution

I’m thinking it is reasonable to add dynamodb:DescribeTable to the grantReadWriteData() method and I’m happy to work up a pull request to do so. Alternately, I can add a grantDescribeTable() or something along those lines, if that is your preference. I would just start with a pull request but I’m not sure what direction you would prefer me to go, especially since this change would add an action to existing resources - not sure if that counts as breaking or not.

Other information

No response

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (7 by maintainers)

Top GitHub Comments

2 reactions
chris-smith-zocdoc commented, Feb 24, 2022

I put up a fix @jusdino

Hopefully this is what everyone had in mind

2 reactions
chris-smith-zocdoc commented, Feb 23, 2022

@skinny85 I’d like to make the argument that dynamodb:DescribeTable should be added to all of the data grant functions

  • grantReadWriteData
  • grantReadData
  • grantWriteData

because dynamodb:DescribeTable is used by the HigherLevel DDB client in both .NET and Java

This means applications that use the high level client need to have two lines in their CDK application instead of one.

```typescript
myTable.grantReadWriteData(myEcsTaskRole);
myTable.grant(myEcsTaskRole, 'dynamodb:DescribeTable');
```

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HigherLevelInterfaces.html

Pseudo .NET code that results in an access error because dynamodb:DescribeTable is missing:

```csharp
var client = new AmazonDynamoDBClient(...);
var context = new DynamoDBContext(client, new DynamoDBContextConfig { 
    ...
});

var item = await context.LoadAsync<MyItem>("my-key");
```
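
An added example, not part of the original thread or CDK's own code: a small TypeScript check that reports which required actions an identity policy fails to allow on a table, run on a data-only policy and on the same policy with dynamodb:DescribeTable added. The policy contents, table ARN, account ID and the `NEEDED` list are constructed for illustration, and the check ignores conditions, NotAction and resource-based policies.

```typescript
// Added example: minimal identity-policy check, not a full IAM evaluator
// (no Condition, NotAction/NotResource, or resource-based policies).
type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
};

// IAM wildcards: '*' matches any run of characters, '?' exactly one.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, ignoreCase ? "i" : "").test(value);
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Action names are matched case-insensitively, resource ARNs case-sensitively.
function covers(s: Statement, action: string, resource: string): boolean {
  return asList(s.Action).some((a) => globMatch(a, action, true)) &&
    asList(s.Resource).some((r) => globMatch(r, resource, false));
}

// Required actions that are not allowed, or are explicitly denied, on the resource.
function missingActions(policy: Statement[], required: string[], resource: string): string[] {
  return required.filter((action) => {
    const hits = policy.filter((s) => covers(s, action, resource));
    const denied = hits.some((s) => s.Effect === "Deny");
    const allowed = hits.some((s) => s.Effect === "Allow");
    return denied || !allowed; // an explicit Deny overrides any Allow
  });
}

// Constructed sample data: placeholder account ID and table name.
const TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/MyTable";
const dataOnlyPolicy: Statement[] = [{
  Effect: "Allow",
  Action: ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem"],
  Resource: [TABLE_ARN, TABLE_ARN + "/index/*"],
}];
const withDescribe: Statement[] = [
  ...dataOnlyPolicy,
  { Effect: "Allow", Action: "dynamodb:DescribeTable", Resource: TABLE_ARN },
];
// Assumed needs of a high-level client load: the item read plus the schema lookup.
const NEEDED = ["dynamodb:GetItem", "dynamodb:DescribeTable"];

console.log(missingActions(dataOnlyPolicy, NEEDED, TABLE_ARN));
console.log(missingActions(withDescribe, NEEDED, TABLE_ARN));
```

Running the same check against a role's synthesized policy before deployment shows whether the extra `grant` line is still needed for that role.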