
DynamoDB Global Table's grant*() gives permission only to regional resources


new Table(...).grant(grantee, ...actions), new Table(...).grantFullAccess(grantee), new Table(...).grantReadData(grantee) and new Table(...).grantReadWriteData(grantee) grant access to the table and its indexes only in the region in which the table is created, even when replicationRegions is not undefined.

Reproduction Steps

  1. Create a global table in a stack with us-east-1 region:

     table1 = new dynamodb.Table(this, 'Table1', {
       ...
       ...
       tableName: 'Table1', // You need to share this table across environments
       replicationRegions: ['us-west-1']
     });

  2. Share the above table to a different stack with us-west-1 region.

  3. In the us-west-1 stack, create a lambda function and grant it the read permission of the global table.

     myLambda = new lambda.Function(...);

     // Read grant, as described above (Table has no grantWriteAccess method)
     table1.grantReadData(myLambda);

Unfortunately, myLambda won’t be able to read from the table1 replica in the same region (us-west-1) because of wrong IAM permissions. If you look at the service role for myLambda, you’ll find this policy statement:

{
    "Action": [
        "dynamodb:Query",
        ...
        ...
    ],
    "Resource": [
        "arn:aws:dynamodb:us-east-1:<account no.>:table/Table1",
        "arn:aws:dynamodb:us-east-1:<account no.>:table/Table1/index/*"
    ],
    "Effect": "Allow"
}

After finding replicationRegions, CDK should either replace us-east-1 with * or add more regional ARNs to Resource.

I also can’t modify the table1 ARN to create my own IAM policy statement.

table1.tableArn.replace('us-east-1', '*');

This doesn’t work because tableArn is not a string at runtime even if I give physical name to the table.

I had to manually edit policy statements in production which has created a drift in CloudFormation Stack.

Error Log

No error log. Human introspection is needed.

Environment

  • CLI Version : 1.32.0
  • Framework Version: 1.32.0
  • OS : Windows 10 Pro
  • Language : Typescript

This is a 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:15 (15 by maintainers)
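The statement the issue asks CDK to synthesize, and the check a practitioner would run over a role's policy before trusting a grant, as an added example. This is not code from the CDK project or from the issue author: it builds the Resource list with a table ARN and an index/* ARN for the primary region and for each entry in replicationRegions (the index ARNs being the point raised in the comments), and reports which regions a given statement fails to cover. The account id, the regional statement and the read action set are constructed for illustration; the page itself only shows dynamodb:Query and a placeholder account number.

```typescript
// Added example, not code from the CDK project or the issue author.
// Builds the IAM statement CDK would need for a global table and checks
// whether an existing statement covers every replica region.
// Account id, action list and the sample statement are constructed.

export interface GlobalTableSpec {
  account: string;
  tableName: string;
  primaryRegion: string;        // region the Table construct lives in
  replicationRegions: string[]; // the Table's replicationRegions property
  partition?: string;           // "aws" unless running in another partition
}

export interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

function tableArn(spec: GlobalTableSpec, region: string): string {
  const partition = spec.partition || "aws";
  return `arn:${partition}:dynamodb:${region}:${spec.account}:table/${spec.tableName}`;
}

// Table and index ARNs for every region the global table exists in.
export function globalTableArns(spec: GlobalTableSpec): string[] {
  const regions = Array.from(new Set([spec.primaryRegion, ...spec.replicationRegions]));
  const arns: string[] = [];
  for (const region of regions) {
    const arn = tableArn(spec, region);
    arns.push(arn, `${arn}/index/*`); // indexes too, as grantReadData does
  }
  return arns;
}

export function buildGlobalTableStatement(spec: GlobalTableSpec, actions: string[]): PolicyStatement {
  return { Effect: "Allow", Action: [...actions], Resource: globalTableArns(spec) };
}

// IAM-style match: '*' in the pattern stands for any run of characters.
function iamMatches(pattern: string, value: string): boolean {
  const parts = pattern.split("*").map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp(`^${parts.join(".*")}$`).test(value);
}

// Does `stmt` allow `action` on the table replica in `region`?
export function statementCoversReplica(
  stmt: PolicyStatement, spec: GlobalTableSpec, region: string, action: string): boolean {
  if (stmt.Effect !== "Allow") return false;
  if (!stmt.Action.some((a) => iamMatches(a, action))) return false;
  const target = tableArn(spec, region);
  return stmt.Resource.some((r) => iamMatches(r, target));
}

// Regions of the global table where `stmt` does NOT allow `action`: the gap
// that the regional grant in the issue leaves open.
export function uncoveredRegions(stmt: PolicyStatement, spec: GlobalTableSpec, action: string): string[] {
  return [spec.primaryRegion, ...spec.replicationRegions]
    .filter((region) => !statementCoversReplica(stmt, spec, region, action));
}

// Constructed sample mirroring the issue: Table1 created in us-east-1 with a
// us-west-1 replica, and the regional statement CDK attached to the role.
export const SAMPLE_SPEC: GlobalTableSpec = {
  account: "123456789012",
  tableName: "Table1",
  primaryRegion: "us-east-1",
  replicationRegions: ["us-west-1"],
};

// Representative read-only actions (assumption; the page only shows Query).
export const READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem"];

export const REGIONAL_STATEMENT: PolicyStatement = {
  Effect: "Allow",
  Action: READ_ACTIONS,
  Resource: [
    "arn:aws:dynamodb:us-east-1:123456789012:table/Table1",
    "arn:aws:dynamodb:us-east-1:123456789012:table/Table1/index/*",
  ],
};

// uncoveredRegions(REGIONAL_STATEMENT, SAMPLE_SPEC, "dynamodb:Query") -> ["us-west-1"]
// uncoveredRegions(buildGlobalTableStatement(SAMPLE_SPEC, READ_ACTIONS), SAMPLE_SPEC, "dynamodb:Query") -> []
```

Running uncoveredRegions over the statements of a synthesized role is a cheap drift check: it flags a replica region the grant silently misses, which is the situation the issue reporter only discovered by inspecting the role by hand. The matcher deliberately treats only `*` as a wildcard, so a statement that hardcodes one region is reported as a gap even though it is syntactically valid.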

Top GitHub Comments

1 reaction
skinny85 commented, Apr 15, 2020

A little besides the issue, but cross-region/account tokens are definitely possible 😃. Through something called physical names (set here in DynamoDB, and later used here).

0 reactions
jogold commented, Apr 15, 2020

it’s not granting read access to indexes of the table as before.

Good point.
