
(dynamodb): grantReadData() should always grant permissions to secondary indexes


Reproduction Steps

myTable.grantReadData(myLambda);

Then we query on a secondary index on myTable and get

AccessDeniedException

What did you expect to happen?

Expected the lambda to be able to query the table, including on secondary indices.

What actually happened?

AccessDeniedException

Environment

  • CDK CLI Version : v1.89.0
  • Framework Version: v1.89.0
  • Node.js Version: v15.10.0
  • OS : MacOS
  • Language (Version): TypeScript (4.2.2)

Other

Resolved / workaround by adding

    import * as iam from '@aws-cdk/aws-iam';

    // Grant Query on every index of the table; Table exposes the ARN as
    // `tableArn` (there is no `arn` property on the CDK Table construct).
    myLambda.addToRolePolicy(
      new iam.PolicyStatement({
        actions: ['dynamodb:Query'],
        resources: [`${myTable.tableArn}/index/*`],
      }),
    );

The fix probably belongs somewhere near https://github.com/aws/aws-cdk/blob/0ea4b19afd639541e5f1d7c1783032ee480c307e/packages/%40aws-cdk/aws-dynamodb/lib/table.ts#L906


This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 10
  • Comments: 16 (9 by maintainers)

Top GitHub Comments

pszabop commented, May 13, 2021 (10 reactions)

Note that if you import dynamodb using fromTableAttributes() the problem probably fixes itself both for lambda and appsync (appsync I just tested)

example:

    const recipeTable = dynamodb.Table.fromTableAttributes(this, 'importedRecipeTable', {
      tableArn: recipeTableArn.toString(),  // ARN received from another stack's output
      localIndexes: [ 'byName' ],  // should be from another stack's output, hardcoded for quick verification
    }) as dynamodb.Table;

Note my reason for separating databases and APIs/non-storage deployments is lifetime: it’s okay to destroy stateless stuff like APIs in case of re-entrancy bugs in CDK or CloudFormation, but really bad to have to destroy databases and recreate them.

From what I can tell, sharing objects does not let you have independent lifetimes for databases and APIs, but export/import does.
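The following is an added example, not code from the aws-cdk project or from anyone in this thread. It models, without any CDK dependency, the three IAM resource shapes discussed above: the table-ARN-only read statement the issue reports for v1.89.0, the `${tableArn}/index/*` wildcard from the workaround, and the per-index ARNs you get when a table is imported with `localIndexes`/`globalIndexes` named. A small IAM-style wildcard matcher then shows which Query calls each shape allows. The action list is modelled on CDK v1's `grantReadData()` and is an assumption: check the list in the CDK version you deploy. The ARNs are constructed sample values.

```typescript
// Added example: models the read grant for a DynamoDB table with and without
// index resources, and evaluates a Query against table and index ARNs.

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
}

// Assumption: read actions modelled on CDK v1's grantReadData(); verify
// against the CDK version you actually use.
const READ_DATA_ACTIONS = [
  'dynamodb:BatchGetItem',
  'dynamodb:GetRecords',
  'dynamodb:GetShardIterator',
  'dynamodb:Query',
  'dynamodb:GetItem',
  'dynamodb:Scan',
  'dynamodb:ConditionCheckItem',
];

// indexes undefined -> table ARN only (what the issue reports)
// indexes = []      -> `${tableArn}/index/*` (the issue's workaround)
// indexes = [names] -> one ARN per named index, the least-privilege form
//                      (what importing with localIndexes/globalIndexes gives)
function buildReadStatement(tableArn: string, indexes?: string[]): PolicyStatement {
  const resources = [tableArn];
  if (indexes !== undefined) {
    if (indexes.length === 0) {
      resources.push(`${tableArn}/index/*`);
    } else {
      for (const name of indexes) resources.push(`${tableArn}/index/${name}`);
    }
  }
  return { Effect: 'Allow', Action: [...READ_DATA_ACTIONS], Resource: resources };
}

// IAM-style wildcard match: `*` matches any run of characters, `?` exactly one.
// Everything else is literal; ARN segments get no special treatment.
function matchesPattern(pattern: string, value: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(value);
}

// Simplified evaluator: true only if an Allow statement covers both the action
// and the resource. Real IAM also applies explicit Deny, conditions and
// resource-based policies; this deliberately checks only the Allow side.
function isAllowed(statements: PolicyStatement[], action: string, resourceArn: string): boolean {
  return statements.some(s =>
    s.Effect === 'Allow' &&
    s.Action.some(a => matchesPattern(a, action)) &&
    s.Resource.some(r => matchesPattern(r, resourceArn)));
}

// Constructed sample ARNs (not taken from the issue).
const TABLE_ARN = 'arn:aws:dynamodb:us-east-1:123456789012:table/Recipes';
const INDEX_ARN = `${TABLE_ARN}/index/byName`;

function demo(): Record<string, boolean> {
  const tableOnly = [buildReadStatement(TABLE_ARN)];
  const wildcard = [buildReadStatement(TABLE_ARN, [])];
  const named = [buildReadStatement(TABLE_ARN, ['byName'])];
  return {
    tableQuery_tableOnly: isAllowed(tableOnly, 'dynamodb:Query', TABLE_ARN),   // true
    indexQuery_tableOnly: isAllowed(tableOnly, 'dynamodb:Query', INDEX_ARN),   // false: the AccessDeniedException
    indexQuery_wildcard: isAllowed(wildcard, 'dynamodb:Query', INDEX_ARN),     // true
    indexQuery_named: isAllowed(named, 'dynamodb:Query', INDEX_ARN),           // true
    otherIndex_named: isAllowed(named, 'dynamodb:Query', `${TABLE_ARN}/index/byDate`), // false
    putItem_wildcard: isAllowed(wildcard, 'dynamodb:PutItem', INDEX_ARN),     // false: read-only grant
  };
}

console.log(demo());
```

The `indexQuery_tableOnly` result is the denial the issue describes: the table ARN does not cover `.../index/...` resources, so a Query that names an index needs its own resource entry. Listing index ARNs individually (the `named` form) keeps the grant narrower than the `index/*` wildcard, which is worth preferring when the index names are known at synth time.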

skinny85 commented, Mar 20, 2021 (2 reactions)

I’m not completely opposed to this idea @ahammond. I’m turning this into a feature request.

PRs are welcome, as always 😉.
