(dynamodb): grantReadData() should always grant permissions to secondary indexes
Reproduction Steps
myTable.grantReadData(myLambda);
Then we query on a secondary index on myTable and get
AccessDeniedException
What did you expect to happen?
Expected the lambda to be able to query the table, including on secondary indices.
What actually happened?
AccessDeniedException
Environment
- CDK CLI Version : v1.89.0
- Framework Version: v1.89.0
- Node.js Version: v15.10.0
- OS : MacOS
- Language (Version): TypeScript (4.2.2)
Other
Resolved / workaround by adding
myLambda.addToRolePolicy(
  new iam.PolicyStatement({
    actions: ['dynamodb:Query'],
    // The Table construct exposes tableArn (not arn); the /index/* suffix covers every secondary index.
    resources: [`${myTable.tableArn}/index/*`],
  }),
);
The fix probably belongs somewhere near https://github.com/aws/aws-cdk/blob/0ea4b19afd639541e5f1d7c1783032ee480c307e/packages/%40aws-cdk/aws-dynamodb/lib/table.ts#L906
This is a 🐛 Bug Report
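An added example, not code from the issue or from the CDK project: it models the two policy statement shapes the issue describes (read actions on the table ARN alone, versus the table ARN plus `<tableArn>/index/*`) together with an IAM-style wildcard matcher, to show why a Query against an index ARN is denied by the first and allowed by the second. The table ARN and index name are constructed sample values.

```typescript
// Added example; models the statement shapes from the issue, not CDK's own code.
type Statement = { Effect: "Allow"; Action: string[]; Resource: string[] };

// Subset of the DynamoDB read actions that grantReadData() covers (real action names).
const READ_ACTIONS = [
  "dynamodb:Query",
  "dynamodb:GetItem",
  "dynamodb:Scan",
  "dynamodb:BatchGetItem",
];

/** The statement as reported in the issue: resource is the table ARN only. */
function tableOnlyStatement(tableArn: string): Statement {
  return { Effect: "Allow", Action: READ_ACTIONS, Resource: [tableArn] };
}

/** Table ARN plus all of its secondary indexes (the shape of the workaround). */
function tableAndIndexStatement(tableArn: string): Statement {
  return { Effect: "Allow", Action: READ_ACTIONS, Resource: [tableArn, `${tableArn}/index/*`] };
}

/** IAM-style wildcard match: '*' matches any run, '?' one character, everything else literal. */
function arnMatches(pattern: string, arn: string): boolean {
  const body = pattern
    .split("")
    .map((c) => (c === "*" ? ".*" : c === "?" ? "." : c.replace(/[.+^${}()|[\]\\]/g, "\\$&")))
    .join("");
  return new RegExp(`^${body}$`).test(arn);
}

/** True if the statement allows `action` on `arn` (Allow-only evaluation, no Deny handling). */
function allows(stmt: Statement, action: string, arn: string): boolean {
  return stmt.Action.includes(action) && stmt.Resource.some((r) => arnMatches(r, arn));
}

// Constructed sample values: a table ARN and one global secondary index on it.
const TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/myTable";
const INDEX_ARN = `${TABLE_ARN}/index/byOwner`;

// Table-only statement: the index ARN does not match, which is the AccessDeniedException.
console.log(allows(tableOnlyStatement(TABLE_ARN), "dynamodb:Query", INDEX_ARN)); // false
// Table plus /index/* statement: the same query is allowed.
console.log(allows(tableAndIndexStatement(TABLE_ARN), "dynamodb:Query", INDEX_ARN)); // true
```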
Top GitHub Comments
Note that if you import dynamodb using fromTableAttributes() the problem probably fixes itself both for lambda and appsync (appsync I just tested). Example:
Note my reason for separating databases and APIs/non-storage deployments is lifetime: it's okay to destroy stateless stuff like APIs in case of re-entrancy bugs in CDK or CloudFormation, but really bad to have to destroy databases and recreate them.
From what I can tell, sharing objects does not let you have independent lifetimes for databases and APIs, but export/import does.
I’m not completely opposed to this idea @ahammond . I’m turning this into a feature request.
PRs are welcome, as always 😉.