fix(dynamodb): unsupported actions added to table resource policy #36228
Conversation
github-actions
bot
added
bug
aws-cdk-automation
added
the
pr/needs-maintainer-review
rix0rrr
changed the title
| */ | ||
| public readData(grantee: iam.IGrantable): iam.Grant { | ||
| const actions = [...perms.READ_DATA_ACTIONS, perms.DESCRIBE_TABLE]; | ||
| const actions = [...perms.RESOURCE_READ_DATA_ACTIONS, perms.DESCRIBE_TABLE]; |
There was a problem hiding this comment.
Can you attach a documentation link which talks about this ?
Mainly a documentation link that talks about the specific actions here being segregated into resource and principal only are limited to their respective counterparts.
There was a problem hiding this comment.
I couldn't really find an official documentation that specifies which action is supported by resources and which is only supported by the principal. I only know by deploying these 2 actions that they fail to be attached to the resource.
There was a problem hiding this comment.
This should be okay since READ_STREAM_DATA_ACTIONS also contains dynamodb:DescribeStream which is missing from these set of read permissions
This change should be backward compatible with existing setups and avoid giving full stream read accesses to users due to missing permissions
Merge Queue Status
✅ The pull request has been merged This pull request spent 38 minutes 53 seconds in the queue, including 38 minutes 45 seconds waiting for CI. Required conditions to merge
|
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
4 participants
Issue # (if applicable)
Closes #32230.
Reason for this change
TableandTableV2were adding actionsGetShardItemandGetRecordto the table's resource policy for cross-account resources, service and account principals. The issue is that these actions are not supported in the resource policies. Hence creating a deployment failureDescription of changes
Separated these actions to only be added to the IAM principal, but not the resource for
TableandTableV2constructs.Describe any new or updated permissions being added
No new permissions are added. The
GetShardItemandGetRecordpermissions are removed for resource policies.Description of how you validated changes
Unit and Integration tests have been modified. The integration test failed to deploy before the fix, but now it succeeds after this fix.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license