Add dynamo db access permission to lambda function in cdk

0

I have a Lambda function which writes data to and reads data from DynamoDB. I want to add a resource-based policy to the Lambda function, but I couldn't find any relevant method in the CDK. Though I found the function.addPermission method, it provides permissions to other AWS services to invoke this Lambda.

2 Answers
2

In general, it is recommended to use the grant function rather than granting permission directly from the CDK. For example:

const lambdaFunc = new lambda.Function(....);
const ddbTable = new ddb.Table(...);

ddbTable.grantReadData(lambdaFunc);
ddbTable.grantReadWriteData(lambdaFunc);
Answered 2 years ago
  • Where is this recommended? It seems it's not as granular as adding a policy to the function where you can refine the permission policy to API/Resource? Instead, your example allows all APIs against the table, which is quite permissive.

    If you were to use this approach it would be best if you use the grantStream(grantee, ...actions) function where you can be more restrictive with your permissions.

1
Accepted Answer

For this you can use the add_role_to_policy function:

from aws_cdk import aws_lambda as _lambda
from aws_cdk.aws_lambda_python import PythonFunction
from aws_cdk import aws_iam as iam

my_function = PythonFunction(
    #function logic
)
  
my_function.add_to_role_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    actions=[
        'dynamodb:GetItem',
    ],
    resources=[
        'TABLE_ARN',
    ],
))

The above policy uses Python and grants the Lambda GetItem permissions on the DynamoDB table whose ARN you provide.

More info can be found here

AWS
Expert
Answered 2 years ago
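
As an added example (not part of either answer, and not AWS or CDK code): a check a reviewer can run over the template that `cdk synth` writes, to see which DynamoDB actions a grant helper or an `add_to_role_policy` call actually put on the function's role. The template fragment, the logical IDs and the `audit_dynamodb` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like a synthesized template (cdk.out/*.template.json).
# Logical IDs and statements are made up for this example.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "FnRoleDefaultPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyDocument": {"Statement": [
      {"Effect": "Allow",
       "Action": ["dynamodb:GetItem", "dynamodb:Scan", "dynamodb:DeleteItem"],
       "Resource": [{"Fn::GetAtt": ["Table", "Arn"]}]},
      {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
      {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}
    ]}}}
}}
""")


def as_list(value):
    """IAM accepts either a single value or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def audit_dynamodb(template, allowed_actions):
    """Return (logical_id, problem) pairs for Allow statements whose DynamoDB
    actions exceed allowed_actions or whose resource is the '*' wildcard.
    Only AWS::IAM::Policy resources are inspected."""
    allowed = {a.lower() for a in allowed_actions}  # action names are case-insensitive
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = [a for a in as_list(stmt.get("Action", []))
                       if isinstance(a, str)
                       and (a == "*" or a.lower().startswith("dynamodb:"))]
            if not actions:
                continue  # statement does not touch DynamoDB
            for action in actions:
                if "*" in action:
                    findings.append((logical_id, f"wildcard action {action}"))
                elif action.lower() not in allowed:
                    findings.append((logical_id, f"unexpected action {action}"))
            # Resources are strings or intrinsics such as {"Fn::GetAtt": [...]}
            if "*" in [r for r in as_list(stmt.get("Resource", [])) if isinstance(r, str)]:
                findings.append((logical_id, "resource is '*'"))
    return findings
```

Calling `audit_dynamodb(SAMPLE_TEMPLATE, ["dynamodb:GetItem"])` reports the two extra actions, the `dynamodb:*` wildcard and the unscoped resource, and ignores the S3 statement.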
