2 Answers
- Newest
- Most votes
- Most comments
2
In general, it is recommended to use the grant function rather than granting permission directly from the cdk. for example,
const lambdaFunc = new lambda.Function(....); const ddbTable = new ddb.Table(...); ddbTable.grantReadData(lambdaFunc); ddbTable.grantReadWriteData(lambdaFunc);
answered 2 years ago
1
For this you can use the add_role_to_policy
function:
from aws_cdk import aws_lambda as _lambda
from aws_cdk.aws_lambda_python import PythonFunction
from aws_cdk import aws_iam as iam
my_function = PythonFunction(
#function logic
)
my_function.add_to_role_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
'dynamodb:GetItem',
],
resources=[
'TABLE_ARN',
],
))
The above policy uses Python and grants the Lambda GetItem
permissions on the DynamoDB table which ARN you provide.
More info can be found here
Relevant content
- asked 7 months ago
- asked a year ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 3 years ago
Where is this recommended? It seems its not as granular as adding a policy to the function where you can refine the permission policy to API/Resource? Instead, your example allows all API's against the table which is quite permissive.
If you were to use this approach it would be best if you use the
grantStream(grantee, ...actions)
function where you can be more restrictive with your permissions.