Timestream IAM Policy

0

I would like to create an IAM policy bound to an IAM role that allows Lambda permissions to the WriteRecords API scoped to an individual table. I am using the IAM policy below from the Timestream documentation but receive an 'access denied' for the WriteRecords API unless the resource is scoped to "*" which is not what I require. I have copied the ARN from the Timestream console to ensure there are no character errors, but this seems to make no difference. I would appreciate any assistance so that I can correctly scope the security of my solution.

My current policy follows this example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "timestream:WriteRecords"
            ],
            "Resource": [
                "arn:aws:timestream:us-east-1:<account_id>:database/sampleDB/table/DevOps"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "timestream:DescribeEndpoints"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_id-based-policy-examples.html

otl
asked a year ago, 396 views
2 Answers
0

In Timestream, databases and tables can be used in the Resource element of IAM permissions. Some Timestream actions, such as those for creating resources, cannot be performed on a specific resource. In those cases, you must use the wildcard (*).

Please refer to: https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_service-with-iam.html

AWS
EXPERT
answered a year ago
0

Thanks for the info. Can you explain why the policy above does not work? This is from the official Timestream docs but does not provide access to the Table. This seems either like a documentation and/or product bug.

otl
answered a year ago
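
A local check for the scoping problem discussed in this thread, as an added example that is not part of the original posts or AWS's own code: it compares the ARN a WriteRecords call targets against each Resource pattern in the policy and names the ARN field (region, account, resource path) that differs. The account ID 111122223333, the function names, and the case-sensitive comparison of resource ARNs are assumptions; Deny statements, conditions and policy variables are not modelled.

```python
import re

# Policy from the question; the 12-digit account ID is a constructed placeholder.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["timestream:WriteRecords"], "Resource": [
            "arn:aws:timestream:us-east-1:111122223333:database/sampleDB/table/DevOps"]},
        {"Effect": "Allow", "Action": ["timestream:DescribeEndpoints"], "Resource": "*"},
    ],
}
ARN_FIELDS = ("partition", "service", "region", "account", "resource")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, text, ignore_case=False):
    """IAM-style wildcard match: * is any run of characters, ? is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(regex, text, flags) is not None

def explain(policy, action, request_arn):
    """Return (allowed, notes); notes name the ARN fields that kept a statement from matching."""
    notes = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements and conditions are not modelled here
        # Action names are matched case-insensitively
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            if _glob(res, request_arn):  # assumption: resource ARNs compared case-sensitively
                return True, [f"statement {i} matches via {res}"]
            want, got = res.split(":", 5)[1:], request_arn.split(":", 5)[1:]
            diff = [f for f, w, g in zip(ARN_FIELDS, want, got) if not _glob(w, g)]
            notes.append(f"statement {i}: no match on {', '.join(diff) or 'ARN shape'}")
    return False, notes or ["no Allow statement covers this action"]

if __name__ == "__main__":
    # Constructed request: same table name, but in a different region than the policy.
    target = "arn:aws:timestream:us-west-2:111122223333:database/sampleDB/table/DevOps"
    print(explain(POLICY, "timestream:WriteRecords", target))
```

Feed it the ARN built from the region, account and names the Lambda function actually uses; a reported field mismatch points at the part of the Resource entry to compare against the console value.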
