Python CDK DynamoDB Table.grant_read_write doesn't include PartiQL permissions.


I am using the python CDK to grant a lambda function permissions to a DynamoDB table.

If I use my_table.grant_read_write(my_lambda), the lambda fails with the error "no identity-based policy allows the dynamodb:PartiQLUpdate action".

However, if I use my_table.grant_full_access(my_lambda), the lambda succeeds and I can confirm the updates were made.

I don't want to grant full access. I can add an inline policy to the lambda, but I am trying to understand why the builtin method doesn't work.

Why don't the read/write permissions cover the PartiQL statements?

1 Answer

That is the current expected behavior:

  • BatchGetItem
  • GetRecords
  • GetShardIterator
  • Query
  • GetItem
  • Scan
  • BatchWriteItem
  • PutItem
  • UpdateItem
  • DeleteItem

Whereas grantFullAccess simply allows all: Permits all DynamoDB operations ("dynamodb:*") to an IAM principal.

In order to allow PartiQL operations you can do the following:

table.grant(my_lambda, 'dynamodb:PartiQLSelect')

Moreover, you can contribute to CDK to amend this, as it is open source, or simply create a feature request on GitHub: https://github.com/aws/aws-cdk

AWS
EXPERT
answered 2 months ago
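The answer's table.grant call grants a single PartiQL action, while the question's failing statement was an UPDATE. The following is an added example, not code from the question, the answer, or the CDK project: a standard-library-only Python script that works out which of the four PartiQL IAM actions (dynamodb:PartiQLSelect, PartiQLInsert, PartiQLUpdate, PartiQLDelete) a given set of PartiQL statements needs, and checks them against the action list the answer gives for grant_read_write_data versus the "dynamodb:*" of grant_full_access using IAM-style wildcard matching. The sample statements, the table name my_table, and the grantee name my_lambda are constructed for the example; the READ_WRITE_ACTIONS list is copied from the answer above, and the CDK call in the comment assumes grant() accepts several action names after the grantee.

```python
"""Least-privilege PartiQL grants for a CDK DynamoDB table (added example).

Only the standard library is used, so this runs offline; it does not
import aws_cdk. The resulting action list is what you would pass to
    my_table.grant(my_lambda, *least_privilege_actions(STATEMENTS))
in the CDK stack (assumed usage; grant() scopes the Resource to the table).
"""
import fnmatch
import re

# Actions the answer above lists for grant_read_write_data (copied from the answer).
READ_WRITE_ACTIONS = [
    "dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator",
    "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan",
    "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem",
]

# grant_full_access: every DynamoDB action, which is why the lambda worked with it.
FULL_ACCESS_ACTIONS = ["dynamodb:*"]

# IAM action that gates each kind of PartiQL statement, keyed by its leading keyword.
PARTIQL_ACTION_BY_KEYWORD = {
    "SELECT": "dynamodb:PartiQLSelect",
    "INSERT": "dynamodb:PartiQLInsert",
    "UPDATE": "dynamodb:PartiQLUpdate",
    "DELETE": "dynamodb:PartiQLDelete",
}

# Constructed sample statements the hypothetical lambda executes.
STATEMENTS = [
    "SELECT * FROM my_table WHERE pk = ?",
    "UPDATE my_table SET status = ? WHERE pk = ?",
]


def partiql_action_for(statement: str) -> str:
    """Return the IAM action a single PartiQL statement needs, based on its keyword."""
    match = re.match(r"\s*([A-Za-z]+)", statement)
    if not match:
        raise ValueError("empty PartiQL statement")
    keyword = match.group(1).upper()
    if keyword not in PARTIQL_ACTION_BY_KEYWORD:
        raise ValueError(f"unsupported PartiQL statement keyword: {keyword}")
    return PARTIQL_ACTION_BY_KEYWORD[keyword]


def least_privilege_actions(statements) -> list:
    """Sorted, de-duplicated set of PartiQL actions the statements require."""
    return sorted({partiql_action_for(s) for s in statements})


def action_allowed(action: str, allowed_actions) -> bool:
    """IAM-style Action matching: case-insensitive, with '*' and '?' wildcards."""
    wanted = action.lower()
    return any(fnmatch.fnmatchcase(wanted, pattern.lower()) for pattern in allowed_actions)


def missing_actions(statements, allowed_actions) -> list:
    """PartiQL actions the statements need that the policy's Allow list does not cover."""
    return [a for a in least_privilege_actions(statements)
            if not action_allowed(a, allowed_actions)]


def compare_grants() -> dict:
    """Show the gap for each grant style: read/write, full access, and targeted."""
    targeted = READ_WRITE_ACTIONS + least_privilege_actions(STATEMENTS)
    return {
        "grant_read_write": missing_actions(STATEMENTS, READ_WRITE_ACTIONS),
        "grant_full_access": missing_actions(STATEMENTS, FULL_ACCESS_ACTIONS),
        "read_write_plus_partiql": missing_actions(STATEMENTS, targeted),
    }


if __name__ == "__main__":
    for grant_style, gap in compare_grants().items():
        print(f"{grant_style}: missing {gap or 'nothing'}")
    print("grant these:", least_privilege_actions(STATEMENTS))
```

Running the script reports that grant_read_write leaves both PartiQLSelect and PartiQLUpdate uncovered (the second being the action named in the question's error), that "dynamodb:*" covers everything, and that adding only the two actions the statements actually use closes the gap without resorting to grant_full_access. Derive the statement list from the code the lambda really runs rather than granting all four PartiQL actions by default.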
