Using a ConditionExpression in UpdateItem, without granting Write permission to the attribute used in the ConditionExpression


I have a DynamoDB database where I'm trying to lock down access to a table (MyTable) to only allow certain updates to be performed by certain users. So the table has items with attributes such as Name, Email, ItemStatus, PrivateAttr1, PrivateAttr2 etc. UserA is allowed to update the Name, Email etc. but not ItemStatus, PrivateAttr1, PrivateAttr2 etc.

To achieve this, UserA belongs to a group to which I have applied a number of IAM policies including one which allows "UpdateItem" with the following Condition:

"Condition": { "ForAllValues:StringEqualsIfExists": { "dynamodb:Attributes": [ "Name", "Email" ] } }

This all works correctly - I'm using the C++ SDK - and allows UserA to change ONLY the Name and Email attributes but without allowing them to update ItemStatus, Attr1 and Attr2.

What I want to do now is only allow this change based on a specific value of the "ItemStatus" attribute. But this particular user is not allowed to CHANGE the ItemStatus attribute. But I want them to be able to only update other attributes if the ItemStatus attribute (as set by another user) is a certain value (say 2). So I have added a ConditionExpression "ItemStatus = :status" and added an AttributeValue of (:status = 2). But instead of getting a failure along the lines of "Conditional Request failed", I am getting a permissions failure: "User: .../UserA is not authorized to perform: dynamodb:UpdateItem on resource: ....:table/MyTable"

It appears that in order to allow the UpdateItem expression to include a ConditionExpression based on the ItemStatus, I need to include ItemStatus in the "UpdateItem" IAM Policy - surely this is not the case, as it also allows UserA to be able to edit the ItemStatus, which I DON'T want to allow.

Thanks in advance for any pointers on how to achieve this!

asked 10 months ago · 313 views
1 Answer

Hi, what you are trying to achieve is not currently possible in a single operation with DynamoDB, as ConditionExpression is not a read operation; it's a write operation. As you have blocked this user from UpdateItem on that attribute, they will be unable to do a conditional check on it. You would need to read the item first, making your assertion on the client side before updating.

Let me know if you would like me to raise a Feature Request with the team for this functionality.

answered 10 months ago
  • Hi Leeroy, many thanks for the quick reply. That makes sense, although I do think that Condition Expression should be treated as a "read" operation even when it's part of a "Write" operation. So yes, please do raise a feature request - and if you can, I'd be grateful if you could let me know how I could keep track of whether that functionality is going to be included! In the meantime I'll find a way around this by doing a "read" first, but ideally I'd be able to do it all as part of the same request. Thanks!

  • I can raise the FR for you, consider that done. But unfortunately there is no way to track requests. Rest assured the team implements requests based on demand and customer needs.

    You can keep up with the latest feature releases on the AWS Portal
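The permission failure described in the question can be reproduced without an AWS account by modelling how the dynamodb:Attributes condition key is evaluated: the key carries every attribute name the request references, including names that appear only in the ConditionExpression, and ForAllValues:StringEqualsIfExists requires all of them to be in the policy's list. The following is an added example, not code from the page and not the IAM engine; the parser is a simplified re-implementation of that documented rule for the top-level attribute names used in the question. The table key name (Id), the key value and the sample attribute values are assumptions, since the page does not show them; Name and Email are the attributes from the question's policy.

```python
"""Model of IAM fine-grained access evaluation for a DynamoDB UpdateItem.

Added example. Shows why a ConditionExpression on ItemStatus turns an
otherwise permitted UpdateItem into AccessDenied when the policy's
dynamodb:Attributes list contains only Name and Email.
"""
from __future__ import annotations

import re

# The allow-list from the question's policy condition:
#   "ForAllValues:StringEqualsIfExists": {"dynamodb:Attributes": ["Name", "Email"]}
ALLOWED_ATTRIBUTES = {"Name", "Email"}

# Expression keywords and functions that are not attribute names.
KEYWORDS = {
    "SET", "REMOVE", "ADD", "DELETE", "AND", "OR", "NOT", "BETWEEN", "IN",
    "ATTRIBUTE_EXISTS", "ATTRIBUTE_NOT_EXISTS", "ATTRIBUTE_TYPE", "BEGINS_WITH",
    "CONTAINS", "SIZE", "IF_NOT_EXISTS", "LIST_APPEND",
}

# Assumed key attribute; the page does not name the table's key.
KEY = {"Id": {"S": "item-1"}}


def referenced_attributes(request: dict) -> set[str]:
    """Return every top-level attribute name the request refers to.

    Both UpdateExpression and ConditionExpression are scanned. Name
    placeholders (#n) are resolved via ExpressionAttributeNames; value
    placeholders (:v) are values, not attributes, and are skipped.
    """
    names = request.get("ExpressionAttributeNames", {})
    found: set[str] = set()
    for expr in (request.get("UpdateExpression", ""), request.get("ConditionExpression", "")):
        for token in re.findall(r"[:#]?[A-Za-z_][A-Za-z0-9_]*", expr):
            if token.startswith(":"):
                continue  # expression attribute value, e.g. :status
            if token.startswith("#"):
                found.add(names[token])  # e.g. #n -> Name (NAME is a reserved word)
            elif token.upper() not in KEYWORDS:
                found.add(token)
    return found


def for_all_values_string_equals_if_exists(requested: set[str], allowed: set[str]) -> bool:
    """IAM semantics of ForAllValues:StringEqualsIfExists.

    True when every requested value is in the allowed set. An absent or empty
    request set (modelled as an empty set) also evaluates to True, which is
    why AWS warns that ForAllValues with an Allow effect can be over-permissive.
    """
    return requested <= allowed


def authorize_update(request: dict, allowed: set[str] = ALLOWED_ATTRIBUTES) -> dict:
    """Evaluate the policy condition against one UpdateItem request."""
    attrs = referenced_attributes(request)
    return {
        "allowed": for_all_values_string_equals_if_exists(attrs, allowed),
        "referenced": attrs,
        "outside_policy": attrs - allowed,
    }


# Request 1: the update that works in the question (only Name and Email).
UPDATE_NAME_EMAIL = {
    "TableName": "MyTable",
    "Key": KEY,
    "UpdateExpression": "SET #n = :n, Email = :e",
    "ExpressionAttributeNames": {"#n": "Name"},
    "ExpressionAttributeValues": {":n": {"S": "Alice"}, ":e": {"S": "alice@example.com"}},
}

# Request 2: the same update guarded by the ConditionExpression from the question.
CONDITIONAL_UPDATE = dict(
    UPDATE_NAME_EMAIL,
    ConditionExpression="ItemStatus = :status",
    ExpressionAttributeValues={**UPDATE_NAME_EMAIL["ExpressionAttributeValues"], ":status": {"N": "2"}},
)

# Request 3: what widening the policy to include ItemStatus would also permit.
SET_STATUS = {
    "TableName": "MyTable",
    "Key": KEY,
    "UpdateExpression": "SET ItemStatus = :s",
    "ExpressionAttributeValues": {":s": {"N": "9"}},
}

if __name__ == "__main__":
    print("update Name/Email      ->", authorize_update(UPDATE_NAME_EMAIL))
    print("with ItemStatus check  ->", authorize_update(CONDITIONAL_UPDATE))
    print("widened policy, SET ItemStatus ->",
          authorize_update(SET_STATUS, ALLOWED_ATTRIBUTES | {"ItemStatus"}))
```

Running it shows the first request allowed, the second denied with ItemStatus as the attribute outside the policy, and the third allowed once ItemStatus is added to the list, which is exactly the trade-off the question objects to. Two caveats for anyone adopting the answer's read-then-write workaround: the GetItem and the UpdateItem are separate requests, so another writer can change ItemStatus between them (the client-side check is not atomic the way a server-side ConditionExpression is), and the read policy must itself allow ItemStatus in dynamodb:Attributes for the check to be possible. Also note that the AWS fine-grained access examples pair dynamodb:Attributes with a dynamodb:ReturnValues condition limited to NONE, UPDATED_OLD and UPDATED_NEW, because ReturnValues of ALL_OLD or ALL_NEW would otherwise hand back the attributes the policy was meant to hide.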
