Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Using a ConditionExpression in UpdateItem, without granting Write permission to the attribute used in the ConditionExpression

1

I have a DynamoDB database where I'm trying to lock down access to a table (MyTable) to only allow certain updates to be performed by certain users. So the table has items with attributes such as Name, Email, ItemStatus, PrivateAttr1, PrivateAttr2 etc. UserA is allowed to update the Name, Email etc. but not ItemStatus, PrivateAttr1, PrivateAttr2 etc.

To achieve this, UserA belongs to a group to which I have applied a number of IAM policies including one which allows "UpdateItem" with the following Condition:

"Condition": { "ForAllValues:StringEqualsIfExists": { "dynamodb:Attributes": [ "Name", "Email" ] } }

This all works correctly - I'm using the C++ SDK - and allows UserA to change ONLY the Name and Email attributes but without allowing them to update ItemStatus, Attr1 and Attr2.

What I want to do now is only allow this change based on a specific value of the "ItemStatus" attribute. But this particular user is not allowed to CHANGE the ItemStatus attribute. But I want them to be able to only update other attributes if the ItemStatus attribute (as set by another user) is a certain value (say 2). So I have added a ConditionExpression "ItemStatus = :status" and added a AttributeValue of (:status = 2). But instead of getting a failure along the lines of "Conditional Request failed", I am getting a permissions failure: "User: .../UserA is not authorized to perform: dynamodb:UpdateItem on resource: ....:table/MyTable"

It appears that in order to allow the UpdateItem expression to include a ConditionExpression based on the ItemStatus, I need to include ItemStatus in the "UpdateItem" IAM Policy - surely this is not the case, as it also allows UserA to be able to edit the ItemStatus, which I DON'T want to allow.

Thanks in advance for any pointers on how to achieve this!

  • ReiGun
    a year ago

    hi there. I can't get my UpdateItem to work on a single attribute like you. Can you show me your policy please? here's mine:

    { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUpdateTechnicianIDsOnly", "Effect": "Allow", "Action": "dynamodb:UpdateItem", "Resource": "arn:aws:dynamodb:::table/[table-name]", "Condition": { "ForAllValues:StringEqualsIfExists": { "dynamodb:Attributes": [ "technician_ids" ] } } } ] }

    this gets rejected when I try to just set the attribute/column I'm allowing

Topics
Database
Tags
Amazon DynamoDB
Language
English
asked 4 years ago1.6K views
1 Answer
1
Accepted Answer

Hi, What you are trying to achieve is not currently possible in a single operation with DynamoDB, as ConditionExpression is not a read operation, its a write operation. As you have blocked this user from UpdateItem on that attribute, they will be unable to do a conditional check on it. You would need to read the item first, making your assertion on the client side before updating.

Let me know if you would like me to raise a Feature Request with the team for this functionality.

AWS
EXPERT
answered 4 years ago
EXPERT
reviewed 2 years ago
  • Liam
    4 years ago

    Hi Leeroy, many thanks for the quick reply. That makes sense, although I do think that Condition Expression should be treated as a "read" operation even when it's part of a "Write" operation. So yes, please do raise a feature request - and if you can, I'd be grateful if you could let me know how I could keep track of whether that functionality is going to be included! In the meantime I'll find a way around this by doing a "read" first, but ideally I'd be able to do it all as part of the same request. Thanks!

  • Leeroy Hannigan EXPERT
    4 years ago

    I can raise the FR for you, consider that done. But unfortunately there is no way to track requests. Rest assured the team implement requests based on demand and customer needs.

    You can keep up with the latest feature releases on the AWS Portal https://aws.amazon.com/new/

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content