How to set IAM to allow autoscaling specific dynamodb tables

I'm trying to write a Python (boto3) script to set up users, permissions, and name-spaced tables (using table prefixes).

Most of this is working, but I can't get past an "Account is not authorized" error when trying to set autoscaling on the DynamoDB tables.

Below I'll post one of the iterations for IAM policies I've attempted, followed by the python code that attempts to set the autoscaling.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dax:*",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:GetMetricData",
                "datapipeline:ActivatePipeline",
                "datapipeline:CreatePipeline",
                "datapipeline:DeletePipeline",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:PutPipelineDefinition",
                "datapipeline:QueryObjects",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "iam:GetRole",
                "iam:ListRoles",
                "resource-groups:ListGroups",
                "resource-groups:ListGroupResources",
                "resource-groups:GetGroup",
                "resource-groups:GetGroupQuery",
                "resource-groups:DeleteGroup",
                "resource-groups:CreateGroup",
                "tag:GetResources",
                "kinesis:ListStreams",
                "kinesis:DescribeStream",
                "kinesis:DescribeStreamSummary"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:us-east-1:(redacted):table/devin_*",
                "arn:aws:application-autoscaling:us-east-1:(redacted):scalable-target/*"
            ]
        },
        {
            "Action": "cloudwatch:GetInsightRuleReport",
            "Effect": "Allow",
            "Resource": "arn:aws:cloudwatch:*:*:insight-rule/DynamoDBContributorInsights*"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "application-autoscaling.amazonaws.com",
                        "application-autoscaling.amazonaws.com.cn",
                        "dax.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "replication.dynamodb.amazonaws.com",
                        "dax.amazonaws.com",
                        "dynamodb.application-autoscaling.amazonaws.com",
                        "contributorinsights.dynamodb.amazonaws.com",
                        "kinesisreplication.dynamodb.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

import boto3

# Application Auto Scaling is its own service; scaling policies for DynamoDB
# tables are managed through this client, not the dynamodb client.
client = boto3.client('application-autoscaling')

prefix = 'devin'    # table name prefix (namespace), set earlier in the script
table = 'example'   # placeholder table name without the prefix

response = client.put_scaling_policy(
    PolicyName=prefix + '_' + table + "_read_scaling",
    ServiceNamespace='dynamodb',
    ResourceId='table/' + prefix + '_' + table,
    ScalableDimension='dynamodb:table:ReadCapacityUnits',
    PolicyType='StepScaling',
    StepScalingPolicyConfiguration={
        'AdjustmentType': 'ChangeInCapacity',
        'StepAdjustments': [
            {
                'MetricIntervalLowerBound': 1,
                'MetricIntervalUpperBound': 20,
                'ScalingAdjustment': 2
            },
        ],
        'MinAdjustmentMagnitude': 2,
        'Cooldown': 120,
        'MetricAggregationType': 'Average'
    }
)

devin
asked 10 months ago, 244 views
1 Answer
Hi, see https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.Console.html#AutoScaling.Permissions

Granting user permissions for DynamoDB auto scaling
In AWS Identity and Access Management (IAM), the AWS managed policy DynamoDBFullAccess 
provides the required permissions for using the DynamoDB console. However, for DynamoDB 
auto scaling, users require additional permissions.

Important
To delete an auto scaling-enabled table, application-autoscaling:* permissions are required.
The AWS managed policy DynamoDBFullAccess includes such permissions.

To set up a user for DynamoDB console access and DynamoDB auto scaling, create a role 
and add the AmazonDynamoDBFullAccess policy to that role. Then assign the role to a user.

So, you have to check the content of the DynamoDBFullAccess managed policy and replicate its allow permissions in your own policy. Also, you may want to replace your granular allows on application-autoscaling with application-autoscaling:* as suggested.

Best, Didier

AWS EXPERT
answered 10 months ago
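An added example, not code from the question or the answer: a boto3-style script that builds a prefix-scoped policy along the lines the answer suggests (application-autoscaling:* instead of hand-picked actions, plus the service-linked-role grant), runs an offline sanity check of what the policy allows, and shows the call order Application Auto Scaling expects (RegisterScalableTarget before PutScalingPolicy). The account id, region, prefix and table names are constructed, `RecordingClient` is a stand-in for `boto3.client('application-autoscaling')`, and the exact DynamoDB action set should still be taken from the AmazonDynamoDBFullAccess policy as the answer says.

```python
"""Added example: prefix-scoped IAM policy for DynamoDB auto scaling, an offline
check of what it grants, and the register-then-put scaling call sequence.
Account id, region and table names below are constructed values."""
import fnmatch
import json
from typing import Any, Dict, List, Union

Policy = Dict[str, Any]


def build_policy(account_id: str, region: str, prefix: str) -> Policy:
    """Policy granting DynamoDB access only to tables named '<prefix>_*' plus the
    auto scaling permissions the answer points to."""
    # IAM's '*' matches across '/', so this pattern also covers the tables' indexes.
    table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{prefix}_*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Data and control plane, limited to the namespaced tables.
                "Sid": "PrefixedTables",
                "Effect": "Allow",
                "Action": ["dynamodb:*"],
                "Resource": [table_arn],
            },
            {   # Wildcard as the answer advises; deleting an auto-scaled table needs it too.
                "Sid": "AutoScaling",
                "Effect": "Allow",
                "Action": ["application-autoscaling:*"],
                "Resource": "*",
            },
            {   # Target-tracking policies create and remove CloudWatch alarms for the caller.
                "Sid": "ScalingAlarms",
                "Effect": "Allow",
                "Action": ["cloudwatch:PutMetricAlarm", "cloudwatch:DescribeAlarms",
                           "cloudwatch:DeleteAlarms"],
                "Resource": "*",
            },
            {   # First use of DynamoDB auto scaling creates this service-linked role.
                "Sid": "ServiceLinkedRole",
                "Effect": "Allow",
                "Action": ["iam:CreateServiceLinkedRole"],
                "Resource": "*",
                "Condition": {"StringEquals": {
                    "iam:AWSServiceName": "dynamodb.application-autoscaling.amazonaws.com"}},
            },
        ],
    }


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy: Policy, action: str, resource: str) -> bool:
    """Offline approximation of IAM evaluation: an explicit Deny wins, otherwise any
    Allow whose Action and Resource patterns match. Condition blocks are ignored, so
    this checks scoping only; use the IAM policy simulator for authoritative answers."""
    matched_allow = False
    for stmt in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return False
            matched_allow = True
    return matched_allow


def enable_read_autoscaling(client, prefix: str, table: str, min_cap: int, max_cap: int,
                            target_utilization: float = 70.0) -> str:
    """Register the table as a scalable target, then attach a target-tracking policy.
    PutScalingPolicy fails unless the scalable target has been registered first."""
    resource_id = f"table/{prefix}_{table}"
    dimension = "dynamodb:table:ReadCapacityUnits"
    client.register_scalable_target(
        ServiceNamespace="dynamodb", ResourceId=resource_id, ScalableDimension=dimension,
        MinCapacity=min_cap, MaxCapacity=max_cap)
    client.put_scaling_policy(
        PolicyName=f"{prefix}_{table}_read_scaling", ServiceNamespace="dynamodb",
        ResourceId=resource_id, ScalableDimension=dimension, PolicyType="TargetTrackingScaling",
        TargetTrackingScalingPolicyConfiguration={
            "TargetValue": target_utilization,
            "PredefinedMetricSpecification": {
                "PredefinedMetricType": "DynamoDBReadCapacityUtilization"},
            "ScaleInCooldown": 60, "ScaleOutCooldown": 60})
    return resource_id


class RecordingClient:
    """Constructed stand-in for boto3.client('application-autoscaling'): records the
    calls so the sequence can be inspected without credentials or network access."""
    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def register_scalable_target(self, **kwargs) -> Dict[str, Any]:
        self.calls.append(("RegisterScalableTarget", kwargs))
        return {}

    def put_scaling_policy(self, **kwargs) -> Dict[str, Any]:
        self.calls.append(("PutScalingPolicy", kwargs))
        return {}


if __name__ == "__main__":
    policy = build_policy("123456789012", "us-east-1", "devin")  # constructed values
    print(json.dumps(policy, indent=2))
    fake = RecordingClient()
    enable_read_autoscaling(fake, "devin", "orders", 5, 100)
    print([name for name, _ in fake.calls])
    # Live use: import boto3; enable_read_autoscaling(boto3.client("application-autoscaling"), ...)
```

Attach the generated document as a customer managed policy to the user or role the script runs as; `is_allowed` is only there to catch scoping mistakes (a table outside the prefix, a missing service) before the policy is uploaded.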
