I'm trying to write a Python (boto3) script to set up users, permissions, and namespaced tables (using table prefixes).
Most of this is working, but I can't get past an "Account is not authorized" error when trying to set autoscaling on the DynamoDB tables.
Below I'll post one of the iterations of the IAM policy I've attempted, followed by the Python code that attempts to set the autoscaling.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dax:*",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingActivities",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:RegisterScalableTarget",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricAlarm",
"cloudwatch:GetMetricData",
"datapipeline:ActivatePipeline",
"datapipeline:CreatePipeline",
"datapipeline:DeletePipeline",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:PutPipelineDefinition",
"datapipeline:QueryObjects",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"iam:GetRole",
"iam:ListRoles",
"resource-groups:ListGroups",
"resource-groups:ListGroupResources",
"resource-groups:GetGroup",
"resource-groups:GetGroupQuery",
"resource-groups:DeleteGroup",
"resource-groups:CreateGroup",
"tag:GetResources",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:us-east-1:(redacted):table/devin_*",
"arn:aws:application-autoscaling:us-east-1:(redacted):scalable-target/*"
]
},
{
"Action": "cloudwatch:GetInsightRuleReport",
"Effect": "Allow",
"Resource": "arn:aws:cloudwatch:*:*:insight-rule/DynamoDBContributorInsights*"
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": [
"application-autoscaling.amazonaws.com",
"application-autoscaling.amazonaws.com.cn",
"dax.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"replication.dynamodb.amazonaws.com",
"dax.amazonaws.com",
"dynamodb.application-autoscaling.amazonaws.com",
"contributorinsights.dynamodb.amazonaws.com",
"kinesisreplication.dynamodb.amazonaws.com"
]
}
}
}
]
}
# Attach a step-scaling policy to the read capacity of the prefixed table.
# `client`, `prefix` and `table` are defined earlier in the script (not shown
# here); `client` is presumably an Application Auto Scaling client.
scaled_table = prefix + '_' + table
read_policy_name = scaled_table + "_read_scaling"

# One step adjustment: when the alarm metric sits 1..20 above the alarm
# threshold, add 2 capacity units; never adjust by fewer than 2 units, and
# wait 120 s between scaling actions.
step_config = {
    'AdjustmentType': 'ChangeInCapacity',
    'StepAdjustments': [
        {
            'MetricIntervalLowerBound': 1,
            'MetricIntervalUpperBound': 20,
            'ScalingAdjustment': 2
        },
    ],
    'MinAdjustmentMagnitude': 2,
    'Cooldown': 120,
    'MetricAggregationType': 'Average'
}

# NOTE(review): PutScalingPolicy expects the table to already be registered as
# a scalable target (RegisterScalableTarget) for this ResourceId and
# ScalableDimension. If the "not authorized" error persists, read which action
# and resource the AccessDenied message names and grant exactly that, rather
# than widening the policy to full access.
response = client.put_scaling_policy(
    PolicyName=read_policy_name,
    ServiceNamespace='dynamodb',
    ResourceId='table/' + scaled_table,
    ScalableDimension='dynamodb:table:ReadCapacityUnits',
    PolicyType='StepScaling',
    StepScalingPolicyConfiguration=step_config
)
Interestingly, three AWS experts are suggesting the use of a Full Access policy. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege