I have a DynamoDB database where I'm trying to lock down access to a table (MyTable) to only allow certain updates to be performed by certain users. So the table has items with attributes such as Name, Email, ItemStatus, PrivateAttr1, PrivateAttr2 etc. UserA is allowed to update the Name, Email etc. but not ItemStatus, PrivateAttr1, PrivateAttr2 etc.
To achieve this, UserA belongs to a group to which I have applied a number of IAM policies including one which allows "UpdateItem" with the following Condition:
    "Condition": {
        "ForAllValues:StringEqualsIfExists": {
            "dynamodb:Attributes": [
                "Name",
                "Email"
            ]
        }
    }
This all works correctly - I'm using the C++ SDK - and allows UserA to change ONLY the Name and Email attributes but without allowing them to update ItemStatus, Attr1 and Attr2.
What I want to do now is only allow this change based on a specific value of the "ItemStatus" attribute. But this particular user is not allowed to CHANGE the ItemStatus attribute. But I want them to be able to only update other attributes if the ItemStatus attribute (as set by another user) is a certain value (say 2).
So I have added a ConditionExpression "ItemStatus = :status" and added an AttributeValue of (:status = 2). But instead of getting a failure along the lines of "Conditional Request failed", I am getting a permissions failure: "User: .../UserA is not authorized to perform: dynamodb:UpdateItem on resource: ....:table/MyTable"
It appears that in order to allow the UpdateItem expression to include a ConditionExpression based on the ItemStatus, I need to include ItemStatus in the "UpdateItem" IAM Policy - surely this is not the case, as it also allows UserA to be able to edit the ItemStatus, which I DON'T want to allow.
Thanks in advance for any pointers on how to achieve this!
Hi Leeroy, many thanks for the quick reply. That makes sense, although I do think that Condition Expression should be treated as a "read" operation even when it's part of a "Write" operation. So yes, please do raise a feature request - and if you can, I'd be grateful if you could let me know how I could keep track of whether that functionality is going to be included! In the meantime I'll find a way around this by doing a "read" first, but ideally I'd be able to do it all as part of the same request. Thanks!
I can raise the FR for you, consider that done. But unfortunately there is no way to track requests. Rest assured the team implements requests based on demand and customer needs.
You can keep up with the latest feature releases on the AWS Portal https://aws.amazon.com/new/