Python CDK DynamoDB Table.grant_read_write doesn't include PartiQL permissions.

Question

I am using the python CDK to grant a lambda function permissions to a DynamoDB table.

if I use:  my_table.grant_read_write(my_lambda) the lambda fails with error "no identity-based policy allows the dynamodb:PartiQLUpdate action'"

however, if I use:  my_table.grant_full_access(my_lambda) the lambda succeeds and I can confirm the updates were made.

I don't want to grant full access. I can add a inline policy to the lambda, but I am trying to understand why the builtin method doesn't work.

Why doesn't the read/write permissions cover the partiQL statements?

Answer

That is the current [expected behavior](https://github.com/aws/aws-cdk/blob/1fd548588274a83810a55090dcc3a3a152c5116d/packages/aws-cdk-lib/aws-dynamodb/lib/shared.ts#L350):

- BatchGetItem
- GetRecords
- GetShardIterator
- Query
- GetItem
- Scan

- BatchWriteItem
- PutItem
- UpdateItem
- DeleteItem

Whereas grantFullAccess simply allows all: `Permits all DynamoDB operations ("dynamodb:*") to an IAM principal.`

In order to allow PartiQL operations you can do the following:

`table.grant(my_lambda, 'dynamodb:PartiQLSelect');`

Moreover, you can contribute to CDK to make amends as it is open source, or simply create a feature request on the GitHub: https://github.com/aws/aws-cdk

Python CDK DynamoDB Table.grant_read_write doesn't include PartiQL permissions.

相關內容