
aws_dynamodb: Unable to create table with resource policy with certain dynamodb actions #32230

frankpengau opened this issue Nov 21, 2024 · 0 comments
Labels
@aws-cdk/aws-dynamodb Related to Amazon DynamoDB bug This issue is a bug. needs-reproduction This issue needs reproduction. p2


@frankpengau
Contributor

Describe the bug

Unable to create dynamodb table v2 with a resource policy that contains certain dynamodb actions relating to streams.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DynamoDBIndexAndStreamAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetShardIterator",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:ListStreams"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-ddb-role-1",
                    "arn:aws:iam::123456789012:role/test-ddb-role-2",
                    "arn:aws:iam::123456789012:role/test-ddb-role-3"
                ]
            },
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/index/*",
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/stream/*"
            ]
        },
        {
            "Sid": "DynamoDBTableAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:ConditionCheckItem",
                "dynamodb:PutItem",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-ddb-role-1",
                    "arn:aws:iam::123456789012:role/test-ddb-role-2",
                    "arn:aws:iam::123456789012:role/test-ddb-role-3"
                ]
            },
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test"
            ]
        }
    ]
}

Following example from: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/iam-policy-example-data-crud.html

Resource handler returned message: "One or more parameter values were invalid: Invalid policy document: The following action names are invalid: "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:DescribeStream", "dynamodb:ListStreams" (Service: DynamoDb, Status Code: 400, ... HandlerErrorCode: InvalidRequest)

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

DynamoDB Table V2 should be created with expected resource policy given.

Current Behavior

Failure to create DynamoDB Table V2

Reproduction Steps

Repo: https://github.com/frankpengau/aws-cdk-ddbv2-resource-policy-issue

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.169.0

Framework Version

No response

Node.js Version

22.11.0

OS

macOS Sonoma 14.7.1 (Darwin 23.6.0)

Language

TypeScript

Language Version

TypeScript (5.6.3)

Other information

No response

@frankpengau frankpengau added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2024
@github-actions github-actions bot added the @aws-cdk/aws-dynamodb Related to Amazon DynamoDB label Nov 21, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2024
@khushail khushail self-assigned this Nov 21, 2024
@khushail khushail added the p2 label Nov 21, 2024
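The error quoted in the report says the table-level resource policy rejects exactly four action names, all of them stream operations. The following is an added example in the issue's language (TypeScript); it is not code from the reporter's repository or from aws-cdk. It does two things a practitioner wants before `cdk deploy`: it lists any stream-only actions in a policy document (so the failure surfaces at synth time rather than as a CloudFormation 400), and it splits the document into a table-scoped part and a stream-scoped part, turning a mixed statement such as `DynamoDBIndexAndStreamAccess` into two statements, each scoped to the ARNs it actually needs. The set of stream actions is taken from the issue's error message; the assumption that the stream part is attached to the stream ARN separately rather than to the table is the editor's reading of the DynamoDB documentation and is not something the issue confirms. The sample policy in the block is constructed from the one posted above, shortened to a single principal.

```typescript
// Added example (not from aws-cdk or the reporter's repo): validate and split a
// DynamoDB resource policy into the part a table accepts and the stream part.

type StringOrList = string | string[];

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: StringOrList;
  Principal?: unknown;
  Resource: StringOrList;
  Condition?: unknown;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// The four action names the issue's CloudFormation error reports as invalid
// in a table resource policy.
const STREAM_ACTIONS: ReadonlySet<string> = new Set([
  "dynamodb:GetRecords",
  "dynamodb:GetShardIterator",
  "dynamodb:DescribeStream",
  "dynamodb:ListStreams",
]);

function asList(v: StringOrList): string[] {
  return Array.isArray(v) ? v : [v];
}

// Stream ARNs have the shape arn:aws:dynamodb:<region>:<account>:table/<name>/stream/<label>.
function isStreamArn(arn: string): boolean {
  return /:table\/[^/]+\/stream\//.test(arn);
}

// Stream-only actions present anywhere in the document, sorted for stable output.
function findRejectedActions(doc: PolicyDocument): string[] {
  const found = new Set<string>();
  for (const st of doc.Statement) {
    for (const a of asList(st.Action)) {
      if (STREAM_ACTIONS.has(a)) found.add(a);
    }
  }
  return Array.from(found).sort();
}

interface SplitPolicy {
  table: PolicyDocument; // what a TableV2 resource policy can carry
  stream: PolicyDocument; // assumed to be attached to the stream ARN separately
  warnings: string[]; // statements whose actions and ARNs do not match in scope
}

// Each statement is split by action scope; a statement mixing index and stream
// access becomes one table statement and one stream statement.
function splitTableAndStreamPolicy(doc: PolicyDocument): SplitPolicy {
  const table: Statement[] = [];
  const stream: Statement[] = [];
  const warnings: string[] = [];
  for (const st of doc.Statement) {
    const label = st.Sid ?? "<no Sid>";
    const actions = asList(st.Action);
    const resources = asList(st.Resource);
    const streamActions = actions.filter((a) => STREAM_ACTIONS.has(a));
    const tableActions = actions.filter((a) => !STREAM_ACTIONS.has(a));
    const streamResources = resources.filter(isStreamArn);
    const tableResources = resources.filter((r) => !isStreamArn(r));
    if (streamActions.length > 0) {
      if (streamResources.length === 0) {
        warnings.push(`${label}: stream actions but no stream ARN in Resource`);
      } else {
        stream.push({ ...st, Sid: st.Sid ? `${st.Sid}Stream` : undefined, Action: streamActions, Resource: streamResources });
      }
    }
    if (tableActions.length > 0) {
      if (tableResources.length === 0) {
        warnings.push(`${label}: table actions but only stream ARNs in Resource`);
      } else {
        table.push({ ...st, Action: tableActions, Resource: tableResources });
      }
    }
  }
  return {
    table: { Version: doc.Version, Statement: table },
    stream: { Version: doc.Version, Statement: stream },
    warnings,
  };
}

// Constructed sample mirroring the policy in the issue, reduced to one principal.
const SAMPLE_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "DynamoDBIndexAndStreamAccess",
      Effect: "Allow",
      Action: ["dynamodb:GetShardIterator", "dynamodb:Scan", "dynamodb:Query",
               "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:ListStreams"],
      Principal: { AWS: ["arn:aws:iam::123456789012:role/test-ddb-role-1"] },
      Resource: ["arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/index/*",
                 "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/stream/*"],
    },
    {
      Sid: "DynamoDBTableAccess",
      Effect: "Allow",
      Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:Scan"],
      Principal: { AWS: ["arn:aws:iam::123456789012:role/test-ddb-role-1"] },
      Resource: ["arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test"],
    },
  ],
};
```

Running `findRejectedActions(SAMPLE_POLICY)` on the constructed sample returns the same four names the CloudFormation error lists; `splitTableAndStreamPolicy(SAMPLE_POLICY).table` contains only `Scan`/`Query` on the index ARN plus the unchanged table statement and passes the check, while `.stream` holds the four stream actions scoped to the `stream/*` ARN alone. Keeping the stream statement scoped to the stream ARN rather than reusing the original mixed `Resource` list is the least-privilege point of the split.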

2 participants