Lambda

Reputation: 13

How can I use two different credentials with dynamodb to have a readonly user and an all access user?

I am building out a product that will use the serverless architecture on Amazon (using this example project).

Right now the product is usable by anyone. However, I don't want just anyone to be able to add/update/delete from the database. I do want anyone to be able to read from it though. So, I'd like to use two different sets of credentials. The first would be distributed with the application and would allow read only access. The second set remains internal and would be embedded in OS variables that the application would utilize.

It looks like these permissions are set up in the serverless.yml file, but this is only for one set of credentials.

  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      # Resource belongs to the same statement as Effect and Action
      Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE}"

How can I set up two different roles?

Upvotes: 1

Views: 61

Answers (1)

jarmod

Reputation: 78583

IAM offers a number of pre-defined, managed IAM policies for DynamoDB, including:

  • AmazonDynamoDBReadOnlyAccess
  • AmazonDynamoDBFullAccess

Create two IAM roles with these managed policies: one for your read-only application and the other for your internal system. If either/both are running on EC2 then, rather than rely on credentials in environment variables, you can launch these EC2 instances with the relevant IAM role.

Upvotes: 1
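The question's single `iamRoleStatements` block and the answer's two-role advice come together in the serverless.yml below. This is an added example, not code from the question, the answer, or the example project the question links to. It assumes the Serverless Framework with the AWS provider, its function-level `role:` property (which points at a role declared under `resources:`), and the `DYNAMODB_TABLE` environment variable from the question; the service name, handler names, runtime and HTTP paths are constructed. Each Lambda function gets its own execution role, so the public read endpoint runs with read-only permissions and only the internal write endpoint can put, update or delete items; no credentials are shipped with the application at all. The answer's managed policies could be attached instead via `ManagedPolicyArns` (`arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess` and `AmazonDynamoDBFullAccess`), but they apply to every table in the account, so the inline statements here are scoped to the one table.

```yaml
# Added example (not from the question or answer): one serverless.yml with
# two Lambda execution roles for the same DynamoDB table.
# Assumes the Serverless Framework AWS provider and its per-function `role:`
# property; service name, handlers, runtime and paths are constructed.
service: notes-api

provider:
  name: aws
  runtime: nodejs18.x
  region: us-east-1
  environment:
    DYNAMODB_TABLE: ${self:service}-${opt:stage, self:provider.stage, 'dev'}
  # Deliberately no provider-wide iamRoleStatements: every function below
  # names its own role, so none inherits write access by default.

functions:
  listItems:
    handler: handler.list
    role: readOnlyRole        # public read path, read-only role
    events:
      - http:
          path: items
          method: get
  putItem:
    handler: handler.put
    role: readWriteRole       # internal write path, read-write role
    events:
      - http:
          path: items
          method: post

resources:
  Resources:
    readOnlyRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        ManagedPolicyArns:
          # CloudWatch Logs permissions that Lambda needs to write its logs
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        Policies:
          - PolicyName: dynamodb-table-read-only
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - dynamodb:Query
                    - dynamodb:Scan
                    - dynamodb:GetItem
                    - dynamodb:BatchGetItem
                  Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE}"

    readWriteRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        Policies:
          - PolicyName: dynamodb-table-read-write
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - dynamodb:Query
                    - dynamodb:Scan
                    - dynamodb:GetItem
                    - dynamodb:BatchGetItem
                    - dynamodb:PutItem
                    - dynamodb:UpdateItem
                    - dynamodb:DeleteItem
                  Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE}"
```

The split only protects the table if the write endpoint itself is not publicly callable, so `putItem` would normally sit behind an API Gateway authorizer or be invoked from the internal system directly rather than over an open HTTP route; the role keeps the blast radius of that function limited to the one table either way.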
