amarda

Reputation: 21

Add Index arn in DynamoDB to sam yml file

I am trying to access my DynamoDB table via a user that has full access to the table.

However, I am failing to query the LSI for the same table. It says the user doesn't have permissions to query the index.

I checked the documentation and it shows that the index needs to be defined separately, like arn:aws:dynamodb:region:account-id:table/table-name/index/index-name

However, I am not sure how to define this in the CloudFormation YAML file.

BooksTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    Properties:
      TableName:
        Fn::Sub: ${SamStackPrefix}${Stage}-BooksTable
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: hashKey
          KeyType: HASH
        - AttributeName: rangeKey
          KeyType: RANGE
      LocalSecondaryIndexes:
        - IndexName: LSI1
          KeySchema:
            - AttributeName: hashKey
              KeyType: HASH
            - AttributeName: clientToken
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
      AttributeDefinitions:
        - AttributeName: hashKey
          AttributeType: S
        - AttributeName: rangeKey
          AttributeType: S
        - AttributeName: clientToken
          AttributeType: S
      StreamSpecification:
        StreamViewType: NEW_AND_OLD_IMAGES
      TimeToLiveSpecification:
        AttributeName: expirationTime
        Enabled: true

Outputs:
  BooksTableName:
    Description: books table.
    Value:
      !Ref BooksTable
    Export:
      Name:
        Fn::Sub: ${SamStackPrefix}${Stage}-BooksTableName
  BooksTableArn:
    Description: Arn for books DynamoDB Table
    Value:
      Fn::GetAtt: [ BooksTable, Arn ]
    Export:
      Name:
        Fn::Sub: ${SamStackPrefix}${Stage}-BooksTableArn
  BooksTableStreamArn:
    Description: The DDB stream for the books table.
    Value:
      Fn::GetAtt: [BooksTable, StreamArn]
    Export:
      Name:
        Fn::Sub: ${SamStackPrefix}${Stage}-BooksStreamArn

The IAM policy right now:

Policies:
      - PolicyDocument:
          Statement:
          - Action: ['dynamodb:PutItem', 'dynamodb:ConditionCheckItem', 'dynamodb:Query', 'dynamodb:GetItem', 'dynamodb:UpdateItem']
            Effect: Allow
            Resource:
              - Fn::GetAtt: [BooksTable, Arn]

How do I add the LSI to the list of resources so that I can use that ARN to add permissions in the policy document?

Upvotes: 0

Views: 888

Answers (1)

Shravan Kumar L.P

Reputation: 21

Update the IAM policy; this should work:

 Policies:
   - PolicyDocument:
      Statement:
      - Action: ['dynamodb:PutItem', 'dynamodb:ConditionCheckItem', 'dynamodb:Query', 'dynamodb:GetItem', 'dynamodb:UpdateItem']
        Effect: Allow
        Resource:
          - Fn::GetAtt: [BooksTable, Arn]
          - "arn:aws:dynamodb:{region}:{account}:table/{tableName}/index/{indexName}"

Upvotes: 1
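The same grant written so that it needs no hard-coded region, account or table name, as an added example that is not part of the question or the answer above. It assumes the BooksTable resource from the question sits in the same SAM template and attaches the policy to a hypothetical AWS::Serverless::Function called BooksFunction; the handler and runtime are placeholders. It also splits the statement so that only Query, the one action in the list that can target an index, is granted on the index ARN:

```yaml
# Added example, not code from the question or the answer above.
# Assumes the BooksTable resource from the question is in this template;
# BooksFunction, its Handler and its Runtime are placeholders.
Resources:
  BooksFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.handler        # placeholder
      Runtime: python3.11         # placeholder
      Policies:
        - Version: "2012-10-17"
          Statement:
            # A Query that names an IndexName is authorised against the index
            # ARN, which is a separate resource from the table ARN, so Query
            # needs both.
            - Sid: QueryTableAndIndexes
              Effect: Allow
              Action:
                - dynamodb:Query
              Resource:
                - !GetAtt BooksTable.Arn
                # Fn::Sub accepts ${Resource.Attribute}, so this expands to
                # arn:aws:dynamodb:<region>:<account>:table/<name>/index/*
                # without hard-coding region, account or table name.
                - !Sub "${BooksTable.Arn}/index/*"
                # Tighter alternative if only LSI1 should be reachable:
                # - !Sub "${BooksTable.Arn}/index/LSI1"
            # GetItem, writes and condition checks address the table itself;
            # indexes do not support them, so no index ARN is needed here.
            - Sid: TableOnly
              Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:PutItem
                - dynamodb:UpdateItem
                - dynamodb:ConditionCheckItem
              Resource:
                - !GetAtt BooksTable.Arn
```

The `/index/*` suffix covers LSI1 and any index added to the table later; replace the `*` with `LSI1` if the function should reach only that index.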

Related Questions