fix(dynamodb): grant*Data() methods are missing the dynamodb:DescribeTable permission #19129
Force-pushed from 340a14f to 321b4de
skinny85 left a comment:
Thanks for the contribution @chris-smith-zocdoc! One small suggestion.
| 'dynamodb:GetShardIterator', | ||
| ]; | ||
|
|
||
| export const DESCRIBE_TABLE = 'dynamodb:DescribeTable'; No newline at end of file |
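Review bot: the new `export const DESCRIBE_TABLE = 'dynamodb:DescribeTable';` line is added without a trailing newline (the hunk ends with "No newline at end of file"); add one so the next change to this file does not show a spurious diff on this line. A short doc comment above the constant saying that it is appended to every grant*Data() call rather than listed in READ_DATA_ACTIONS or WRITE_DATA_ACTIONS, for the de-duplication reason given in the thread, would keep that intent discoverable next to the code.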
What do you think of just adding 'dynamodb:DescribeTable' to the READ_STREAM_DATA_ACTIONS array? I think that's basically what we're going for here, and it would save us from doing any other edits to the production code in this PR (OK, minus the comments 😉).
chris-smith-zocdoc replied:
Do you mean READ_DATA_ACTIONS? READ_STREAM_DATA_ACTIONS is for the DynamoDB stream, not reading/writing to the table.
I did consider adding it to READ_DATA_ACTIONS but that had two issues:
- It doesn't cover the write use case, i.e. grantWriteData()
- If I added it to both READ_DATA_ACTIONS and WRITE_DATA_ACTIONS then I'd need code to de-dup it for grantReadWriteData
So it seemed simpler to implement it as an additional permission that is added to the necessary grant* calls.
skinny85 replied:
Yep, I meant READ_DATA_ACTIONS.
OK, fair enough!
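The trade-off discussed above (keep DescribeTable out of the data-action arrays and append it in each grant, versus putting it in both arrays and de-duplicating in grantReadWriteData) is easier to see in code. The following is an added illustration, not code from aws-cdk or from this PR: a toy model of how grant*Data()-style helpers assemble a DynamoDB policy statement. The action lists are abbreviated and constructed for the demo, the table ARN is made up, and `mergeActions`, `grantReadWriteDataDedup` and `grantsOnce` are hypothetical helper names.

```typescript
// Added illustration, not aws-cdk's own code: models where dynamodb:DescribeTable
// must be attached so that read, write and read/write grants all carry it exactly once.

// Constructed, abbreviated action lists (the real perms.ts lists are longer).
const READ_DATA_ACTIONS: string[] = [
  'dynamodb:BatchGetItem',
  'dynamodb:GetItem',
  'dynamodb:Query',
  'dynamodb:Scan',
];
const WRITE_DATA_ACTIONS: string[] = [
  'dynamodb:BatchWriteItem',
  'dynamodb:PutItem',
  'dynamodb:UpdateItem',
  'dynamodb:DeleteItem',
];
// Read-only metadata action the high-level SDK clients call before touching items.
const DESCRIBE_TABLE = 'dynamodb:DescribeTable';

interface PolicyStatement {
  effect: 'Allow';
  actions: string[];
  resources: string[];
}

// Hypothetical helper: union of action lists with duplicates removed, first-seen order.
// Uses indexOf rather than Set so it compiles under any TypeScript target.
function mergeActions(...lists: string[][]): string[] {
  const out: string[] = [];
  for (const list of lists) {
    for (const action of list) {
      if (out.indexOf(action) === -1) {
        out.push(action);
      }
    }
  }
  return out;
}

// Approach taken in the PR: DESCRIBE_TABLE stays out of the data-action arrays and is
// appended in each grant, so grantReadWriteData() needs no de-duplication step.
function grantReadData(tableArn: string): PolicyStatement {
  return { effect: 'Allow', actions: READ_DATA_ACTIONS.concat(DESCRIBE_TABLE), resources: [tableArn] };
}
function grantWriteData(tableArn: string): PolicyStatement {
  return { effect: 'Allow', actions: WRITE_DATA_ACTIONS.concat(DESCRIBE_TABLE), resources: [tableArn] };
}
function grantReadWriteData(tableArn: string): PolicyStatement {
  return {
    effect: 'Allow',
    actions: READ_DATA_ACTIONS.concat(WRITE_DATA_ACTIONS, DESCRIBE_TABLE),
    resources: [tableArn],
  };
}

// The alternative discussed in the thread: DESCRIBE_TABLE in both arrays, de-duplicated
// when they are combined. Same resulting permissions, one extra helper to maintain.
function grantReadWriteDataDedup(tableArn: string): PolicyStatement {
  const read = READ_DATA_ACTIONS.concat(DESCRIBE_TABLE);
  const write = WRITE_DATA_ACTIONS.concat(DESCRIBE_TABLE);
  return { effect: 'Allow', actions: mergeActions(read, write), resources: [tableArn] };
}

// Sanity check over a synthesized statement: does it grant `action` on `tableArn`,
// and does it list that action exactly once (no duplicate from naive concatenation)?
function grantsOnce(stmt: PolicyStatement, action: string, tableArn: string): boolean {
  const hits = stmt.actions.filter((a) => a === action).length;
  return hits === 1 && stmt.resources.indexOf(tableArn) !== -1;
}

// Constructed table ARN for the demo.
const DEMO_TABLE_ARN = 'arn:aws:dynamodb:us-east-1:123456789012:table/Orders';

const grants: Array<[string, (arn: string) => PolicyStatement]> = [
  ['grantReadData', grantReadData],
  ['grantWriteData', grantWriteData],
  ['grantReadWriteData', grantReadWriteData],
  ['grantReadWriteDataDedup', grantReadWriteDataDedup],
];
for (const [name, grant] of grants) {
  const stmt = grant(DEMO_TABLE_ARN);
  console.log(`${name}: ${stmt.actions.length} actions, DescribeTable once = ${grantsOnce(stmt, DESCRIBE_TABLE, DEMO_TABLE_ARN)}`);
}
```

Both read/write variants end up with the same nine actions; the difference is only in how much code has to know about the overlap. Since DescribeTable is a metadata-only action, appending it to every data grant keeps each statement at the minimum the SDK client needs.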
Force-pushed from 321b4de to 0b5b5bc
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Fixes #18773
This allows the high-level DynamoDB clients to function correctly.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license