New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DynamoDB Global Table's grant*() gives permission only to regional resources #7362
DynamoDB Global Table's grant*() gives permission only to regional resources #7362
Comments
This is tricky... and I'm not sure that the normal In the meantime you should be able to do something like this I think: // stack in us-west-1
// tableInUsEast1 is the table exposed in the stack in us-east-1
const table1 = dynamodb.Table.fromTableName(this, 'Table1', tableInUsEast1.tableName);
table1.grantReadData(myLambda) |
How are you doing this? Values cannot be shared across regions |
If table1 variable is public, you can read it outside stack and then push it into another stack through props. stack1 = new Stack1(...);
new Stack2(this, 'Stack2', {
...
...
table: stack1.table1
});
|
Yes, of course, but not across regions |
It works for me. In one of my apps, I have one GlobalStack with env region It works. |
How about introducing a new optional parameter for grantXxx() which can take regions array and/or |
This is only possible for concrete values, not for deploy time values (tokens, like a dynamodb table name). |
Yes, that's why, I provided |
So if you're sharing a concrete string across regions, the solution is to use |
A little besides the issue, but cross-region/account tokens are definitely possible :). Through something called physical names (set here in DynamoDB, and later used here). |
Thanks for the clarification @skinny85. You confirm that this only work for resources with concrete (well defined) names not for deploy time given names? |
Yes, I can confirm that. If a resource doesn't have a physical name defined (for DynamoDB, that's the |
There's also |
In theory, this should work. But, the imported table object doesn't seem fully equivalent of original table. When I use Yes, with imported table, I can extract arn to manually create iam policy. |
Good point. |
Add all replication regions when granting permissions. Closes aws#7362
Add all replication regions when granting permissions. Closes #7362
new Table(...).grant(grantee, ...actions)
,new Table(...).grantFullAccess(grantee)
,new Table(...).grantReadData(grantee)
andnew Table(...).grantReadWriteData(grantee)
grant access to the table and its indexes only in the region in which the table is created, even whenreplicationRegions
is notundefined
.Reproduction Steps
us-east-1
region:Share the above table to a different stack with
us-west-1
region.In the
us-west-1
stack, create a lambda function and grant it the read permission of the global table.Unfortunately, the myLambda won't be able to read from the same region (
us-west-1
) table1 replica because of wrong iam permissions. If you look at the service role for myLambda, you'll find this policy statement:After finding
replicationRegions
, CDK should either replaceus-east-1
with*
or add more regional arns toResource
.I also can't modify the table1 arn to create my own iam policy statement.
This doesn't work because
tableArn
is not a string at runtime even if I give physical name to the table.I had to manually edit policy statements in production which has created a drift in CloudFormation Stack.
Error Log
No error log. Human introspection is needed.
Environment
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: