ListTables permission required #57

Closed
yegor256 opened this Issue Aug 25, 2013 · 12 comments

@yegor256

All of a sudden, this message started to appear (after upgrade to 1.5.1):

Dynamic DynamoDB version: 1.5.1
:  Traceback (most recent call last):
:    File "/usr/local/bin/dynamic-dynamodb", line 26, in <module>
:      dynamic_dynamodb.main()
:    File "/usr/local/lib/python2.7/dist-packages/dynamic_dynamodb/__init__.py", line 75, in main
:      all_table = dynamodb.list_table()
:    File "/usr/local/lib/python2.7/dist-packages/dynamic_dynamodb/core/dynamodb.py", line 75, in list_table
:      list_table = DYNAMODB_CONNECTION.list_tables()
:    File "/usr/local/lib/python2.7/dist-packages/boto/dynamodb/layer2.py", line 306, in list_tables
:      result = self.layer1.list_tables(limit=this_round_limit, start_table=start_table)
:    File "/usr/local/lib/python2.7/dist-packages/boto/dynamodb/layer1.py", line 204, in list_tables
:      return self.make_request('ListTables', json_input)
:    File "/usr/local/lib/python2.7/dist-packages/boto/dynamodb/layer1.py", line 118, in make_request
:      retry_handler=self._retry_handler)
:    File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 873, in _mexe
:      status = retry_handler(response, i, next_sleep)
:    File "/usr/local/lib/python2.7/dist-packages/boto/dynamodb/layer1.py", line 158, in _retry_handler
:      data)
:  boto.exception.DynamoDBResponseError: DynamoDBResponseError: 400 Bad Request
:  {u'Message': u'User: arn:aws:sts::xxxxx:assumed-role/xxx/i-55555555 is not authorized to perform: dynamodb:ListTables on resource: *', u'__type': u'com.amazon.coral.service#AccessDeniedException'}

Why is ListTables performed? I'm calling it like this:

dynamic-dynamodb --log-level WARNING --table-name "abc" 
@pragnesh
Contributor

The ListTables call was added to control multiple tables with a single configuration section using regex, which was added in the 1.5.0 release.

@pragnesh
Contributor

Looks like the AWS credentials you are using don't have the ListTables permission.

@sebdah
Owner
sebdah commented Aug 26, 2013

Yeah, it's just a lack of permissions. However I think that we should handle exceptions like this prettier. Will add this as an enhancement in the 1.5.x series.

@yegor256

But why do we need to list all my tables if I explicitly provided the name of the table to work with? I don't want to grant access to ALL tables; it looks like a violation of the "least privilege" principle to me.

@sebdah
Owner
sebdah commented Aug 26, 2013

Good point, will see if it's easy to differentiate between the two alternatives in the code.

@sebdah sebdah was assigned Aug 26, 2013
@sebdah
Owner
sebdah commented Aug 26, 2013

I have now addressed those issues in a series of commits. I would be really happy if either of you could help out testing this before I release it.

The changes currently reside in the feature/issue-57 branch.

@pragnesh
Contributor

looks good to me.

@sebdah
Owner
sebdah commented Aug 27, 2013

Thanks for looking at it @pragnesh. Will include this fix in a patch release

@sebdah
Owner
sebdah commented Aug 27, 2013

This is now released in Dynamic DynamoDB 1.5.2!

@sebdah sebdah closed this Aug 27, 2013
@pragnesh pragnesh added a commit to pragnesh/dynamic-dynamodb that referenced this issue Aug 27, 2013
@pragnesh pragnesh added missing sleep statement fixes #57 c32e7c7
@pragnesh
Contributor

I have added the sleep statement that was removed, which was creating a problem in daemon mode.

@yegor256

Now it gives me this warning:

WARNING - Your AWS API keys lack access to listing tables. That is an issue if you are trying to use regular expressions in your table configuration.

But works. Thanks for the fix!

@sebdah
Owner
sebdah commented Aug 27, 2013

Perfect, @pragnesh's fix is out now. Thanks both of you!
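
An illustration of the behaviour discussed in this thread, added here and not taken from the Dynamic DynamoDB code base: explicitly named tables are used without ever calling ListTables, and a denied ListTables only disables regex expansion instead of crashing. `resolve_tables`, `FakeDynamoDB` and `AccessDenied` are hypothetical names, and the table list is constructed sample data.

```python
import logging
import re

log = logging.getLogger("table_resolver")


class AccessDenied(Exception):
    """Stand-in for the service's AccessDeniedException."""


class FakeDynamoDB:
    """Constructed test double: enforces an action allow-list, records calls."""

    def __init__(self, tables, allowed_actions):
        self.tables = list(tables)
        self.allowed = set(allowed_actions)
        self.calls = []

    def list_tables(self):
        self.calls.append("dynamodb:ListTables")
        if "dynamodb:ListTables" not in self.allowed:
            raise AccessDenied("not authorized to perform: dynamodb:ListTables")
        return list(self.tables)


def resolve_tables(explicit_names, patterns, list_tables):
    """Return the sorted table names to manage.

    explicit_names: literal names (e.g. from --table-name); used as given.
    patterns: regular expressions; expanding them requires ListTables.
    list_tables: callable returning every table name, or raising AccessDenied.
    """
    selected = set(explicit_names)
    if not patterns:
        return sorted(selected)  # explicit names only: never call ListTables
    try:
        all_tables = list_tables()
    except AccessDenied as exc:
        # Degrade instead of crashing: keep explicit names, skip the patterns.
        log.warning("Cannot list tables (%s); ignoring %d pattern(s)",
                    exc, len(patterns))
        return sorted(selected)
    for pattern in patterns:
        regex = re.compile(pattern)
        selected.update(t for t in all_tables if regex.fullmatch(t))
    return sorted(selected)


if __name__ == "__main__":
    scoped = FakeDynamoDB(["abc", "abc-test", "other"], allowed_actions=())
    print(resolve_tables(["abc"], [], scoped.list_tables), scoped.calls)
```

With credentials scoped to a single table, the first path makes no account-wide call at all, so the policy does not need `dynamodb:ListTables` on resource `*`.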
