ListTables permission required #57

Closed
yegor256 opened this Issue Aug 25, 2013 · 12 comments

yegor256 commented Aug 25, 2013

All of a sudden, this message started to appear (after upgrade to 1.5.1):

Dynamic DynamoDB version: 1.5.1
:  Traceback (most recent call last):
:    File "/usr/local/bin/dynamic-dynamodb", line 26, in <module>
:      dynamic_dynamodb.main()
:    File "/usr/local/lib/python2.7/dist-packages/dynamic_dynamodb/__init__.py", line 75, in main
:      all_table = dynamodb.list_table()
:    File "/usr/local/lib/python2.7/dist-packages/dynamic_dynamodb/core/dynamodb.py", line 75, in list_table
:      list_table = DYNAMODB_CONNECTION.list_tables()
:    File "/usr/local/lib/python2.7/dist-packages/boto/dynamodb/layer2.py", line 306, in list_tables
:      result = self.layer1.list_tables(limit=this_round_limit, start_table=start_table)
:    File "/usr/local/lib/python2.7/dist-packages/boto/dynamodb/layer1.py", line 204, in list_tables
:      return self.make_request('ListTables', json_input)
:    File "/usr/local/lib/python2.7/dist-packages/boto/dynamodb/layer1.py", line 118, in make_request
:      retry_handler=self._retry_handler)
:    File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 873, in _mexe
:      status = retry_handler(response, i, next_sleep)
:    File "/usr/local/lib/python2.7/dist-packages/boto/dynamodb/layer1.py", line 158, in _retry_handler
:      data)
:  boto.exception.DynamoDBResponseError: DynamoDBResponseError: 400 Bad Request
:  {u'Message': u'User: arn:aws:sts::xxxxx:assumed-role/xxx/i-55555555 is not authorized to perform: dynamodb:ListTables on resource: *', u'__type': u'com.amazon.coral.service#AccessDeniedException'}

Why is ListTables performed? I'm calling it like this:

dynamic-dynamodb --log-level WARNING --table-name "abc" 
Contributor

pragnesh commented Aug 26, 2013

The ListTables call was added to control multiple tables with a single configuration section using regex, which was added in the 1.5.0 release.

I

Contributor

pragnesh commented Aug 26, 2013

Looks like the AWS credentials you are using don't have the ListTables permission.

Owner

sebdah commented Aug 26, 2013

Yeah, it's just a lack of permissions. However, I think that we should handle exceptions like this in a prettier way. Will add this as an enhancement in the 1.5.x series.

yegor256 commented Aug 26, 2013

But why do we need to list all my tables if I explicitly provided the name of the table to work with? I don't want to grant access to ALL tables; it looks like a violation of the "least privilege" principle to me.

Owner

sebdah commented Aug 26, 2013

Good point, will see if it's easy to differentiate between the two alternatives in the code.

@ghost ghost assigned sebdah Aug 26, 2013

sebdah added a commit that referenced this issue Aug 26, 2013

Owner

sebdah commented Aug 26, 2013

I have now addressed those issues in a series of commits. I would be really happy if either of you could help out testing this before I release it.

The changes currently reside in the feature/issue-57 branch.

Contributor

pragnesh commented Aug 26, 2013

Looks good to me.

Owner

sebdah commented Aug 27, 2013

Thanks for looking at it, @pragnesh. Will include this fix in a patch release.

Owner

sebdah commented Aug 27, 2013

This is now released in Dynamic DynamoDB 1.5.2!

@sebdah sebdah closed this Aug 27, 2013

pragnesh added a commit to pragnesh/dynamic-dynamodb that referenced this issue Aug 27, 2013

Contributor

pragnesh commented Aug 27, 2013

I have added a change with the sleep statement removed, which was creating a problem in daemon mode.

yegor256 commented Aug 27, 2013

Now it gives me this warning:

WARNING - Your AWS API keys lack access to listing tables. That is an issue if you are trying to use regular expressions in your table configuration.

But works. Thanks for the fix!

Owner

sebdah commented Aug 27, 2013

Perfect, @pragnesh's fix is out now. Thanks both of you!
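
The behaviour this thread settles on, as an added example that is not part of the issue or the project's code: credentials scoped to one table cannot call ListTables (it is only granted on resource `*`, as the error message shows), so a denied ListTables is downgraded to a warning and the configured keys are used as literal table names instead of regular expressions. `FakeDynamoDB`, `AccessDenied`, `select_tables`, the policy's action list, region and account id are all assumptions made for illustration.

```python
import logging
import re

log = logging.getLogger("table-selection-example")

# Constructed least-privilege policy: scoped to one table, no dynamodb:ListTables.
# The account id, region and the action list are assumptions for illustration.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:DescribeTable", "dynamodb:UpdateTable"],
        "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/abc",
    }],
}


class AccessDenied(Exception):
    """Stand-in for the AccessDeniedException in the traceback above."""


class FakeDynamoDB:
    """Offline stub that enforces the Action list of a policy document."""

    def __init__(self, policy, tables):
        self.allowed = {a for s in policy["Statement"] for a in s["Action"]}
        self.tables = tables

    def list_tables(self):
        if "dynamodb:ListTables" not in self.allowed:
            raise AccessDenied("not authorized to perform: dynamodb:ListTables")
        return list(self.tables)


def select_tables(configured, client):
    """Return the sorted table names to manage.

    With ListTables allowed, each configured key is applied as a regex to the
    existing tables. When it is denied, keys are used as literal table names.
    """
    try:
        existing = client.list_tables()
    except AccessDenied:
        log.warning("ListTables denied; using configured keys as literal names")
        return sorted(set(configured))
    return sorted({t for key in configured for t in existing
                   if re.fullmatch(key, t)})
```

With the scoped policy, a key such as `abc.*` is returned unexpanded, which is the situation the 1.5.2 warning describes for regular-expression configurations.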
