
aws_dynamodb: Unable to create table with resource policy with certain dynamodb actions #32230

Closed · 1 task
frankpengau opened this issue Nov 21, 2024 · 3 comments
Assignees
Labels
@aws-cdk/aws-dynamodb Related to Amazon DynamoDB bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@frankpengau
Contributor

Describe the bug

Unable to create a DynamoDB Table V2 with a resource policy that contains certain DynamoDB actions relating to streams.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DynamoDBIndexAndStreamAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetShardIterator",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:ListStreams"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-ddb-role-1",
                    "arn:aws:iam::123456789012:role/test-ddb-role-2",
                    "arn:aws:iam::123456789012:role/test-ddb-role-3"
                ]
            },
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/index/*",
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/stream/*"
            ]
        },
        {
            "Sid": "DynamoDBTableAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:ConditionCheckItem",
                "dynamodb:PutItem",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-ddb-role-1",
                    "arn:aws:iam::123456789012:role/test-ddb-role-2",
                    "arn:aws:iam::123456789012:role/test-ddb-role-3"
                ]
            },
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test"
            ]
        }
    ]
}

Following example from: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/iam-policy-example-data-crud.html

Resource handler returned message: "One or more parameter values were invalid: Invalid policy document: The following action names are invalid: "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:DescribeStream", "dynamodb:ListStreams" (Service: DynamoDb, Status Code: 400, ... HandlerErrorCode: InvalidRequest)

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

DynamoDB Table V2 should be created with expected resource policy given.

Current Behavior

Failure to create DynamoDB Table V2

Reproduction Steps

Repo: https://github.com/frankpengau/aws-cdk-ddbv2-resource-policy-issue

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.169.0

Framework Version

No response

Node.js Version

22.11.0

OS

macOS Sonoma 14.7.1 (Darwin 23.6.0)

Language

TypeScript

Language Version

TypeScript (5.6.3)

Other information

No response

@frankpengau frankpengau added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2024
@github-actions github-actions bot added the @aws-cdk/aws-dynamodb Related to Amazon DynamoDB label Nov 21, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2024
@khushail khushail self-assigned this Nov 21, 2024
@khushail khushail added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-reproduction This issue needs reproduction. labels Nov 21, 2024
@khushail
Contributor

Hi @frankpengau , thanks for reaching out.

All the errors are related to the policies related to streams, and the reason, as mentioned in the AWS documentation, is -

[Screenshot of the AWS documentation, 2024-11-26]

So in order to work, you might want to create a table with a stream first, get the stream id and then grant the required access. (Ref. article for example)

Hope that helps!

Let me know if this does not work for you.

Thanks.

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Nov 27, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Nov 29, 2024
@github-actions github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Dec 4, 2024
@github-actions github-actions bot closed this as completed Dec 4, 2024
@toha-nordic

@khushail I'm getting the same kind of error with CDK 2.163.1 and 2.172.0 when using the table v1 construct. My table and streams already exist; I'm just trying to add a resource policy for setting up cross-account access to the stream.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<test acct1>:role/test-role",
          "arn:aws:iam::<test acct2>:user/toha"
        ]
      },
      "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator",
        "dynamodb:ListStreams"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:<test acct3>:table/table1/stream/2024-12-09T15:10:20.402"
    }
  ]
}

A similar error appears: 1 validation error detected: Value 'software.amazon.awssdk.services.dynamodb.model.DynamoDbException: One or more parameter values were invalid: Invalid policy document: The following action names are invalid: "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:DescribeStream", "dynamodb:ListStreams" (Service: DynamoDb, Status Code: 400.

Any workarounds for this would be much appreciated.
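Added example, not code from the aws-cdk project or from either poster. It covers the maintainer's suggestion above (grant stream access separately, against the stream) and the cross-account stream policy in the last comment: a small TypeScript pre-deploy lint that reproduces the service's rejection locally, before `cdk deploy` hits CloudFormation, and splits one policy document into the part a table resource policy accepts and the part that belongs on the stream. Assumptions: the four rejected action names are quoted from the error message in this thread; the rule that those actions must be attached separately, scoped to the stream ARN, is inferred from the maintainer's reply and the error text and is not a CDK API; the `/stream/` ARN test, the sample document, and the helper names (`parsePolicy`, `findRejectedActions`, `splitTableAndStreamPolicy`) are the example's own.

```typescript
// Added example (not aws-cdk project code nor either poster's): a pre-deploy
// lint for a DynamoDB resource policy. It reproduces locally the service
// check that rejected this thread's policies, then splits the document into
// a table part and a stream part. Assumption: stream actions belong on a
// separate policy scoped to the stream ARN (inferred from the maintainer's
// reply); the four action names are quoted from the error message.

export type Statement = { Sid?: string; Effect: "Allow" | "Deny"; Principal?: unknown;
                          Action: string | string[]; Resource: string | string[] };
export type PolicyDocument = { Version: string; Statement: Statement[] };

// Action names the table-level resource policy rejects (verbatim from the error).
export const STREAM_ONLY_ACTIONS: ReadonlySet<string> = new Set([
  "dynamodb:GetRecords",
  "dynamodb:GetShardIterator",
  "dynamodb:DescribeStream",
  "dynamodb:ListStreams",
]);

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
const isStreamArn = (arn: string): boolean => arn.includes(":table/") && arn.includes("/stream/");

// Parse policy JSON, failing early on syntax errors (e.g. a trailing comma),
// which JSON.parse rejects just as the service would.
export function parsePolicy(text: string): PolicyDocument {
  const doc = JSON.parse(text) as PolicyDocument;
  if (!Array.isArray(doc.Statement)) throw new Error("policy has no Statement array");
  return doc;
}

// Local reproduction of the service check: the actions a table policy would
// reject, in first-seen order.
export function findRejectedActions(doc: PolicyDocument): string[] {
  const seen: string[] = [];
  for (const stmt of doc.Statement) {
    for (const a of asList(stmt.Action)) {
      if (STREAM_ONLY_ACTIONS.has(a) && !seen.includes(a)) seen.push(a);
    }
  }
  return seen;
}

export interface SplitResult {
  tablePolicy: PolicyDocument;  // only actions the table policy accepts
  streamPolicy: PolicyDocument; // stream actions, scoped to stream ARNs
  warnings: string[];           // statements whose actions and ARNs disagree
}

// Split each statement by action; a statement that mixes table and stream
// actions becomes two, each keeping only the matching ARNs when any exist.
export function splitTableAndStreamPolicy(doc: PolicyDocument): SplitResult {
  const table: Statement[] = [];
  const stream: Statement[] = [];
  const warnings: string[] = [];
  for (const stmt of doc.Statement) {
    const actions = asList(stmt.Action);
    const resources = asList(stmt.Resource);
    const streamActions = actions.filter((a) => STREAM_ONLY_ACTIONS.has(a));
    const tableActions = actions.filter((a) => !STREAM_ONLY_ACTIONS.has(a));
    const streamArns = resources.filter(isStreamArn);
    const tableArns = resources.filter((r) => !isStreamArn(r));
    const sid = stmt.Sid ?? "<no Sid>";
    if (streamActions.length > 0) {
      if (streamArns.length === 0) warnings.push(`${sid}: stream actions but no stream ARN in Resource`);
      stream.push({ ...stmt, Action: streamActions, Resource: streamArns.length ? streamArns : resources });
    }
    if (tableActions.length > 0) {
      if (tableArns.length === 0) warnings.push(`${sid}: table actions granted only on a stream ARN`);
      table.push({ ...stmt, Action: tableActions, Resource: tableArns.length ? tableArns : resources });
    }
  }
  return {
    tablePolicy: { Version: doc.Version, Statement: table },
    streamPolicy: { Version: doc.Version, Statement: stream },
    warnings,
  };
}

// Constructed sample: the first statement from this issue plus a trimmed table statement.
export const SAMPLE_POLICY_TEXT = `{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "DynamoDBIndexAndStreamAccess", "Effect": "Allow",
      "Action": ["dynamodb:GetShardIterator", "dynamodb:Scan", "dynamodb:Query",
                 "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:ListStreams"],
      "Principal": { "AWS": ["arn:aws:iam::123456789012:role/test-ddb-role-1"] },
      "Resource": ["arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/index/*",
                   "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/stream/*"] },
    { "Sid": "DynamoDBTableAccess", "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
      "Principal": { "AWS": ["arn:aws:iam::123456789012:role/test-ddb-role-1"] },
      "Resource": ["arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test"] }
  ]
}`;

// Stand-alone run: report what the service would reject, then print the split.
console.log("rejected in table policy:", findRejectedActions(parsePolicy(SAMPLE_POLICY_TEXT)));
console.log(JSON.stringify(splitTableAndStreamPolicy(parsePolicy(SAMPLE_POLICY_TEXT)), null, 2));
```

Run against the first policy in this thread, `findRejectedActions` returns exactly the four names in the CloudFormation error, and the split leaves `DynamoDBIndexAndStreamAccess` in the table policy with only `dynamodb:Scan`/`dynamodb:Query` on the `index/*` ARN, while the four stream actions move to a one-statement stream policy on the `stream/*` ARN. The warnings list catches the mismatch case a reviewer cares about: stream actions granted without any stream ARN, or table actions granted only on a stream ARN, both of which indicate the principal is being given broader or narrower access than intended.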

3 participants