aws_dynamodb: Unable to create table with resource policy with certain dynamodb actions #32230

@frankpengau

Description

Describe the bug

Unable to create a DynamoDB Table V2 with a resource policy that contains certain DynamoDB actions relating to streams.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DynamoDBIndexAndStreamAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetShardIterator",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:ListStreams"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-ddb-role-1",
                    "arn:aws:iam::123456789012:role/test-ddb-role-2",
                    "arn:aws:iam::123456789012:role/test-ddb-role-3"
                ]
            },
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/index/*",
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/stream/*"
            ]
        },
        {
            "Sid": "DynamoDBTableAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:ConditionCheckItem",
                "dynamodb:PutItem",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-ddb-role-1",
                    "arn:aws:iam::123456789012:role/test-ddb-role-2",
                    "arn:aws:iam::123456789012:role/test-ddb-role-3"
                ]
            },
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test"
            ]
        }
    ]
}

Following example from: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/iam-policy-example-data-crud.html

Resource handler returned message: "One or more parameter values were invalid: Invalid policy document: The following action names are invalid: "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:DescribeStream", "dynamodb:ListStreams" (Service: DynamoDb, Status Code: 400, ... HandlerErrorCode: InvalidRequest)

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

DynamoDB Table V2 should be created with expected resource policy given.

Current Behavior

Failure to create DynamoDB Table V2

Reproduction Steps

Repo: https://github.com/frankpengau/aws-cdk-ddbv2-resource-policy-issue

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.169.0

Framework Version

No response

Node.js Version

22.11.0

OS

macOS Sonoma 14.7.1 (Darwin 23.6.0)

Language

TypeScript

Language Version

TypeScript (5.6.3)

Other information

No response
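The error above names four actions as invalid in the table's policy document. As an added example (not code from the issue or from the aws-cdk project), the following TypeScript preflight check finds those actions in a policy document before it reaches `TableV2` and splits each statement so that stream actions travel with stream ARNs (`…:table/<name>/stream/…`) while everything else stays with the table and index ARNs. It assumes that the four rejected actions are exactly the DynamoDB Streams API actions and that they belong in a policy attached to the stream resource rather than the table; the function names (`findStreamActions`, `splitPolicyForStreams`) and the constant `ISSUE_POLICY`, rebuilt from the policy posted above, are assumptions of this example.

```typescript
// Added example; not code from the issue or from aws-cdk. Assumption: the four
// actions the deployment error rejected are the DynamoDB Streams API actions and
// belong on the stream ARN (...:table/<name>/stream/<label>), not on the table.

type Principal = string | Record<string, string | string[]>;

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Principal?: Principal;
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// The action names the error message reported as invalid for the table policy.
const STREAM_ACTIONS: ReadonlySet<string> = new Set([
  "dynamodb:GetRecords",
  "dynamodb:GetShardIterator",
  "dynamodb:DescribeStream",
  "dynamodb:ListStreams",
]);

const asArray = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Stream ARNs look like arn:aws:dynamodb:<region>:<account>:table/<name>/stream/<label>.
const isStreamArn = (arn: string): boolean => /:table\/[^\/]+\/stream\//.test(arn);

// Stream actions present anywhere in the document, i.e. what the table endpoint
// would reject. Run this over the document before cdk deploy.
function findStreamActions(doc: PolicyDocument): string[] {
  const found = new Set<string>();
  for (const s of doc.Statement) {
    for (const a of asArray(s.Action)) {
      if (STREAM_ACTIONS.has(a)) found.add(a);
    }
  }
  return Array.from(found).sort();
}

interface SplitResult {
  tablePolicy: PolicyDocument;         // only table/index actions and ARNs
  streamPolicy: PolicyDocument | null; // only stream actions and ARNs, or null if none
  dropped: { sid: string | undefined; action: string }[]; // actions with no matching ARN
}

// Split each statement by action class and resource class. Sid, Effect and
// Principal are copied unchanged into whichever halves survive; an action whose
// statement carries no ARN of the right class is reported in `dropped` rather
// than silently granted on the wrong resource.
function splitPolicyForStreams(doc: PolicyDocument): SplitResult {
  const tableStatements: Statement[] = [];
  const streamStatements: Statement[] = [];
  const dropped: SplitResult["dropped"] = [];

  for (const s of doc.Statement) {
    const actions = asArray(s.Action);
    const resources = asArray(s.Resource);
    const streamActions = actions.filter((a) => STREAM_ACTIONS.has(a));
    const tableActions = actions.filter((a) => !STREAM_ACTIONS.has(a));
    const streamResources = resources.filter(isStreamArn);
    const tableResources = resources.filter((r) => !isStreamArn(r));

    if (tableActions.length > 0) {
      if (tableResources.length > 0) {
        tableStatements.push({ ...s, Action: tableActions, Resource: tableResources });
      } else {
        tableActions.forEach((action) => dropped.push({ sid: s.Sid, action }));
      }
    }
    if (streamActions.length > 0) {
      if (streamResources.length > 0) {
        streamStatements.push({ ...s, Action: streamActions, Resource: streamResources });
      } else {
        streamActions.forEach((action) => dropped.push({ sid: s.Sid, action }));
      }
    }
  }

  return {
    tablePolicy: { Version: doc.Version, Statement: tableStatements },
    streamPolicy:
      streamStatements.length > 0 ? { Version: doc.Version, Statement: streamStatements } : null,
    dropped,
  };
}

// Constructed input: the policy document posted in the issue, rebuilt compactly.
const ROLES = [1, 2, 3].map((n) => `arn:aws:iam::123456789012:role/test-ddb-role-${n}`);
const TABLE_ARN = "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test";
const ISSUE_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "DynamoDBIndexAndStreamAccess",
      Effect: "Allow",
      Action: ["dynamodb:GetShardIterator", "dynamodb:Scan", "dynamodb:Query",
               "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:ListStreams"],
      Principal: { AWS: ROLES },
      Resource: [`${TABLE_ARN}/index/*`, `${TABLE_ARN}/stream/*`],
    },
    {
      Sid: "DynamoDBTableAccess",
      Effect: "Allow",
      Action: ["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:ConditionCheckItem",
               "dynamodb:PutItem", "dynamodb:DescribeTable", "dynamodb:DeleteItem",
               "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem"],
      Principal: { AWS: ROLES },
      Resource: [TABLE_ARN],
    },
  ],
};

console.log("rejected by table endpoint:", findStreamActions(ISSUE_POLICY));
console.log(JSON.stringify(splitPolicyForStreams(ISSUE_POLICY), null, 2));
```

On the issue's policy the check reports the same four actions the error lists, and the split leaves the first statement with only `Scan` and `Query` on the index ARN and moves the four stream actions, with the same principals, onto the stream ARN. The `tablePolicy` half is the document to pass to the table; what to do with the `streamPolicy` half is outside what the issue shows, so treat attaching it to the stream as an assumption to verify against the DynamoDB documentation.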
