I have an Amazon DynamoDB table with a partition key composed of the user's id (from Facebook or Google) and other characters. I know a wildcard can be used to specify the properties of a fine-grained access policy, but I couldn't get the wildcard in dynamodb:LeadingKeys working.
Here is the working policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "g_${accounts.google.com:sub}"
          ]
        }
      }
    }
  ]
}
However, this doesn't work:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "*_${accounts.google.com:sub}"
          ]
        }
      }
    }
  ]
}
I found the solution to this. So instead of using ForAllValues:StringEquals, use ForAllValues:StringLike.
The working policy is such:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
      ],
      "Condition": {
        "ForAllValues:StringLike": {
          "dynamodb:LeadingKeys": [
            "*_${accounts.google.com:sub}"
          ]
        }
      }
    }
  ]
}
Took me a while to find this reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType
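To make the difference between the two condition operators concrete, here is an added example (not AWS code and not the answerer's code) that simulates how IAM evaluates a ForAllValues condition on dynamodb:LeadingKeys for the three Condition blocks in this thread. It models only what the thread uses: ${...} policy-variable substitution, the StringEquals and StringLike operators, and the ForAllValues set operator. The Google "sub" values, the CONTEXT dictionary and the function names are constructed for the example.

```python
"""Simulate IAM evaluation of ForAllValues conditions on dynamodb:LeadingKeys.

Added example; it is not AWS code and not the original poster's code. The
"sub" values below are constructed sample data, not real Google accounts.
"""
import re
from typing import Callable, Dict, List

# Constructed request context: the caller's web-identity claim (hypothetical).
MY_SUB = "111111111111111111111"
OTHER_SUB = "222222222222222222222"
CONTEXT = {"accounts.google.com:sub": MY_SUB}

# The three Condition elements from the thread.
WORKING_EQUALS = {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["g_${accounts.google.com:sub}"]}}
BROKEN_EQUALS = {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["*_${accounts.google.com:sub}"]}}
FIXED_LIKE = {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": ["*_${accounts.google.com:sub}"]}}


def substitute_variables(value: str, context: Dict[str, str]) -> str:
    """Resolve ${key} policy variables from the request context before matching."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], value)


def string_equals(pattern: str, value: str) -> bool:
    """StringEquals: exact, case-sensitive comparison; '*' is an ordinary character."""
    return pattern == value


def string_like(pattern: str, value: str) -> bool:
    """StringLike: case-sensitive; '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "StringEquals": string_equals,
    "StringLike": string_like,
}


def for_all_values(operator: str, policy_values: List[str],
                   request_values: List[str], context: Dict[str, str]) -> bool:
    """ForAllValues: every value in the request must match at least one policy value.
    An empty request set satisfies the condition (IAM's documented behaviour)."""
    match = OPERATORS[operator]
    patterns = [substitute_variables(p, context) for p in policy_values]
    return all(any(match(p, v) for p in patterns) for v in request_values)


def condition_allows(condition: dict, leading_keys: List[str],
                     context: Dict[str, str] = CONTEXT) -> bool:
    """Evaluate a Condition element of the shape used in the thread against the
    partition-key values a request touches (one per item for batch operations)."""
    for op_key, key_map in condition.items():
        set_op, _, operator = op_key.partition(":")
        if set_op != "ForAllValues":
            raise ValueError(f"unsupported set operator: {set_op}")
        for context_key, policy_values in key_map.items():
            if context_key != "dynamodb:LeadingKeys":
                raise ValueError(f"unsupported condition key: {context_key}")
            if not for_all_values(operator, policy_values, leading_keys, context):
                return False
    return True


if __name__ == "__main__":
    cases = [("StringEquals g_", WORKING_EQUALS), ("StringEquals *_", BROKEN_EQUALS), ("StringLike *_", FIXED_LIKE)]
    requests = (["g_" + MY_SUB], ["f_" + MY_SUB], ["g_" + OTHER_SUB], ["g_" + MY_SUB, "g_" + OTHER_SUB])
    for name, cond in cases:
        for keys in requests:
            print(f"{name:16} {keys!s:60} -> {condition_allows(cond, keys)}")
```

Running it shows why the second policy in the question "doesn't work": under StringEquals the `*` is compared literally, so `*_<sub>` only matches an item whose partition key really starts with `*_`, and the user's own `g_<sub>` key is denied. Under StringLike the same pattern admits any prefix, and ForAllValues still rejects a BatchGetItem that mixes in another user's key. Two caveats worth keeping in mind with the fix: the leading `*` accepts any prefix, so isolation relies on no other principal's key ending in `_<sub>`; and an empty key set evaluates to true, which is the reason AWS cautions against ForAllValues in Allow statements outside this well-known DynamoDB pattern.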