In IAM I tried creating the following policy for a user (account id in arn obfuscated):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "dynamodb:*",
                "Resource": "arn:aws:dynamodb:us-west-2:999999999999:table/busUsers"
            }
        ]
    }
However, it resulted in:
This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more
Show remaining shows:
One or more actions do not have an applicable resource.
I looked up the Learn more link and it says to replace the arn in the Resource element with *. I am confused now. What does * mean? I want to grant access to a specific DynamoDB table of mine. How do I specify that?
EDIT: I removed all DynamoDB actions and just selected one GetItem and it's:
When I deselect GetItem, both error messages go away.
When I select table Any, the first error message goes away.
When I select Resource Any, the second error message goes away.
It's because you are granting permissions for all dynamodb actions to a table resource, but not all of those actions are actually applicable to a table.
For example dynamodb:DescribeStream is not applicable to a table, only to a Stream, but you are granting permission to this resource anyway.
You can safely ignore this warning.
EDIT: You may not have realised you can just click Save Policy and it will work fine.
EDIT: Thanks for posting your screenshot. There are no errors here, just warnings, which might be better called tips in this case.
When you enter the ARN of a resource manually, AWS does not appear to recognise what type of resource it is (i.e. a table). If you add the resource through the table ARN generator, you won't get any warnings. In either case you end up with the same policy.
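The mismatch described in the answer above, as an added example that is not part of the original question or answer: a small Python check that lists which actions in a statement have no applicable resource. The `ACTION_RESOURCE_TYPES` table is a hand-built subset of DynamoDB actions assumed for illustration, and the function names are hypothetical.

```python
import fnmatch
import re

# Constructed subset of DynamoDB actions and the resource types each accepts
# ("*" = no resource-level support). Assumption: illustrative, not AWS's full list.
ACTION_RESOURCE_TYPES = {
    "dynamodb:GetItem": {"table"},
    "dynamodb:PutItem": {"table"},
    "dynamodb:Query": {"table", "index"},
    "dynamodb:DescribeStream": {"stream"},
    "dynamodb:GetRecords": {"stream"},
    "dynamodb:ListTables": {"*"},
}

# ARN shapes for DynamoDB tables, indexes and streams (most specific first).
_BASE = r"^arn:aws:dynamodb:[^:]*:[^:]*:table/[^/]+"
ARN_PATTERNS = [
    ("index", re.compile(_BASE + r"/index/.+$")),
    ("stream", re.compile(_BASE + r"/stream/.+$")),
    ("table", re.compile(_BASE + r"$")),
]

def resource_type(arn):
    """Classify a Resource value as '*', 'table', 'index', 'stream' or 'unknown'."""
    if arn == "*":
        return "*"
    for name, pat in ARN_PATTERNS:
        if pat.match(arn):
            return name
    return "unknown"  # anything else, e.g. an ARN with a wildcard sub-path

def as_list(value):
    return value if isinstance(value, list) else [value]

def unmatched_actions(policy):
    """Return the known actions that no Resource in their statement can satisfy."""
    unmatched = set()
    for stmt in policy["Statement"]:
        types = {resource_type(r) for r in as_list(stmt["Resource"])}
        for pattern in as_list(stmt["Action"]):
            for action, accepted in ACTION_RESOURCE_TYPES.items():
                hit = fnmatch.fnmatchcase(action.lower(), pattern.lower())
                if hit and "*" not in types and not (accepted & types):
                    unmatched.add(action)
    return sorted(unmatched)

# The policy from the question (Sid omitted).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "dynamodb:*",
    "Resource": "arn:aws:dynamodb:us-west-2:999999999999:table/busUsers"}]}
```

Run against the question's policy, the stream-only and account-level actions are reported while the table actions are not, which is why listing only table-level actions against the table ARN keeps the grant scoped to the one table without the warning.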