
Is it possible to setup dynamoDb permission scope to only table with some prefix?

Let's say I am using a shared AWS account. I want to set up my tables with the prefix "x-team", for example:

  • x-team_customer_order
  • x-team_customer

Another team also has other tables with a different prefix naming scheme. To limit our application's scope, we want to set up different credentials to be used by each team.

In this doc http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ddb-api-permissions-ref.html, they use the wildcard *, but there is no illustration that it is possible to use a wildcard for a table's prefix-name scheme.

Agung Pratama asked Apr 04 '16 03:04


1 Answer

Yes it is possible.

This policy would allow a user to create, read, update and delete tables that are named with their username and an underscore:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllAPIActionsOnUserSpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:us-west-2:494057818753:table/${aws:username}_*"
        },
        {
            "Sid": "AdditionalPrivileges",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListTables",
                "dynamodb:DescribeTable"
            ],
            "Resource": "*"
        }
    ]
}

This is very briefly mentioned at the bottom of this example in the AWS DynamoDB documentation.

Obviously, if you want to use prefixes that are different from the username, you can do it; you'll just have to make separate policies for every prefix you want to support.

Ben Reser answered Nov 03 '22 23:11
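As an added example, not part of the question or the answer: a Python script that generalizes the answer's policy to an arbitrary team prefix such as x-team (one generated policy per prefix, as the answer suggests) and checks candidate ARNs against it with a simplified local matcher that follows IAM wildcard rules. The region, the placeholder account id 123456789012 and the table names are assumptions; the matcher handles Allow statements only (no Deny, no Condition, no ${aws:username} substitution), so it is a sanity check on the policy shape, not the IAM engine.

```python
"""Prefix-scoped DynamoDB IAM policy generator plus a small local matcher.

Added example; not code from the question, the answer, or AWS. The account id
and region are placeholders, and the matcher is a simplification of IAM
(Allow statements only, no Deny, no Condition, no variable substitution).
"""
import json
import re

REGION = "us-west-2"          # assumption: any region works the same way
ACCOUNT_ID = "123456789012"   # placeholder account id, not a real account


def table_arn(table_name, region=REGION, account=ACCOUNT_ID):
    """ARN of a DynamoDB table; append '/index/<name>' for a secondary index."""
    return f"arn:aws:dynamodb:{region}:{account}:table/{table_name}"


def prefix_policy(prefix, region=REGION, account=ACCOUNT_ID):
    """Policy granting full DynamoDB access to tables named '<prefix>_*'.

    Same shape as the answer's policy, with a literal team prefix in place of
    ${aws:username}. Because the pattern ends in '*', it also matches the
    table's sub-resources (table/<name>/index/<idx>, table/<name>/stream/<label>).
    """
    tables = f"arn:aws:dynamodb:{region}:{account}:table/{prefix}_*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllActionsOnTeamTables",
                "Effect": "Allow",
                "Action": ["dynamodb:*"],
                "Resource": tables,
            },
            {
                # ListTables and DescribeTable are not tied to one table ARN in
                # this scheme, so they keep Resource "*" just as in the answer.
                "Sid": "AdditionalPrivileges",
                "Effect": "Allow",
                "Action": ["dynamodb:ListTables", "dynamodb:DescribeTable"],
                "Resource": "*",
            },
        ],
    }


def iam_match(pattern, value):
    """IAM wildcard semantics for Action/Resource: '*' any run, '?' one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.

    Action names are case-insensitive in IAM; resource ARNs (and therefore
    DynamoDB table names) are matched case-sensitively.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        action_ok = any(iam_match(a.lower(), action.lower()) for a in actions)
        resource_ok = any(iam_match(r, resource) for r in resources)
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    # One policy per team prefix, as the answer suggests.
    policies = {team: prefix_policy(team) for team in ("x-team", "y-team")}
    print(json.dumps(policies["x-team"], indent=2))
    x = policies["x-team"]
    print(is_allowed(x, "dynamodb:PutItem", table_arn("x-team_customer_order")))  # True
    print(is_allowed(x, "dynamodb:PutItem", table_arn("y-team_orders")))          # False
    print(is_allowed(x, "dynamodb:PutItem", table_arn("x-teamcustomer")))         # False
```

Two things the check makes visible: the trailing `*` in `table/x-team_*` also matches sub-resources such as `table/x-team_customer/index/by_email`, so secondary indexes need no separate ARN with this pattern, and the match is literal, so `x-teamcustomer` or `X-team_customer` fall outside the grant. The scheme is only as strong as the other teams' policies: it keeps x-team inside its own prefix, but it cannot stop a principal whose policy covers `table/*` from creating or reading an `x-team_` table.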