Cannot seem to set a condition like so for "addToRolePolicy" for a lambda;
```json
"Condition": {
  "ForAllValues:StringEquals": {
    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
  }
}
```
Digging into the interface for PolicyStatementProps, the conditions property just expects a key/value. I'm not sure how I can interpret the above into a policy.
Any ideas? Is this something that needs to be implemented? If so, what is the workaround? If not, what's the correct way?
Never mind, this can be closed. I completely misread that the value is of type "any", which means you can create an object for "ForAllValues:StringEquals" and therefore create a key for "dynamodb:LeadingKeys" that holds an array ['${cognito-identity.amazonaws.com:sub}'].
Full example

```typescript
updateUserSettingsLambda.addToRolePolicy(new iam.PolicyStatement({
  resources: [
    userSettingsDynamoDb.tableArn
  ],
  actions: [
    'dynamodb:DeleteItem',
    'dynamodb:GetItem',
    'dynamodb:PutItem',
    'dynamodb:Query',
    'dynamodb:UpdateItem'
  ],
  // Item-level restriction: the partition key of every item touched must equal
  // the caller's Cognito identity id.
  conditions: {
    'ForAllValues:StringEquals': {
      'dynamodb:LeadingKeys': ['${cognito-identity.amazonaws.com:sub}']
    }
  }
}));
```
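As an added example, not code from this issue or from the CDK itself: a small TypeScript model of how IAM evaluates the condition in the statement above, so its effect can be checked against constructed request contexts. The request-context shape, the helper names and the identity ids are assumptions.

```typescript
// Added example, not code from the issue or from the CDK: a small model of how
// IAM evaluates "ForAllValues:StringEquals" on "dynamodb:LeadingKeys".
// Assumption: each ${var} in a policy value names a single-valued request key.
type RequestContext = Record<string, string[]>; // condition key -> request values

const leadingKeysCondition = {
  'ForAllValues:StringEquals': {
    'dynamodb:LeadingKeys': ['${cognito-identity.amazonaws.com:sub}'],
  },
};

// Expand ${var} placeholders from the request context; null when a referenced
// variable is absent, which makes the condition fail (unauthenticated caller).
function expandVars(value: string, ctx: RequestContext): string | null {
  const missing: string[] = [];
  const out = value.replace(/\$\{([^}]+)\}/g, (_m, name: string) => {
    const v = ctx[name];
    if (!v || v.length !== 1) { missing.push(name); return ''; }
    return v[0];
  });
  return missing.length ? null : out;
}

// Every request value for `key` must be in the expanded policy set. The
// operator is also true when the request carries no value for `key`, so it
// constrains nothing on its own for actions without a leading key (such as
// Scan); the statement above avoids that by not granting such actions.
function forAllValuesStringEquals(policyValues: string[], key: string, ctx: RequestContext): boolean {
  const allowed = new Set<string>();
  for (const p of policyValues) {
    const expanded = expandVars(p, ctx);
    if (expanded === null) return false;
    allowed.add(expanded);
  }
  return (ctx[key] ?? []).every(v => allowed.has(v));
}

function leadingKeysAllowed(ctx: RequestContext): boolean {
  const cond = leadingKeysCondition['ForAllValues:StringEquals'];
  return forAllValuesStringEquals(cond['dynamodb:LeadingKeys'], 'dynamodb:LeadingKeys', ctx);
}

// Constructed request contexts; "us-east-1:id-A" / "id-B" are made-up identity ids.
const sub = { 'cognito-identity.amazonaws.com:sub': ['us-east-1:id-A'] };
const ownItem: RequestContext = { ...sub, 'dynamodb:LeadingKeys': ['us-east-1:id-A'] };
const otherUsersItem: RequestContext = { ...sub, 'dynamodb:LeadingKeys': ['us-east-1:id-B'] };
const batchWithForeignKey: RequestContext = { ...sub, 'dynamodb:LeadingKeys': ['us-east-1:id-A', 'us-east-1:id-B'] };
const noLeadingKeys: RequestContext = { ...sub }; // e.g. a Scan, which carries no partition key
const unauthenticatedCaller: RequestContext = { 'dynamodb:LeadingKeys': ['us-east-1:id-A'] };
```

The `noLeadingKeys` case is the one to keep in mind: the set operator alone does not deny a request that has no leading key, so the allowed actions list is doing real work in the statement above.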
Thanks @owenashurst literally writing the same kind of policy today.