Chalice: Add support for resource types in policy generation

Created on 12 Sep 2016 · 4 Comments · Source: aws/chalice

This code snippet is a simplified version of the examples in the Boto3 docs

import boto3

db = boto3.resource("dynamodb")
tbl = db.Table('mytable')
r = tbl.get_item(Key={'mykey': myval})

The policy generator misses that this will need to add a dynamodb:GetItem.

In contrast, the policy generator does notice it when using this (more low-level) snippet:

dbc = boto3.client("dynamodb")
r = dbc.get_item(TableName="mytable", Key={"mykey": {"S": myval }})

Labels: feature-request

All 4 comments

Related: added the following two lines to my config, as described on the Quick start page:

"manage_iam_role": false,
"iam_role_arn": "arn:aws:iam::<account-id>:role/<role-name>"

and then deployed again. Seems that the role for the Chalice lambda function is not updated to this role though, had to do that manually.

Also requested here: https://github.com/awslabs/chalice/issues/132

The issue is that the policy generator doesn't understand resource types (anything with boto3.resource(...)). This is something I'd like to add.

Marking as a feature request.

If you REALLY want to use boto3.resource(...) but don't want to manually generate IAM, I've found a dirty little workaround:

ddb = boto3.client("dynamodb")
try:
    ddb.get_item(TableName="helloworld")
    ddb.put_item(TableName="helloworld")
except:
    print("move along")

tbl = boto3.resource('dynamodb').Table('helloworld')
tbl.put_item(Item={ 'keyname': key, 'body': request.raw_body } )

The first ddb load with the get/put in the try/except will trigger Chalice into generating the proper IAM. Those calls will, of course, fail (as expected). You could also probably put them into a function that is never called. Then you can use the boto3.resource(...) as normal (so long as you have a "fake" call for each real call).

A good enough workaround is suggested here: https://github.com/aws/chalice/issues/692#issuecomment-426738566
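
The gap discussed in this thread, as an added example that is not Chalice's policy generator and not code from any participant: a small AST scanner that infers IAM actions from boto3 client calls only, and optionally also follows boto3.resource(...) objects and sub-resources such as Table. The names Scanner, service_of, infer_actions and to_action are hypothetical, and the method-name-to-action mapping is an assumption that holds for the DynamoDB item calls shown.

```python
import ast

# Constructed sample in the thread's two styles; parsed only, never executed.
SAMPLE = '''
import boto3
dbc = boto3.client("dynamodb")
r = dbc.get_item(TableName="mytable", Key={"mykey": {"S": myval}})
tbl = boto3.resource("dynamodb").Table("mytable")
tbl.put_item(Item={"mykey": myval})
'''

def to_action(service, method):
    # Assumption: snake_case -> PascalCase yields the IAM action (true for these calls).
    return service + ":" + "".join(p.capitalize() for p in method.split("_"))

class Scanner(ast.NodeVisitor):
    def __init__(self, track_resources):
        self.kinds = ("client", "resource") if track_resources else ("client",)
        self.bound, self.actions = {}, set()  # variable -> service; IAM actions seen

    def service_of(self, node):
        if isinstance(node, ast.Name):
            return self.bound.get(node.id)
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            return None
        base, attr = node.func.value, node.func.attr
        if isinstance(base, ast.Name) and base.id == "boto3" and attr in self.kinds:
            arg = node.args[0] if node.args else None
            return arg.value if isinstance(arg, ast.Constant) else None
        # Sub-resource constructors such as .Table("x") keep the parent's service.
        inherits = "resource" in self.kinds and attr[:1].isupper()
        return self.service_of(base) if inherits else None

    def visit_Assign(self, node):
        service = self.service_of(node.value)
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        self.bound.update(dict.fromkeys(names, service))  # None clears a rebinding
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        service = self.service_of(func.value) if isinstance(func, ast.Attribute) else None
        if service and func.attr[:1].islower():
            self.actions.add(to_action(service, func.attr))
        self.generic_visit(node)

def infer_actions(source, track_resources=False):
    scanner = Scanner(track_resources)
    scanner.visit(ast.parse(source))
    return sorted(scanner.actions)
```

With the default client-only scan, infer_actions(SAMPLE) reports only dynamodb:GetItem; with track_resources=True the put_item made through the Table resource is reported too, so the role can stay scoped to the calls the code really makes without dummy client calls.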
