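amazon-web-services - Adding the index ARN from DynamoDB to a SAM yml file
Problem description
I am trying to access my DynamoDB table through a user that has all access to the table.
However, I am not able to query the same table on the LSI. It says the user does not have permission to query the index.
I checked the documentation, and it shows that the index needs to be defined separately, like arn:aws:dynamodb:region:account-id:table/table-name/index/index-name
But I am not sure how to define that in the cloudformation yml file.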

    # Table resource (declared under the template's Resources section)
    BooksTable:
      Type: AWS::DynamoDB::Table
      DeletionPolicy: Retain
      Properties:
        TableName:
          Fn::Sub: ${SamStackPrefix}${Stage}-BooksTable
        BillingMode: PAY_PER_REQUEST
        KeySchema:
          - AttributeName: hashKey
            KeyType: HASH
          - AttributeName: rangeKey
            KeyType: RANGE
        LocalSecondaryIndexes:
          - IndexName: LSI1
            KeySchema:
              - AttributeName: hashKey
                KeyType: HASH
              - AttributeName: clientToken
                KeyType: RANGE
            Projection:
              ProjectionType: ALL
        AttributeDefinitions:
          - AttributeName: hashKey
            AttributeType: S
          - AttributeName: rangeKey
            AttributeType: S
          - AttributeName: clientToken
            AttributeType: S
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
        TimeToLiveSpecification:
          AttributeName: expirationTime
          Enabled: true

    # Template outputs exporting the table name, table ARN and stream ARN
    Outputs:
      BooksTableName:
        Description: books table.
        Value:
          !Ref BooksTable
        Export:
          Name:
            Fn::Sub: ${SamStackPrefix}${Stage}-BooksTableName
      BooksTableArn:
        Description: Arn for books DynamoDB Table
        Value:
          Fn::GetAtt: [ BooksTable, Arn ]
        Export:
          Name:
            Fn::Sub: ${SamStackPrefix}${Stage}-BooksTableArn
      BooksTableStreamArn:
        Description: The DDB stream for the books table.
        Value:
          Fn::GetAtt: [BooksTable, StreamArn]
        Export:
          Name:
            Fn::Sub: ${SamStackPrefix}${Stage}-BooksStreamArn

Current IAM policy

    Policies:
      - PolicyDocument:
          Statement:
            - Action: ['dynamodb:PutItem', 'dynamodb:ConditionCheckItem', 'dynamodb:Query', 'dynamodb:GetItem', 'dynamodb:UpdateItem']
              Effect: Allow
              Resource:
                - Fn::GetAtt: [BooksTable, Arn]

How can I add the LSI to the resource list so that I can use that ARN to add permissions in the policy document?
Solution
Update the IAM policy; this should work:

    Policies:
      - PolicyDocument:
          Statement:
            - Action: ['dynamodb:PutItem', 'dynamodb:ConditionCheckItem', 'dynamodb:Query', 'dynamodb:GetItem', 'dynamodb:UpdateItem']
              Effect: Allow
              Resource:
                - Fn::GetAtt: [BooksTable, Arn]
                - "arn:aws:dynamodb:{region}:{account}:table/{tableName}/index/{indexName}"
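
One way to fill in the index ARN from the answer without hard-coding region, account or table name, shown as an added example that is not part of the original question or answer. It assumes the policy sits in the same template as BooksTable, so that `${BooksTable.Arn}` resolves inside `Fn::Sub`; the `Sid` values are illustrative.

```yaml
# Added example. Assumption: this policy is declared in the same template as
# BooksTable, so Fn::Sub can resolve ${BooksTable.Arn}.
Policies:
  - PolicyDocument:
      Statement:
        # Item-level actions are authorized against the table ARN only,
        # so they do not need the index ARN.
        - Sid: BooksTableItemAccess   # illustrative Sid
          Effect: Allow
          Action:
            - dynamodb:PutItem
            - dynamodb:ConditionCheckItem
            - dynamodb:GetItem
            - dynamodb:UpdateItem
          Resource:
            - Fn::GetAtt: [BooksTable, Arn]
        # Query is authorized against the table ARN, or against the index ARN
        # when the request names an index.
        - Sid: BooksTableQuery        # illustrative Sid
          Effect: Allow
          Action:
            - dynamodb:Query
          Resource:
            - Fn::GetAtt: [BooksTable, Arn]
            # Index ARN = table ARN + /index/<IndexName>; LSI1 is the index
            # declared on BooksTable in the question.
            - Fn::Sub: "${BooksTable.Arn}/index/LSI1"
            # Broader alternative that covers every index on the table:
            # - Fn::Sub: "${BooksTable.Arn}/index/*"
```

Naming `LSI1` explicitly keeps the grant limited to that one index; the commented wildcard form also covers any index added to the table later.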