英文:
Amazon DynamoDB & IAM - Allow update-item to change a single attribute
问题
描述:
我有一个包含50个项目的表格,每个项目至少有三个属性Name
、Age
和E-mail
。
用户应该能够:
-
对特定项目的
Name
执行update
。 -
对所有项目的属性执行以下操作:
- BatchGetItem
- ConditionCheckItem
- DescribeTable
- GetItem
- Scan
- ListTagsOfResource
- Query
我尝试过的:
我在IAM中使用了这个策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UserNameUpdate",
"Effect": "Allow",
"Action": "dynamodb:UpdateItem",
"Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>",
"Condition": {
"StringEquals": {
"dynamodb:ReturnValues": [
"NONE",
"UPDATED_OLD",
"UPDATED_NEW"
]
},
"ForAllValues:StringLike": {
"dynamodb:Attributes": "Name"
}
}
},
{
"Sid": "GetAll",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ListTagsOfResource",
"dynamodb:Query"
],
"Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>"
}
]
}
结果:
- 尝试更新项目时,我收到了
AccessDeniedException
。 - 尝试其他操作时,它们正常工作。
我对IAM规则不是很了解,尤其是Condition
部分 😓。任何帮助都将不胜感激。
英文:
Description:
I have a table with 50 items, each item has at least three attributes Name
, Age
and E-mail
.
The user should be able to:
-
Perform
update
on a specific item'sName
. -
Perform these operations on all items' attributes:
- BatchGetItem
- ConditionCheckItem
- DescribeTable
- GetItem
- Scan
- ListTagsOfResource
- Query
What I've Tried:
I used this policy in IAM:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UserNameUpdate",
"Effect": "Allow",
"Action": "dynamodb:UpdateItem",
"Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>",
"Condition": {
"StringEquals": {
"dynamodb:ReturnValues": [
"NONE",
"UPDATED_OLD",
"UPDATED_NEW"
]
},
"ForAllValues:StringLike": {
"dynamodb:Attributes": "Name"
}
}
},
{
"Sid": "GetAll",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ListTagsOfResource",
"dynamodb:Query"
],
"Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>"
}
]
}
The Result:
- When trying to update-item I get
AccessDeniedException
. - When trying to other operations they work normally.
I'm not very much into IAM rules, especially Condition
section 😕. Any help will be appreciated.
答案1
得分: 1
Name
是 DynamoDB 中的一个保留字。也许这就是你的问题所在?
英文:
Name
is a reserved word in DynamoDB. Perhaps that's your problem?
答案2
得分: 1
我认为预期的是一个值数组:
"ForAllValues:StringLike": {
"dynamodb:Attributes": ["Name"]
}
英文:
I think an array of values is expected:
"ForAllValues:StringLike": {
"dynamodb:Attributes": ["Name"]
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论