英文:
Amazon DynamoDB & IAM - Allow update-item to change a single attribute
问题
描述:
我有一个包含50个项目的表格,每个项目至少有三个属性Name、Age和E-mail。
用户应该能够:
-
对特定项目的
Name执行update。 -
对所有项目的属性执行以下操作:
- BatchGetItem
- ConditionCheckItem
- DescribeTable
- GetItem
- Scan
- ListTagsOfResource
- Query
我尝试过的:
我在IAM中使用了这个策略:
{"Version": "2012-10-17","Statement": [{"Sid": "UserNameUpdate","Effect": "Allow","Action": "dynamodb:UpdateItem","Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>","Condition": {"StringEquals": {"dynamodb:ReturnValues": ["NONE","UPDATED_OLD","UPDATED_NEW"]},"ForAllValues:StringLike": {"dynamodb:Attributes": "Name"}}},{"Sid": "GetAll","Effect": "Allow","Action": ["dynamodb:BatchGetItem","dynamodb:ConditionCheckItem","dynamodb:DescribeTable","dynamodb:GetItem","dynamodb:Scan","dynamodb:ListTagsOfResource","dynamodb:Query"],"Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>"}]}
结果:
- 尝试更新项目时,我收到了
AccessDeniedException。 - 尝试其他操作时,它们正常工作。
我对IAM规则不是很了解,尤其是Condition部分 😓。任何帮助都将不胜感激。
英文:
Description:
I have a table with 50 items, each item has at least three attributes Name, Age and E-mail.
The user should be able to:
-
Perform
updateon a specific item'sName. -
Perform these operations on all items' attributes:
- BatchGetItem
- ConditionCheckItem
- DescribeTable
- GetItem
- Scan
- ListTagsOfResource
- Query
What I've Tried:
I used this policy in IAM:
{"Version": "2012-10-17","Statement": [{"Sid": "UserNameUpdate","Effect": "Allow","Action": "dynamodb:UpdateItem","Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>","Condition": {"StringEquals": {"dynamodb:ReturnValues": ["NONE","UPDATED_OLD","UPDATED_NEW"]},"ForAllValues:StringLike": {"dynamodb:Attributes": "Name"}}},{"Sid": "GetAll","Effect": "Allow","Action": ["dynamodb:BatchGetItem","dynamodb:ConditionCheckItem","dynamodb:DescribeTable","dynamodb:GetItem","dynamodb:Scan","dynamodb:ListTagsOfResource","dynamodb:Query"],"Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>"}]}
The Result:
- When trying to update-item I get
AccessDeniedException. - When trying to other operations they work normally.
I'm not very much into IAM rules, especially Condition section 😕. Any help will be appreciated.
答案1
得分: 1
Name 是 DynamoDB 中的一个保留字。也许这就是你的问题所在?
英文:
Name is a reserved word in DynamoDB. Perhaps that's your problem?
答案2
得分: 1
我认为预期的是一个值数组:
"ForAllValues:StringLike": {"dynamodb:Attributes": ["Name"]}
英文:
I think an array of values is expected:
"ForAllValues:StringLike": {"dynamodb:Attributes": ["Name"]}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论