Amazon DynamoDB & IAM - Allow update-item to change a single attribute

Question


Description:

I have a table with 50 items; each item has at least three attributes: Name, Age and E-mail.

The user should be able to:

  1. Perform an update on a specific item's Name.

  2. Perform these operations on all items' attributes:

  • BatchGetItem
  • ConditionCheckItem
  • DescribeTable
  • GetItem
  • Scan
  • ListTagsOfResource
  • Query

What I've Tried:

I used this policy in IAM:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UserNameUpdate",
            "Effect": "Allow",
            "Action": "dynamodb:UpdateItem",
            "Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>",
            "Condition": {
                "StringEquals": {
                    "dynamodb:ReturnValues": [
                        "NONE",
                        "UPDATED_OLD",
                        "UPDATED_NEW"
                    ]
                },
                "ForAllValues:StringLike": {
                    "dynamodb:Attributes": "Name"
                }
            }
        },
        {
            "Sid": "GetAll",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:ConditionCheckItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ListTagsOfResource",
                "dynamodb:Query"
            ],
            "Resource": "arn:aws:dynamodb:<region>:<account>:table/<tableName>"
        }
    ]
}

The Result:

  • When trying to update-item I get AccessDeniedException.
  • When trying other operations, they work normally.

I'm not very much into IAM rules, especially the Condition section 😕. Any help will be appreciated.

Answer 1

Score: 1


Name is a reserved word in DynamoDB. Perhaps that's your problem?

Answer 2

Score: 1


I think an array of values is expected:

"ForAllValues:StringLike": {
    "dynamodb:Attributes": ["Name"]
}
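As an added illustration (not code from the question or either answer), the following Python models how IAM evaluates the `ForAllValues:StringLike` condition on `dynamodb:Attributes` for an UpdateItem request. It assumes the table's partition key is called `Id` (the question never names it) and that the request's attribute set includes the key attributes passed in `Key`, which is why the DynamoDB fine-grained access control documentation requires every primary key attribute to be listed whenever `dynamodb:Attributes` is used.

```python
import re
from typing import Iterable, Union

PARTITION_KEY = "Id"  # assumed name of the table's partition key (not given in the question)


def string_like(value: str, pattern: str) -> bool:
    """IAM StringLike: case-sensitive match where * matches any run and ? one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def for_all_values_string_like(policy_values: Union[str, Iterable[str]],
                               request_values: Iterable[str]) -> bool:
    """ForAllValues: every value in the request must match at least one policy value.

    IAM accepts a condition value as either a bare string or a list, so "Name" and
    ["Name"] are evaluated identically. An empty request set satisfies ForAllValues,
    which is why a Scan that names no attributes passes an attribute-only condition.
    """
    patterns = [policy_values] if isinstance(policy_values, str) else list(policy_values)
    return all(any(string_like(v, p) for p in patterns) for v in request_values)


def update_item_attributes(key: dict, update_attrs: Iterable[str]) -> set:
    """dynamodb:Attributes seen for an UpdateItem: the key attributes in Key plus
    every attribute the update expression writes."""
    return set(key) | set(update_attrs)


def is_update_allowed(policy_values, key: dict, update_attrs: Iterable[str]) -> bool:
    """Outcome of the question's UserNameUpdate condition for one UpdateItem request."""
    return for_all_values_string_like(policy_values, update_item_attributes(key, update_attrs))


def demo() -> dict:
    """Constructed requests evaluated against variants of the question's condition."""
    key = {PARTITION_KEY: "user-42"}  # constructed sample key
    return {
        # the condition as posted: only "Name" is listed, but the request also
        # carries the key attribute, so ForAllValues fails -> AccessDeniedException
        "policy_as_posted": is_update_allowed("Name", key, ["Name"]),
        # the array form from Answer 2 is valid policy syntax and evaluates the same way
        "policy_as_array": is_update_allowed(["Name"], key, ["Name"]),
        # listing the key attribute next to Name admits the intended update ...
        "key_plus_name": is_update_allowed([PARTITION_KEY, "Name"], key, ["Name"]),
        # ... and still refuses an update that touches Age
        "key_plus_name_vs_age": is_update_allowed([PARTITION_KEY, "Name"], key, ["Age"]),
        # an empty request set passes ForAllValues (the Scan-without-projection case)
        "empty_request_set": for_all_values_string_like(["Name"], []),
    }
```

For reads, the AWS reference policy pairs the attribute condition with `dynamodb:Select` set to `SPECIFIC_ATTRIBUTES` so that a request naming no attributes cannot slip through the empty-set case.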

huangapple
  • Posted on 2020-09-25 01:06:31
  • Please keep this link when reposting: https://go.coder-hub.com/64051173.html