

fix(dynamodb): grantTableListStreams() permissions have incorrect Res…
…ource (#10631)

The `dynamodb:ListStreams` action does not support resource-level permissions (the IAM action reference lists no resource types for it), so the policy statement's Resource must be `*`; a stream ARN in that position is silently denied.

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazondynamodb.html

Fixes #9511

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
ayush987goyal authored Oct 15, 2020
1 parent 5bc9709 commit b2f16b3
Showing 5 changed files with 10 additions and 101 deletions.
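--- a/packages/@aws-cdk/aws-dynamodb/lib/table.ts
+++ b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
@@ -565,10 +565,7 @@ abstract class TableBase extends Resource implements ITable {
 return iam.Grant.addToPrincipal({
 grantee,
 actions: ['dynamodb:ListStreams'],
-resourceArns: [
-Lazy.stringValue({ produce: () => `${this.tableArn}/stream/*` }),
-...this.regionalArns.map(arn => Lazy.stringValue({ produce: () => `${arn}/stream/*` })),
-],
+resourceArns: ['*'],
 });
 }
 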
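Review bot: The new `resourceArns: ['*']` carries no explanation, and a wildcard resource on a grant method is exactly what a later maintainer will try to "tighten" back to the stream ARN, undoing this fix; add a comment above it such as `// dynamodb:ListStreams has no resource-level permissions (IAM action reference lists no resource types), so the statement must use '*'; a stream ARN here is silently denied.` The wildcard is correct per the referenced IAM docs, but it presumably lets the grantee enumerate stream ARNs of every table in the account, while reading records still depends on the separately scoped DescribeStream/GetRecords/GetShardIterator grant — worth stating in the method's TSDoc so callers know what they are granting. If this was the last use of `Lazy` in table.ts the import should go too, though that is not visible here. grantTableListStreams's signature and doc comment begin above the hunk.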
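--- a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
+++ b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
@@ -600,20 +600,7 @@ test('if an encryption key is included, decrypt permissions are also added for g
 {
 'Action': 'dynamodb:ListStreams',
 'Effect': 'Allow',
-'Resource': {
-'Fn::Join': [
-'',
-[
-{
-'Fn::GetAtt': [
-'TableA3D7B5AFA',
-'Arn',
-],
-},
-'/stream/*',
-],
-],
-},
+'Resource': '*',
 },
 {
 'Action': [
@@ -1784,7 +1771,7 @@ describe('grants', () => {
 {
 'Action': 'dynamodb:ListStreams',
 'Effect': 'Allow',
-'Resource': { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['mytable0324D45C', 'Arn'] }, '/stream/*']] },
+'Resource': '*',
 },
 ],
 'Version': '2012-10-17',
@@ -1830,7 +1817,7 @@ describe('grants', () => {
 {
 'Action': 'dynamodb:ListStreams',
 'Effect': 'Allow',
-'Resource': { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['mytable0324D45C', 'Arn'] }, '/stream/*']] },
+'Resource': '*',
 },
 {
 'Action': [
@@ -2145,7 +2132,7 @@ describe('import', () => {
 {
 Action: 'dynamodb:ListStreams',
 Effect: 'Allow',
-Resource: stack.resolve(`${table.tableArn}/stream/*`),
+Resource: '*',
 },
 ],
 Version: '2012-10-17',
@@ -2173,7 +2160,7 @@ describe('import', () => {
 {
 Action: 'dynamodb:ListStreams',
 Effect: 'Allow',
-Resource: stack.resolve(`${table.tableArn}/stream/*`),
+Resource: '*',
 },
 {
 Action: ['dynamodb:DescribeStream', 'dynamodb:GetRecords', 'dynamodb:GetShardIterator'],
@@ -2638,56 +2625,7 @@ describe('global', () => {
 {
 Action: 'dynamodb:ListStreams',
 Effect: 'Allow',
-Resource: [
-{
-'Fn::Join': [
-'',
-[
-'arn:',
-{
-Ref: 'AWS::Partition',
-},
-':dynamodb:us-east-1:',
-{
-Ref: 'AWS::AccountId',
-},
-':table/my-table/stream/*',
-],
-],
-},
-{
-'Fn::Join': [
-'',
-[
-'arn:',
-{
-Ref: 'AWS::Partition',
-},
-':dynamodb:eu-west-2:',
-{
-Ref: 'AWS::AccountId',
-},
-':table/my-table/stream/*',
-],
-],
-},
-{
-'Fn::Join': [
-'',
-[
-'arn:',
-{
-Ref: 'AWS::Partition',
-},
-':dynamodb:eu-central-1:',
-{
-Ref: 'AWS::AccountId',
-},
-':table/my-table/stream/*',
-],
-],
-},
-],
+Resource: '*',
 },
 ],
 Version: '2012-10-17',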
Expand Up @@ -39,20 +39,7 @@
{
"Action": "dynamodb:ListStreams",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"TD925BC7E",
"Arn"
]
},
"/stream/*"
]
]
}
"Resource": "*"
},
{
"Action": [
Expand Up @@ -34,7 +34,7 @@ export = {
{
'Action': 'dynamodb:ListStreams',
'Effect': 'Allow',
'Resource': { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['TD925BC7E', 'Arn'] }, '/stream/*']] },
'Resource': '*',
},
{
'Action': [
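--- a/packages/decdk/test/__snapshots__/synth.test.js.snap
+++ b/packages/decdk/test/__snapshots__/synth.test.js.snap
@@ -1092,20 +1092,7 @@ Object {
 Object {
 "Action": "dynamodb:ListStreams",
 "Effect": "Allow",
-"Resource": Object {
-"Fn::Join": Array [
-"",
-Array [
-Object {
-"Fn::GetAtt": Array [
-"TableCD117FA1",
-"Arn",
-],
-},
-"/stream/*",
-],
-],
-},
+"Resource": "*",
 },
 Object {
 "Action": Array [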
