问题描述
我正在尝试通过对表具有全部访问权限的用户访问我的DynamoDB。
但是,我无法在LSI中查询同一张表。它说用户没有查询索引的权限。
我检查了文档,发现索引需要像arn:aws:dynamodb:region:account-id:table / table-name / index / index-name一样单独定义
但是我不确定如何在cloudformation yml文件中定义它。
BooksTable:
Type: AWS::DynamoDB::Table
DeletionPolicy: Retain
Properties:
TableName:
Fn::Sub: ${SamStackPrefix}${Stage}-BooksTable
BillingMode: PAY_PER_REQUEST
KeySchema:
- AttributeName: hashKey
KeyType: HASH
- AttributeName: rangeKey
KeyType: RANGE
LocalSecondaryIndexes:
- IndexName: LSI1
KeySchema:
- AttributeName: hashKey
KeyType: HASH
- AttributeName: clientToken
KeyType: RANGE
Projection:
ProjectionType: ALL
AttributeDeFinitions:
- AttributeName: hashKey
AttributeType: S
- AttributeName: rangeKey
AttributeType: S
- AttributeName: clientToken
AttributeType: S
StreamSpecification:
StreamViewType: NEW_AND_OLD_IMAGES
TimetoLiveSpecification:
AttributeName: expirationTime
Enabled: true
Outputs:
BooksTableName:
Description: books table.
Value:
!Ref BooksTable
Export:
Name:
Fn::Sub: ${SamStackPrefix}${Stage}-BooksTableName
BooksTableArn:
Description: Arn for books DynamoDB Table
Value:
Fn::GetAtt: [ BooksTable,Arn ]
Export:
Name:
Fn::Sub: ${SamStackPrefix}${Stage}-BooksTableArn
BooksTableStreamArn:
Description: The DDB stream for the books table.
Value:
Fn::GetAtt: [BooksTable,StreamArn]
Export:
Name:
Fn::Sub: ${SamStackPrefix}${Stage}-BooksstreamArn
IAM政策
Policies:
- PolicyDocument:
Statement:
- Action: ['dynamodb:PutItem','dynamodb:ConditionCheckItem','dynamodb:Query','dynamodb:GetItem','dynamodb:UpdateItem']
Effect: Allow
Resource:
- Fn::GetAtt: [BooksTable,Arn]
如何将LSI添加到资源列表中,以便我可以使用该ARN在策略文档中添加权限。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)