Hi,
I’m trying to define the iamRoleStatements section for two DynamoDB tables. I’ve found different YAML styles of defining this on different websites, but none of them worked. Here’s what I tried.
Version 1:

```yaml
iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:DescribeTable
      - dynamodb:Query
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
    Resource:
      - Fn::GetAtt:
          - EntitiesTable
          - Arn
      - Fn::GetAtt:
          - UsersTable
          - Arn
```
Version 2:

```yaml
iamRoleStatements:
  ...
    Resource:
      - { "Fn::GetAtt": ["EntitiesTable", "Arn"] }
      - { "Fn::GetAtt": ["UsersTable", "Arn"] }
```
Version 3:

```yaml
iamRoleStatements:
  ...
    Resource:
      "Fn::GetAtt":
        - [ EntitiesTable, Arn ]
        - [ UsersTable, Arn ]
```
As I mentioned, none of the above works: I’m always getting either
An error occurred: UsersTable - User: arn:aws:iam:::user/spatial-stream is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-north-1::table/dev-users (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException;
or
An error occurred: EntitiesTable - User: arn:aws:iam:::user/spatial-stream is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-north-1::table/dev-entities (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException;
So only the problematic table changes, but not the error itself.
Is it that all of these approaches are wrong and I need some other syntax, or am I facing some kind of bug?
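Both errors name the IAM user that runs the deployment, while an iamRoleStatements block only adds statements to the execution role the framework generates for the functions, so that role's policy never enters into the decision quoted above. The Python below is an added example, not code from this post: a reduced IAM evaluator (explicit Deny, then Allow, else implicit deny) run against a constructed rendering of Version 1 and against an assumed deployer policy; the account id, the table ARNs and the deployer's permissions are placeholders.

```python
import fnmatch

# Constructed sample ARNs (the account id is a placeholder, not from the post).
ACCOUNT = "123456789012"
ENTITIES_TABLE_ARN = f"arn:aws:dynamodb:eu-north-1:{ACCOUNT}:table/dev-entities"
USERS_TABLE_ARN = f"arn:aws:dynamodb:eu-north-1:{ACCOUNT}:table/dev-users"

# What Version 1 renders to once CloudFormation resolves both Fn::GetAtt calls.
# It is attached to the Lambda execution role only, not to the deploying user.
FUNCTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:GetItem",
                   "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
        "Resource": [ENTITIES_TABLE_ARN, USERS_TABLE_ARN],
    }],
}

# Assumed policy of the IAM user running the deploy: it can drive CloudFormation,
# Lambda and S3 but was never granted anything on DynamoDB.
DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:*", "lambda:*", "s3:*", "iam:PassRole"],
        "Resource": "*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(candidate, patterns):
    # IAM wildcards are '*' and '?'; fnmatchcase keeps the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Reduced IAM decision: explicit Deny beats Allow; nothing matched is ImplicitDeny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(action, stmt["Action"]) or not _matches(resource, stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def explain(principal, policy, action, resource):
    """Mirror the AccessDenied wording from the post when the decision is not Allow."""
    if evaluate(policy, action, resource) == "Allow":
        return f"{principal} may perform {action} on {resource}"
    return f"{principal} is not authorized to perform: {action} on resource: {resource}"
```

Running evaluate() with the deployer's policy reproduces the implicit deny behind the quoted error, and the function-role policy shows that Version 1 does grant the six listed actions on exactly the two tables and nothing else.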