I am trying to create a simple IAM role to have my AppSync service connect to my DynamoDB database, but because AppSync is in preview, IAM does not recognize AppSync as a service. How do I create an IAM role to let AppSync have full access to DynamoDB?
The trusted relationships side looks something like this
Example Trusted Relationships Doc
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The policy doc is basically the same as always
Example Policy Doc
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
If you are using a CloudFormation template, it might look like this
Example CloudFormation Template
AppSyncRole:
  Type: "AWS::IAM::Role"
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "appsync.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: "appsync-policy"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "dynamodb:PutItem"
                - "dynamodb:UpdateItem"
                - "dynamodb:DeleteItem"
                - "dynamodb:GetItem"
                - "dynamodb:Query"
                - "dynamodb:Scan"
              Resource: "*"
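The policy in the answer above uses `Resource: "*"`, which lets the AppSync role read, scan and delete items in every DynamoDB table in the account, not just the one the API serves. The following is an added example (not code from the answer or from AWS) that takes that policy and pins it to named tables, including their secondary indexes, and flags any statement that still grants data-plane actions on `*`. The table ARN used is a constructed placeholder.

```python
"""Added example, not from the answer above: scope the AppSync DynamoDB
policy from Resource "*" down to the tables the API actually serves.
The table ARN in the usage block is a constructed placeholder."""
import copy
import json

# The answer's policy, as posted.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                   "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}

# Actions that read or write items; these should never be granted on "*".
DATA_PLANE_ACTIONS = {
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem",
}


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def table_resources(table_arn):
    """A table ARN plus its secondary-index pattern: Query/Scan against a GSI or
    LSI is authorised on arn:...:table/Name/index/IndexName, not on the table ARN."""
    return [table_arn, table_arn + "/index/*"]


def scope_to_tables(policy, table_arns):
    """Return a copy of policy in which every Allow statement on Resource "*"
    is restricted to the given tables (and their indexes)."""
    scoped = copy.deepcopy(policy)
    resources = [r for arn in table_arns for r in table_resources(arn)]
    for stmt in scoped["Statement"]:
        if stmt.get("Effect") == "Allow" and as_list(stmt.get("Resource")) == ["*"]:
            stmt["Resource"] = resources
    return scoped


def overbroad_statements(policy):
    """Indexes of Allow statements that grant data-plane actions on every table."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = set(as_list(stmt.get("Action", [])))
        wildcard = "*" in as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == "Allow" and wildcard and (
            "dynamodb:*" in actions or actions & DATA_PLANE_ACTIONS
        ):
            hits.append(i)
    return hits


if __name__ == "__main__":
    posts = "arn:aws:dynamodb:us-east-1:123456789012:table/Posts"  # constructed placeholder
    print(overbroad_statements(ANSWER_POLICY))  # [0]
    print(json.dumps(scope_to_tables(ANSWER_POLICY, [posts]), indent=2))
```

Drop the `/index/*` entry if the table has no secondary indexes, and drop `dynamodb:Scan` from the action list unless a resolver genuinely needs a full-table read; it is the one action in the list that can never be narrowed by item key.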
Related
I'm trying to add a custom resource via amplify. I proceeded to add the resource in CustomResources.json but it gives me an error:
CustomResourcesjson AWS::CloudFormation::Stack UPDATE_FAILED Thu Nov 24 2022 13:18:36…
🛑 An error occurred during the push operation: /
Resource is not in the state stackUpdateComplete
I also used the amplify add custom command in AWSCloudformation format but it gave me another type of error.
My goal is to reproduce this procedure written for serverless, but on amplify:
- type: AMAZON_DYNAMODB
  name: likeMutation
  config:
    tableName: !Ref LikesTable
    iamRoleStatements:
      - Effect: Allow
        Action: dynamodb:PutItem
        Resource: !GetAtt LikesTable.Arn
      - Effect: Allow
        Action: dynamodb:UpdateItem
        Resource:
          - !GetAtt UsersTable.Arn
          - !GetAtt TweetsTable.Arn
It is about creating a data source connected to a table but whose permissions allow you to perform operations on other tables.
The resource I added in the CustomResources.json file is:
"LikeMutationDataSource": {
  "Type": "AWS::AppSync::DataSource",
  "Properties": {
    "ApiId": "f353mqkxyzcgncck6xqbtdlboe",
    "DynamoDBConfig": {
      "AwsRegion": "eu-west-1",
      "TableName": "Likes-f353mqkxyzcgncck6xqbtdlboe-dev"
    },
    "Name": "LikeMutation",
    "ServiceRoleArn": {
      "Fn::GetAtt": [
        "LikeMutationRoleMine",
        "Arn"
      ]
    },
    "Type": "AMAZON_DYNAMODB"
  }
},
"LikeMutationRoleMine": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "appsync.amazonaws.com"
          }
        }
      ],
      "Version": "2012-10-17"
    },
    "RoleName": "LikeMutationRoleMine"
  }
},
"LikeMutationPolicyMine": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "dynamodb:PutItem",
          "Resource": [
            "arn:aws:dynamodb:eu-west-1:043166218277:table/Likes-f353mqkxyzcgncck6xqbtdlboe-dev",
            "arn:aws:dynamodb:eu-west-1:043166218277:table/Likes-f353mqkxyzcgncck6xqbtdlboe-dev/*"
          ]
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": "dynamodb:UpdateItem",
          "Resource": [
            "arn:aws:dynamodb:eu-west-1:043166218277:table/User-f353mqkxyzcgncck6xqbtdlboe-dev",
            "arn:aws:dynamodb:eu-west-1:043166218277:table/Post-f353mqkxyzcgncck6xqbtdlboe-dev",
            "arn:aws:dynamodb:eu-west-1:043166218277:table/Post-f353mqkxyzcgncck6xqbtdlboe-dev/*",
            "arn:aws:dynamodb:eu-west-1:043166218277:table/User-f353mqkxyzcgncck6xqbtdlboe-dev/*"
          ]
        }
      ],
      "Version": "2012-10-17"
    },
    "PolicyName": "LikeMutationPolicyMine",
    "Roles": [
      {
        "Ref": "LikeMutationRoleMine"
      }
    ]
  }
}
Help me to implement this DataSource with amplify.
I've been looking for a solution for two days!
Thank you all
I am trying to create a DDB policy whereby the Cognito user id (sub) should be equal to the DynamoDB table name. The table name in DDB is the user's id (sub).
So the policy should limit access to the user's table for that user only.
Below is a pseudo policy I have created.
What is unclear to me is how do I specify that the user id ( sub ) should be equal to the DDB table name ?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "xxxxxxxxxxxxxx",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": [ "arn:aws:dynamodb:<REGION>:<ACCOUNT_ID>:table/<${www.amazon.com:user_id}>" ]
    }
  ]
}
DDB TABLE NAME SHOULD MATCH USER ID HERE: ${www.amazon.com:user_id}
Unfortunately you cannot currently do it with DynamoDB. This is because the table resource for DynamoDB does not support any condition keys (see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html#amazondynamodb-resources-for-iam-policies).
The only thing you could possibly do is to limit access per leading key using the dynamodb:LeadingKeys condition. This again would only work for the Query action. It does not work on Scan (obviously). Your policy would then look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      "Resource": ["arn:aws:dynamodb:*:*:table/MyTable"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}
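To see what the LeadingKeys statement above actually blocks, here is an added example (not code from the answer, and a deliberate simplification of IAM's evaluator) that expands the `${cognito-identity.amazonaws.com:sub}` variable from a request context and applies the `ForAllValues:StringEquals` operator exactly as IAM does: every partition-key value in the request must equal the caller's sub, and a request that carries no `dynamodb:LeadingKeys` key at all (a Scan) makes the condition true. That last rule is why the answer leaves `dynamodb:Scan` out of the Action list. The identity IDs and table ARN are constructed placeholders.

```python
"""Added example, not from the answer above: a small model of how IAM evaluates
the LeadingKeys statement. Simplified on purpose: exact action names, '*'
globbing for Resource, and only the ForAllValues:StringEquals operator.
The identity IDs and table ARN are constructed placeholders."""
import copy
import re
from fnmatch import fnmatchcase

# The answer's policy, as posted.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": ["arn:aws:dynamodb:*:*:table/MyTable"],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
            }
        },
    }],
}

ALICE = "eu-west-1:11111111-2222-3333-4444-555555555555"  # constructed identity ID
BOB = "eu-west-1:66666666-7777-8888-9999-000000000000"    # constructed identity ID
TABLE = "arn:aws:dynamodb:eu-west-1:123456789012:table/MyTable"  # constructed ARN

VAR_RE = re.compile(r"\$\{([^}]+)\}")


def as_list(value):
    return value if isinstance(value, list) else [value]


def substitute_variables(value, context):
    """Expand ${key} policy variables from the request context; unknown keys stay as-is."""
    return VAR_RE.sub(lambda m: context.get(m.group(1), m.group(0)), value)


def for_all_values_string_equals(allowed, request_values):
    """IAM semantics: every request value must be in the policy's set, and a key
    that is absent from the request context makes the condition TRUE."""
    if not request_values:
        return True
    return all(v in allowed for v in request_values)


def statement_allows(stmt, action, resource, context):
    """True if this Allow statement matches the action, the resource and every condition."""
    if stmt.get("Effect") != "Allow" or action not in as_list(stmt["Action"]):
        return False
    if not any(fnmatchcase(resource, pattern) for pattern in as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "ForAllValues:StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, values in keys.items():
            allowed = {substitute_variables(v, context) for v in as_list(values)}
            if not for_all_values_string_equals(allowed, context.get(key)):
                return False
    return True


def is_allowed(policy, action, resource, context):
    return any(statement_allows(s, action, resource, context) for s in policy["Statement"])


def query_context(sub, partition_keys):
    """Context IAM builds for GetItem/Query: the caller's sub plus the partition-key
    values the request touches (dynamodb:LeadingKeys)."""
    return {"cognito-identity.amazonaws.com:sub": sub, "dynamodb:LeadingKeys": partition_keys}


def scan_context(sub):
    """A Scan carries no dynamodb:LeadingKeys key at all."""
    return {"cognito-identity.amazonaws.com:sub": sub}


def with_scan(policy):
    """The same policy with dynamodb:Scan added, to show why the answer leaves it out."""
    widened = copy.deepcopy(policy)
    widened["Statement"][0]["Action"] = widened["Statement"][0]["Action"] + ["dynamodb:Scan"]
    return widened


if __name__ == "__main__":
    print(is_allowed(ANSWER_POLICY, "dynamodb:Query", TABLE, query_context(ALICE, [ALICE])))  # True
    print(is_allowed(ANSWER_POLICY, "dynamodb:Query", TABLE, query_context(ALICE, [BOB])))    # False
    print(is_allowed(ANSWER_POLICY, "dynamodb:Scan", TABLE, scan_context(ALICE)))             # False
    print(is_allowed(with_scan(ANSWER_POLICY), "dynamodb:Scan", TABLE, scan_context(ALICE)))  # True
```

The last case is the one to remember: adding Scan to an Allow statement guarded by `ForAllValues` does not give the user "their own rows", it gives them the whole table, because the condition key is simply missing from a Scan request.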
I have an AWS ECS EC2 instance in one account and it is trying to access the DynamoDB tables in another AWS account. I am not using any AWS access key and ID; instead I am using an AWS IAM role attached to the EC2 instance.
This is a .net project and my appsettings.Staging.json is this.
{
  "aws": {
    "region": "ap-southeast-1"
  },
  "DynamoDbTables": {
    "BenefitCategory": "stag_table1",
    "Benefit": "stag_table2"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  }
}
Here is my inline policy attached to the "ecsInstanceRole".
"xxxxxxxxxxxxx" is the AWS account in which the DynamoDB tables reside.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:DescribeTable",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteTable",
        "dynamodb:UpdateTable",
        "dynamodb:GetRecords"
      ],
      "Resource": [
        "arn:aws:dynamodb:ap-southeast-1:xxxxxxxxxxx:table/stag_table1",
        "arn:aws:dynamodb:ap-southeast-1:xxxxxxxxxxx:table/stag_table2"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListGlobalTables",
        "dynamodb:ListTables"
      ],
      "Resource": "*"
    }
  ]
}
In this setup the API is trying to connect to the table in the same account. I have added the other AWS account as a trusted entity in the role ecsInstanceRole, but it is still not working.
Is there any way the AWS SDK or the ECS/EC2 instance can automatically find the DynamoDB table in the other AWS account?
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
A role policy for EC2 will be needed in both accounts, and a trust policy allowing the EC2 service to assume those roles. The role policy in the Destination account will have to give IAM permissions to the DynamoDB table.
Then the Source EC2 instance will have to assume that role to get access to the table.
Grant the EC2 Server access to assume the role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "abcdTrustPolicy",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/NAME_A"}
    }
  ]
}
Allowing NAME_A Instance Profile Role to Switch to a Role in Another Account
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowToAssumeCrossAccountRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::DESTINATION_ACCOUNT_ID:role/ACCESS_DYNAMODB"
    }
  ]
}
Role granting access to DynamoDB named ACCESS_DYNAMODB
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDDBActions",
      "Effect": "Allow",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": "*"
    }
  ]
}
Trust policy in Destination
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DestinationTrustPolicy",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"Service": "ec2.amazonaws.com"}
    }
  ]
}
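The answer above describes two halves that have to agree: the instance role in the source account must be allowed to call `sts:AssumeRole` on the destination role, and the destination role's trust policy must name that instance role (or its account) as a principal. When either half is missing, AssumeRole fails and, as in the question, the SDK silently keeps using the instance role and looks for the table in the wrong account. The following is an added example (not code from the answer, not an AWS library) that checks that wiring offline and then performs the hop with boto3 on the instance. The account IDs and role ARNs are constructed placeholders; the two policies are the answer's first two, with those placeholders filled in.

```python
"""Added example, not from the answer above: the cross-account hop in Python.
check_cross_account_wiring() verifies offline that the source role's permission
policy and the destination role's trust policy point at each other;
dynamodb_client_in_other_account() performs the AssumeRole hop on the instance.
All ARNs and account IDs are constructed placeholders."""

SOURCE_ROLE_ARN = "arn:aws:iam::111111111111:role/ecsInstanceRole"   # constructed
DEST_ROLE_ARN = "arn:aws:iam::222222222222:role/ACCESS_DYNAMODB"     # constructed

# Permission policy attached to the source (instance profile) role.
SOURCE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowToAssumeCrossAccountRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": DEST_ROLE_ARN,
    }],
}

# Trust policy on the destination role.
DEST_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "abcdTrustPolicy",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": SOURCE_ROLE_ARN},
    }],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_cross_account_wiring(source_role_arn, source_policy, dest_role_arn, dest_trust):
    """Return a list of problems; an empty list means both halves agree."""
    problems = []

    # Half 1: the source role may call sts:AssumeRole on exactly the destination role.
    can_assume = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in as_list(s.get("Action", []))
        and dest_role_arn in as_list(s.get("Resource", []))
        for s in source_policy["Statement"]
    )
    if not can_assume:
        problems.append(f"source role lacks sts:AssumeRole on {dest_role_arn}")

    # Half 2: the destination trust policy names the source role or its account root.
    trusted = set()
    for s in dest_trust["Statement"]:
        principal = s.get("Principal", {})
        if (s.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(s.get("Action", []))
                and isinstance(principal, dict)):
            trusted.update(as_list(principal.get("AWS", [])))
    source_account = source_role_arn.split(":")[4]
    if source_role_arn not in trusted and f"arn:aws:iam::{source_account}:root" not in trusted:
        problems.append(f"destination trust policy does not name {source_role_arn}")
    return problems


def dynamodb_client_in_other_account(dest_role_arn, region, session_name="ecs-app", external_id=None):
    """Run on the instance: boto3 picks up the instance-profile credentials on its
    own, uses them to call AssumeRole, and the returned temporary credentials are
    what the DynamoDB client signs with. Needs network, so not exercised offline."""
    import boto3  # imported here so the offline check above has no dependency on it

    sts = boto3.client("sts")
    params = {"RoleArn": dest_role_arn, "RoleSessionName": session_name}
    if external_id:
        params["ExternalId"] = external_id
    creds = sts.assume_role(**params)["Credentials"]
    return boto3.client(
        "dynamodb",
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    print(check_cross_account_wiring(SOURCE_ROLE_ARN, SOURCE_PERMISSION_POLICY,
                                     DEST_ROLE_ARN, DEST_TRUST_POLICY))  # []
```

The temporary credentials returned by AssumeRole expire (one hour by default), so a long-running service has to re-assume the role before they lapse rather than caching the client forever; in the AWS SDK for .NET the `AssumeRoleAWSCredentials` class does that refresh for you, and boto3's credential providers do the same if you configure the role in a profile with `role_arn` and `credential_source = Ec2InstanceMetadata`.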
I am trying to deploy my sampleApplication code via AWS CodeDeploy for Bitbucket.
I have used this tutorial and followed all the steps. The trust relationship for the role is like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountId:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "connectionId"
        }
      }
    }
  ]
}
and while I am creating a deployment group I get a 'can't assume role' error when I select the above role as Service role ARN*.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
But when I add the above trust relationship I can create the deployment group, but then the AWS integration on Bitbucket doesn't work and throws an error telling me to add sufficient permissions.
Neither of your posted roles has given permission to CodeCommit or S3.
As per the tutorial you linked, you must provide access to CodeCommit and S3. These are likely the permissions you are missing:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:PutObject"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["codedeploy:*"],
      "Resource": "*"
    }
  ]
}
I have a 3-node cluster with SX running on Ubuntu v14.04.5 LTS with ports 80 & 443 and Libres3 running on the same servers with ports 8008 & 8443.
libres3 1.3-1-1~wheezy
sx 2.1-1-1~wheezy
s3cmd info s3://test-dev
s3://test-dev/ (bucket):
   Location:  us-east-1
   Payer:     BucketOwner
   Expiration Rule: none
   policy:    {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::test-dev/"
       }
     ]
   }
   cors:      OptionPUTPOSTGETHEAD3000*
   ACL:       admin: FULL_CONTROL
   ACL:       test: FULL_CONTROL
I'm trying to put files from a Meteor application using the Slingshot package: https://github.com/CulturalMe/meteor-slingshot
but getting
'Access Denied':
"Sep 6 11:10:46: main: Replying with code 403: Access Denied libres3_1ff0aa644987498111ea4c91bca7b532_13817_587_1473174646.21 AccessDenied"
I can use S3 Browser and Cloudberry Explorer with the same credentials and access the buckets no problem.
Any thoughts or directions to solve putting files from the web?
Thanks,
-Matt
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::test-dev/*"
    }
  ]
}
You need to add "*" after "test-dev/".