aws_dynamodb: `grant*Data()` should include the `dynamodb:DescribeTable` permission

[jusdino]

Description

Table should have a grant* method that grants dynamodb:DescribeTable.

Use Case

I recently encountered a case where I need a lambda to inspect the key schema for the table it is putting items to, but it had AccessDenied when attempting to do so, with the stated error that it was not authorized to perform dynamodb:DescribeTable.

Proposed Solution

I'm thinking it is reasonable to add dynamodb:DescribeTable to the grantReadWriteData() method and I'm happy to work up a pull request to do so. Alternately, I can add a grantDescribeTable() or something along those lines, if that is your preference. I would just start with a pull request but I'm not sure what direction you would prefer me to go, especially since this change would add an action to existing resources - not sure if that counts as breaking or not.

Other information

No response

Acknowledge

• I may be able to implement this feature request
• This feature might incur a breaking change

[skinny85]

Hey @jusdino,

thanks so much for opening the issue, and for your willingness to create a PR for this!

This is definitely an interesting case! I think adding 'dynamodb:DescribeTable' to the collection of read permissions given by grantReadData() is actually not a great idea - I feel like it's not a "data" permission per se, so doesn't really fit that well in my mind.

What do you think about creating a new method, grantRead() (no "data"), which, at first, grants only 'dynamodb:DescribeTable'? We can extend that set with time as we see fit.

Let me know what you think!

Thanks,
Adam

Edit: I've changed my mind on this. Let's add dynamodb:DescribeTable to all of the grant*Data() methods. See #18773 (comment).

[jusdino]

Definitely. I'll work that up soon as I can. Thanks for the quick response!

[chris-smith-zocdoc]

@skinny85 I'd like to make the argument that dynamodb:DescribeTable should be added to all of the data grant functions

grantReadWriteData
grantReadData
grantWriteData

because dynamodb:DescribeTable is used by the HigherLevel DDB client in both .net and java

This means applications that use the high level client need to have two lines in their cdk application instead of one.

myTable.grantReadWriteData(myEcsTaskRole);
myTable.grant(myEcsTaskRole, 'dynamodb:DescribeTable');

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HigherLevelInterfaces.html

pseudo .net code that results in an access error because dynamodb:DescribeTable is missing

var client = new AmazonDynamoDBClient(...);
var context = new DynamoDBContext(client, new DynamoDBContextConfig { 
    ...
});

var item = await context.LoadAsync<MyItem>("my-key");

[skinny85]

Yes, I agree @chris-smith-zocdoc. I'll update the issue title to reflect that.