ADO.NET Provider for Amazon DynamoDB

Build 24.0.9060

Minimum IAM Requirements

We recommend using predefined roles for services rather than creating custom IAM policies. Predefined roles for Amazon DynamoDB are

  • AmazonDynamoDBReadOnlyAccess-grants read-only access to DynamoDB resources through the AWS Management Console.
  • AmazonDynamoDBFullAccess-grants full access to DynamoDB resources through the AWS Management Console.
If you want to create custom polices, use the roles described in the table below. Note that the specific policies required by the Amazon DynamoDB driver are subject to change in future releases. Amazon DynamoDB requires at a mininum the following permissions:

IAM RoleDescription
dynamodb:ListTablesRequired for getting a list of your DynamoDB tables. Used during metadata retrieval to dynamically determine the list of your tables. Note that this action does not support resource-level permissions and requires you to choose All resources (hence the * for "Resource").
In other words, the action dynamodb:ListTables needs a * Resource, and the other actions can be given permission to all the tables arn:aws:dynamodb:us-east-1:987654321098:table/* or to a list of specific tables:
          "Resource": [
              "arn:aws:dynamodb:us-east-1:987654321098:table/Customers",
              "arn:aws:dynamodb:us-east-1:987654321098:table/Orders"
          ]
dynamodb:DescribeTableRequired for getting metadata about the selected table. Used during table metadata retrieval to dynamically determine the list of the columns. This action supports resource-level permissions, so you can specify the tables you want to get the metadata from. For example, for the table Customers and Orders in the region Northern Virginia us-east-1, for account 987654321098:
      {
          "Effect": "Allow",
          "Action": [
              "dynamodb:DescribeTable"
          ],
          "Resource": [
              "arn:aws:dynamodb:us-east-1:987654321098:table/Customers",
              "arn:aws:dynamodb:us-east-1:987654321098:table/Orders"
          ]
      }

To give permissions to all the tables in the region you specified in the connection property AWSRegion, use an * instead of the table name:
"Resource": "arn:aws:dynamodb:us-east-1:987654321098:table/*"
dynamodb:ScanRequired for getting one or more items by accessing every item in the table. Used for most of the SELECT queries, for example, SELECT * FROM [Customers]. This action supports resource-level permissions, so you can specify the tables you want to get data from, similar to dynamodb:DescribeTable.
dynamodb:PartiQLSelectRequired for getting specific items from a table when using SELECT queries and filtering by the primary key column, for example, SELECT * FROM [Customers] WHERE id=1234. This action supports resource-level permissions, so you can specify the tables you want to get data from, similar to dynamodb:DescribeTable.
dynamodb:PartiQLInsertRequired for inserting data to a table. This action supports resource-level permissions, so you can specify the tables you want to insert data to, similar to dynamodb:DescribeTable.
dynamodb:PartiQLUpdateRequired for modifying data in a table. This action supports resource-level permissions, so you can specify the tables you want to modify data on, similar to dynamodb:DescribeTable.
dynamodb:PartiQLDeleteRequired for deleting data from a table. This action supports resource-level permissions, so you can specify the tables you want to delete data from, similar to dynamodb:DescribeTable.
dynamodb:CreateTableRequired for creating a table. This action supports resource-level permissions, so you can specify the table names you can create.

Copyright (c) 2024 CData Software, Inc. - All rights reserved.
Build 24.0.9060