Description
Describe the bug
Related to 1540, but with a new caveat. There was previously a bug with granting constructs access to a table, where the policy it created would not grant access to any secondary indexes. This was addressed in PR 1564. Notably, I think this was before TableV2 was introduced.
However I have just found that, when importing with cdk.aws_dynamodb.TableV2.fromTableArn, grantFullAccess still does not give adequate permissions for indexes in that case.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
No response
Expected Behavior
grantFullAccess should grant access to any indexes of the table.
Current Behavior
grantFullAccess does not grant access to any indexes of the table.
Reproduction Steps
1: Create a table with an index in AWS.
2: Import the table into a construct with fromTableArn
3: Do grantFullAccess to a lambda
4: Try to access the index from the lambda - this will fail due to inadequate permissions.
Possible Solution
I presume either:
1 - The ITableV2 created by fromTableArn may not be aware of the indexes on the imported table, so did not add permissions for them.
2 - Since TableV2 is newer than the fix, this may have been a regression. However I have not tested a v1 ITable so I can't confirm this.
Additional Information/Context
The table I imported where I discovered this is a couple of years old, and was originally created in AWS SAM, but that should not prevent this from working.
CDK CLI Version
2.1005.0 (build be378de)
Framework Version
2.181.1
Node.js Version
v20.15.1
OS
Ubuntu 24.04
Language
TypeScript
Language Version
5.6.3
Other information
This is the policy that was added:
{
  "Action": "dynamodb:*",
  "Resource": "arn:aws:dynamodb:eu-west-1:[account]:table/[mytablename]",
  "Effect": "Allow"
}
Notably lacking any permissions for /index
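
The gap reported above can be checked on a synthesized policy before deploying. The following is an added example, not part of the original issue or of the CDK code base: it applies IAM-style wildcard matching to statements shaped like the one quoted and lists the index ARNs a Query would be denied on. The account ID, table name and index names are constructed, and Deny statements, conditions and NotAction/NotResource are not evaluated.

```typescript
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

const asArray = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM wildcard matching: "*" matches any run of characters, "?" exactly one.
function iamMatch(pattern: string, value: string, ignoreCase = false): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters except * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "").test(value);
}

// True when some Allow statement covers both the action and the resource.
// Action names are matched case-insensitively, resource ARNs case-sensitively.
function allows(statements: Statement[], action: string, resource: string): boolean {
  return statements.some(
    (s) =>
      s.Effect === "Allow" &&
      asArray(s.Action).some((a) => iamMatch(a, action, true)) &&
      asArray(s.Resource).some((r) => iamMatch(r, resource))
  );
}

// Returns the index ARNs on which dynamodb:Query is not allowed.
function uncoveredIndexes(statements: Statement[], tableArn: string, indexNames: string[]): string[] {
  return indexNames
    .map((name) => `${tableArn}/index/${name}`)
    .filter((arn) => !allows(statements, "dynamodb:Query", arn));
}

const tableArn = "arn:aws:dynamodb:eu-west-1:111122223333:table/ExampleTable"; // constructed
const indexes = ["byOwner", "byDate"]; // hypothetical index names

// Same shape as the statement in the issue: the table ARN only.
const asReported: Statement[] = [{ Effect: "Allow", Action: "dynamodb:*", Resource: tableArn }];
// A statement that also names the table's indexes.
const withIndexes: Statement[] = [
  { Effect: "Allow", Action: "dynamodb:*", Resource: [tableArn, `${tableArn}/index/*`] },
];

console.log("table ARN only:", uncoveredIndexes(asReported, tableArn, indexes));
console.log("with /index/*:", uncoveredIndexes(withIndexes, tableArn, indexes));
```
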