AWS CDK setup appsync with dynamodb table permissions

余生长醉 提交于 2021-02-11 06:18:26

问题


I am using the new higher level GraphqlAPI class instead of the lower level constructs to create my Appsync api and connect it to a table.

this.api = new GraphqlApi(...);

The new GraphqlApi instance allows you to simply add datasources:

this.api.addDynamoDbDataSource('name', tableRef);

If you look at the example code at https://docs.aws.amazon.com/cdk/api/latest/docs/aws-appsync-readme.html, I notice that they do not create a role to grant permission for Appsync to access the table:

const itemsTableRole = new Role(this, 'ItemsDynamoDBRole', {
      assumedBy: new ServicePrincipal('appsync.amazonaws.com')
});

This snippet I got from this example: https://github.com/aws-samples/aws-cdk-examples/blob/master/typescript/appsync-graphql-dynamodb/index.ts

In that example they still use the CfnGraphQLApi construct. So there they are adding the role and the are adding a policy to the role for a table with permission to do specific actions. Which makes sense.

So my question is, when using the GrahpQl class, if I don't add a Role I can't execute my queries. And if I don't add permissions like:

this.appSyncRole.addToPolicy(new PolicyStatement({
        actions: ['dynamodb:*'],
        resources: [`${table.tableArn}/index/*`],
        effect: Effect.ALLOW
      }));

then I am getting an error like:

"message":"User: arn:aws:sts::[ACCOUNT]:assumed-role/[ROLENAME]/APPSYNC_ASSUME_ROLE is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb[REGION]:[ACCOUNT]:table/[TABLENAME]/index/byEmail 

So is this example for GrahpqlQl not complete or am I missing something else?

来源:https://stackoverflow.com/questions/64039735/aws-cdk-setup-appsync-with-dynamodb-table-permissions

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!