将策略附加到 DynamoDB 现有表
您可以使用 DynamoDB 控制台、PutResourcePolicy API、Amazon CLI、Amazon SDK 或 Amazon CloudFormation 模板将基于资源的策略附加到现有表或修改现有策略。
以下 IAM 策略示例使用 put-resource-policy
Amazon CLI 命令将基于资源的策略附加到现有表。此示例允许用户 John
对名为 MusicCollection
的现有表执行 GetItem、PutItem、UpdateItem 和 UpdateTable API 操作。
切记用特定资源信息替换斜体
文本。
aws dynamodb put-resource-policy \ --resource-arn arn:aws:dynamodb:us-west-2:
123456789012
:table/MusicCollection
\ --policy \ "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333
:user/John
\" }, \"Action\": [ \"dynamodb:GetItem\", \"dynamodb:PutItem\", \"dynamodb:UpdateItem\", \"dynamodb:UpdateTable\" ], \"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012
:table/MusicCollection
\" } ] }"
要有条件地更新表现有的基于资源的策略,可以使用可选 expected-revision-id
参数。以下示例仅当策略存在于 DynamoDB 中且其当前修订版 ID 与提供的 expected-revision-id
参数相匹配时,才会更新该策略。
aws dynamodb put-resource-policy \ --resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/
MusicCollection
\ --expected-revision-id 1709841168699 \ --policy \ "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:user/John
\" }, \"Action\": [ \"dynamodb:GetItem\", \"dynamodb:UpdateItem\", \"dynamodb:UpdateTable\" ], \"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection
\" } ] }"
登录 Amazon Web Services Management Console,并打开 DynamoDB 控制台:https://console.aws.amazon.com/dynamodb/
。 -
在控制面板中,选择现有表。
-
导航到权限选项卡,然后选择创建表策略。
-
在基于资源的策略编辑器中,添加要附加的策略,然后选择创建策略。
以下 IAM 策略示例允许用户
John
对名为MusicCollection
的现有表执行 GetItem、PutItem、UpdateItem 和 UpdateTable API 操作。切记用特定资源信息替换
斜体
文本。{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
111122223333
:user/John
" }, "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:UpdateTable" ], "Resource": "arn:aws:dynamodb:us-west-2:123456789012
:table/MusicCollection
" } ] }
以下 IAM 策略示例使用 putResourcePolicy
方法将基于资源的策略附加到现有表。此策略允许用户对现有表执行 GetItem API 操作。
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.dynamodb.DynamoDbClient; import software.amazon.awssdk.services.dynamodb.model.DynamoDbException; import software.amazon.awssdk.services.dynamodb.model.PutResourcePolicyRequest; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * Get started with the Amazon SDK for Java 2.x */ public class PutResourcePolicy { public static void main(String[] args) { final String usage = """ Usage: <tableArn> <allowedAWSPrincipal> Where: tableArn - The Amazon DynamoDB table ARN to attach the policy to. For example, arn:aws:dynamodb:us-west-2:
123456789012
:table/MusicCollection
. allowedAmazonPrincipal - Allowed Amazon principal ARN that the example policy will give access to. For example, arn:aws:iam::123456789012
:user/John
. """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String tableArn = args[0]; String allowedAWSPrincipal = args[1]; System.out.println("Attaching a resource-based policy to the Amazon DynamoDB table with ARN " + tableArn); Region region = Region.US_WEST_2; DynamoDbClient ddb = DynamoDbClient.builder() .region(region) .build(); String result = putResourcePolicy(ddb, tableArn, allowedAWSPrincipal); System.out.println("Revision ID for the attached policy is " + result); ddb.close(); } public static String putResourcePolicy(DynamoDbClient ddb, String tableArn, String allowedAWSPrincipal) { String policy = generatePolicy(tableArn, allowedAWSPrincipal); PutResourcePolicyRequest request = PutResourcePolicyRequest.builder() .policy(policy) .resourceArn(tableArn) .build(); try { return ddb.putResourcePolicy(request).revisionId(); } catch (DynamoDbException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } private static String generatePolicy(String tableArn, String allowedAWSPrincipal) { return "{\n" + " \"Version\": \"2012-10-17\",\n" + " \"Statement\": [\n" + " {\n" + " \"Effect\": \"Allow\",\n" + " \"Principal\": {\"AWS\":\"" + allowedAWSPrincipal + "\"},\n" + " \"Action\": [\n" + " \"dynamodb:GetItem\"\n" + " ],\n" + " \"Resource\": \"" + tableArn + "\"\n" + " }\n" + " ]\n" + "}"; } }