Configure permissions to work with user-defined types (UDTs) in Amazon Keyspaces
Like tables, UDTs are bound to a specific keyspace. But unlike tables, you can't define permissions directly for types. Types are not considered resources in Amazon and they have no unique identifiers in the format of Amazon Resource Names (ARNs). Instead, to give an IAM principal permissions to perform specific actions on a type, you have to define permissions for the keyspace that the type is bound to.
To be able to create, view, or delete UDTs, the principal, for example the IAM user or role, needs permissions to perform the same action on the keyspace.
For more information about Amazon Identity and Access Management, see Amazon Identity and Access Management for Amazon Keyspaces.
Permissions to create a UDT
To create a UDT, the principal needs Create
permissions for the keyspace.
The following IAM policy is an example of this.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cassandra:Create", "Resource": [ "arn:aws:cassandra:
aws-region
:111122223333:/keyspace/my_keyspace
/" ] } ] }
Permissions to view a UDT
To view or list UDTs, the principal needs read permissions for the system keyspace. For more information, see system_schema_mcs.
The following IAM policy is an example of this.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"cassandra:Select", "Resource":[ "arn:aws:cassandra:
aws-region
:111122223333:/keyspace/system*" ] } ] }
Permissions to delete a UDT
To delete a UDT, the principal needs Drop
permissions for the keyspace.
The following IAM policy is an example of this.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cassandra:Drop", "Resource": [ "arn:aws:cassandra:
aws-region
:111122223333:/keyspace/my_keyspace
/" ] } ] }