amazon web services - AWS IAM -- Using conditionals -


i new iam in aws. and, desire restrict query various users table entries primary key matches cognito id. achieve this, created policy:

{ "version": "2012-10-17", "statement": [     {         "sid": "allowaccesstoonlyitemsmatchinguserid",         "effect": "allow",         "action": [             "dynamodb:getitem",             "dynamodb:batchgetitem",             "dynamodb:query",             "dynamodb:putitem",             "dynamodb:updateitem",             "dynamodb:deleteitem",             "dynamodb:batchwriteitem"         ],         "resource": [             "arn:aws:dynamodb:us-east-1:xxxxxxxxxxx:table/user"         ],         "condition": {             "forallvalues:stringequals": {                 "dynamodb:leadingkeys": [                     "${cognito-identity.amazonaws.com:sub}"                 ]             }         }     } ]

}

but, when querying table using postman shown below:
enter image description here

i getting following error:

"__type": "com.amazon.coral.service#accessdeniedexception",   "message": "user: arn:aws:sts::xxxxxxxxxxxxx:assumed-role/achintest/backplaneassumerolesession not authorized perform: dynamodb:query on resource: arn:aws:dynamodb:us-east-1:xxxxxxxxxxxxx:table/user"

can please let me know mistake doing?

======== update ========

i tried using policy sim, , unable understand why query without leadingkey shown in pic below allowed.

enter image description here

and when provide leading key, says denied. see below pic:

enter image description here

it might depend on request you're issuing. iam policy using forallvalues takes every key of request consideration. policy may return false if key in request not match condition value in result.

try using foranyvalue , might trick.

see here more info.


-

Comments

Post a Comment

Popular posts from this blog

java - SSE Emitter : Manage timeouts and complete() -

i writing web app multiple listeners(evcentsource sse clients js) connected server . want store sse emitter per connected listener : can done in memory or other means assigning id each client able achieve far now question ; how send response/event specific client connected web app ? while doing sseemmiters stored either getting completed or timed out. how prevent ? how keep sseemmiter available open infinite time (till client closes) , send events selectively .
Read more

jquery - uncaught exception: DataTables Editor - remote hosting of code not allowed -

i'm trying implement crud operation using datatableseditor using datatables.but i'm getting error messages: 1)uncaught exception: datatables editor - remote hosting of code not allowed. please see http://editor.datatables.net details on how purchase editor license 2)typeerror: a.editor undefined 3) $.fn.datatable.editor not constructor" what reason? here configuration: <%@ page language="java" contenttype="text/html; charset=iso-8859-1" pageencoding="iso-8859-1"%> <!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <title>insert title here</title> <link rel="stylesheet" type="text/css" href="//cdn.datatables.net/1.10.12/css/jquery.datatables.min.css"> <link re...
Read more

java - How to resolve error - package com.squareup.okhttp3 doesn't exist? -

i trying convert json java object use of gson in maven, following youtube video guidance - https://www.youtube.com/watch?v=vqgghm9pwe0 , theres error occurs when in main class error - package com.squareup.okhttp3 doesn't exist. code below: java package com.codebeasty.json; import com.squareup.okhttp3.okhttpclient; public class main { private static okhttpclient client = new okhttpclient(); public static void main (string [] args) { } } i put in dependency in pom.xml: <dependencies> <dependency> <groupid>com.squareup.okhttp3</groupid> <artifactid>okhttp</artifactid> <version>3.4.2</version> </dependency> <dependency> <groupid>com.google.code.gson</groupid> <artifactid>gson</artifactid> <version>2.8.0</version> </dependency> </dependencies> i dont understand why doesn't recognize com.squareup. there may need download? have downl...
Read more