diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts index 56d3b32d59241..98fbf49c04bcc 100644 --- a/packages/@aws-cdk/aws-dynamodb/lib/table.ts +++ b/packages/@aws-cdk/aws-dynamodb/lib/table.ts @@ -219,6 +219,22 @@ export interface ITable extends IResource { */ readonly tableStreamArn?: string; + /** + * Adds an IAM policy statement associated with this table to an IAM + * principal's policy. + * @param grantee The principal (no-op if undefined) + * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...) + */ + grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; + + /** + * Adds an IAM policy statement associated with this table's stream to an + * IAM principal's policy. + * @param grantee The principal (no-op if undefined) + * @param actions The set of actions to allow (i.e. "dynamodb:DescribeStream", "dynamodb:GetRecords", ...) + */ + grantStream(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; + /** * Permits an IAM principal all data read operations from this table: * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan. @@ -256,6 +272,12 @@ export interface ITable extends IResource { */ grantReadWriteData(grantee: iam.IGrantable): iam.Grant; + /** + * Permits all DynamoDB operations ("dynamodb:*") to an IAM principal. + * @param grantee The principal to grant access to + */ + grantFullAccess(grantee: iam.IGrantable): iam.Grant; + /** * Metric for the number of Errors executing all Lambdas */ diff --git a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts index 4789564360e56..6575affc93740 100644 --- a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts +++ b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts @@ -1359,6 +1359,59 @@ describe('grants', () => { 'Users': [{ 'Ref': 'user2C2B57AE' }], }); }); + + test('grant for an imported table', () => { + // GIVEN + const stack = new Stack(); + const table = Table.fromTableName(stack, 'MyTable', 'my-table'); + const user = new iam.User(stack, 'user'); + + // WHEN + table.grant(user, 'dynamodb:*'); + + // THEN + expect(stack).toHaveResource('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'dynamodb:*', + Effect: 'Allow', + Resource: [ + { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':dynamodb:', + { + Ref: 'AWS::Region', + }, + ':', + { + Ref: 'AWS::AccountId', + }, + ':table/my-table', + ], + ], + }, + { + Ref: 'AWS::NoValue', + }, + ], + }, + ], + Version: '2012-10-17', + }, + Users: [ + { + Ref: 'user2C2B57AE', + }, + ], + }); + }); }); describe('secondary indexes', () => {