From e124c3a3e4e14fb744395157369535b6cf147c72 Mon Sep 17 00:00:00 2001
From: Darwin Chowdary <39110935+imabhichow@users.noreply.github.com>
Date: Fri, 27 Jun 2025 15:39:18 -0700
Subject: [PATCH] chore(cfn): add DescribeTable permission for legacy DDBEC support
---
 cfn/CI.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cfn/CI.yaml b/cfn/CI.yaml
index 3e7856fa8..a9d29a8a7 100644
--- a/cfn/CI.yaml
+++ b/cfn/CI.yaml
@@ -271,6 +271,13 @@ Resources:
 - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${SearchTestJavaTableName}/index/*"
 - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${SearchTestDotnetTableName}"
 - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${SearchTestDotnetTableName}/index/*"
+ # See: https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/python-using.html#python-helpers
+ # To use the client helper classes in DDBEC, the caller must have permission to call the DynamoDB DescribeTable operation on the target table.
+ - Effect: Allow
+ Action:
+ - dynamodb:DescribeTable
+ Resource:
+ - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"
 KMSUsage:
 Type: "AWS::IAM::ManagedPolicy"
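Review bot: The new `dynamodb:DescribeTable` statement carries its rationale only in YAML comments, which do not survive into the deployed IAM policy, so anyone auditing the managed policy in the account sees an extra statement with no stated purpose. Adding a statement ID, e.g. `Sid: DescribeTableForLegacyDDBEC`, would keep the purpose visible there. The grant is scoped to the single `${TableName}` ARN, which is the right least-privilege shape; if the legacy DDBEC helpers are also run against the SearchTest tables listed in the statement above, those calls would presumably be denied, so confirm which tables the tests touch before widening anything. The enclosing policy and the preceding statement's `Action` list start outside the hunk, so whether `DescribeTable` is already granted there cannot be checked from here.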