TableGrants

class aws_cdk.aws_dynamodb.TableGrants(*, table, encrypted_resource=None, has_index=None, policy_resource=None, regions=None)

Bases: object

A set of permissions to grant on a Table.

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import aws_dynamodb as dynamodb
from aws_cdk import aws_iam as iam
from aws_cdk.interfaces import aws_dynamodb as interfaces_aws_dynamodb

# encrypted_resource: iam.IEncryptedResource
# resource_with_policy_v2: iam.IResourceWithPolicyV2
# table_ref: interfaces_aws_dynamodb.ITableRef

table_grants = dynamodb.TableGrants(
    table=table_ref,

    # the properties below are optional
    encrypted_resource=encrypted_resource,
    has_index=False,
    policy_resource=resource_with_policy_v2,
    regions=["regions"]
)

Parameters:
  • table (ITableRef) – The table to grant permissions on.

  • encrypted_resource (Optional[IEncryptedResource]) – The encrypted resource on which actions will be allowed. Default: - No permission is added to the KMS key, even if it exists

  • has_index (Optional[bool]) – Whether this table has indexes. If so, permissions are granted on all table indexes as well. Default: false

  • policy_resource (Optional[IResourceWithPolicyV2]) – The resource with policy on which actions will be allowed. Default: - No resource policy is created

  • regions (Optional[Sequence[str]]) – Additional regions other than the main one that this table is replicated to. Default: - No regions

Methods

actions(grantee, *actions)

Adds an IAM policy statement associated with this table to an IAM principal’s policy.

If encryptionKey is present, appropriate grants to the key need to be added separately using the table.encryptionKey.grant* methods.

Parameters:
  • grantee (IGrantable) – The principal (no-op if undefined).

  • actions (str) – The set of actions to allow (e.g. “dynamodb:PutItem”, “dynamodb:GetItem”, …).

Return type:

Grant

full_access(grantee)

Permits all DynamoDB operations (“dynamodb:*”) to an IAM principal.

Appropriate grants will also be added to the customer-managed KMS key if one was configured.

Parameters:

grantee (IGrantable) – The principal to grant access to.

Return type:

Grant

read_data(grantee)

Permits an IAM principal all data read operations from this table: BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan, DescribeTable.

Appropriate grants will also be added to the customer-managed KMS key if one was configured.

Parameters:

grantee (IGrantable) – The principal to grant access to.

Return type:

Grant

read_write_data(grantee)

Permits an IAM principal all data read/write operations to this table: BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan, BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable.

Appropriate grants will also be added to the customer-managed KMS key if one was configured.

Parameters:

grantee (IGrantable) – The principal to grant access to.

Return type:

Grant

write_data(grantee)

Permits an IAM principal all data write operations to this table: BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable.

Appropriate grants will also be added to the customer-managed KMS key if one was configured.

Parameters:

grantee (IGrantable) – The principal to grant access to.

Return type:

Grant
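The action lists documented for read_data, write_data, read_write_data and full_access can serve as a least-privilege baseline when reviewing an IAM policy document. The following is an added example, not part of the CDK or of this page's generated code: it reports, per statement, the DynamoDB actions that go beyond what a chosen grant method lists. The names audit, excess_actions, dynamodb_actions and SAMPLE_POLICY are hypothetical, the policy and ARN are constructed, and treating this page's lists as the complete baseline is an assumption of the example.

```python
# Action names exactly as listed on this page, per TableGrants method.
READ = ["BatchGetItem", "GetRecords", "GetShardIterator", "Query",
        "GetItem", "Scan", "DescribeTable"]
WRITE = ["BatchWriteItem", "PutItem", "UpdateItem", "DeleteItem", "DescribeTable"]
DOCUMENTED = {"read_data": READ, "write_data": WRITE, "read_write_data": READ + WRITE}

def dynamodb_actions(statement):
    """Actions of an Allow statement that can reach DynamoDB (including a bare "*")."""
    if statement.get("Effect") != "Allow":
        return []
    actions = statement.get("Action", [])
    if isinstance(actions, str):  # IAM accepts a single string instead of a list
        actions = [actions]
    return [a for a in actions if a == "*" or a.lower().startswith("dynamodb:")]

def excess_actions(statement, grant):
    """Actions in the statement that the named grant method does not list."""
    if grant == "full_access":  # documented as dynamodb:*, so nothing exceeds it
        return []
    # IAM action names are case-insensitive, so compare in lower case.
    allowed = {f"dynamodb:{name}".lower() for name in DOCUMENTED[grant]}
    return sorted(a for a in dynamodb_actions(statement) if a.lower() not in allowed)

def audit(policy, grant):
    """Map statement index -> actions beyond what `grant` lists on this page."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    found = ((i, excess_actions(s, grant)) for i, s in enumerate(statements))
    return {i: extra for i, extra in found if extra}

# Constructed sample policy document; the ARN is a placeholder.
ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": ARN,
         "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:DescribeTable"]},
        {"Effect": "Allow", "Resource": ARN, "Action": ["dynamodb:Scan", "dynamodb:putitem"]},
        {"Effect": "Allow", "Resource": ARN, "Action": "dynamodb:*"},
        {"Effect": "Deny", "Resource": ARN, "Action": "dynamodb:DeleteItem"},
    ],
}

if __name__ == "__main__":
    print({g: audit(SAMPLE_POLICY, g) for g in ("read_data", "read_write_data")})
```

Any wildcard action is reported as excess unless the expected grant is full_access, so a statement that should have come from read_data but carries dynamodb:* shows up in the findings.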