將資源型政策連接至現有 DynamoDB 資料表
您可以使用 DynamoDB 主控台、PutResourcePolicy API、AWS CLI、AWS SDK 或 CloudFormation 範本,將資源型政策連接至現有資料表,或修改現有政策。
下列 IAM 政策範例使用 put-resource-policy AWS CLI 指令,將資源型政策連接至現有資料表。此範例允許使用者 John 對名為 MusicCollection 的現有資料表執行 GetItem、PutItem、UpdateItem 與 UpdateTable API 動作。
請以資源特定資訊取代斜體文字。
aws dynamodb put-resource-policy \ --resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection\ --policy \ "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:user/John\" }, \"Action\": [ \"dynamodb:GetItem\", \"dynamodb:PutItem\", \"dynamodb:UpdateItem\", \"dynamodb:UpdateTable\" ], \"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection\" } ] }"
若要有條件地更新資料表現有的資源型政策,您可以使用選用的 expected-revision-id 參數。下列範例僅當政策存在於 DynamoDB 且其目前修訂版 ID 符合提供的 expected-revision-id 參數時,才會更新政策。
aws dynamodb put-resource-policy \ --resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection\ --expected-revision-id 1709841168699 \ --policy \ "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:user/John\" }, \"Action\": [ \"dynamodb:GetItem\", \"dynamodb:UpdateItem\", \"dynamodb:UpdateTable\" ], \"Resource\": \"arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection\" } ] }"
登入 AWS 管理主控台,並在 https://console.aws.amazon.com/dynamodb/
開啟 DynamoDB 主控台。 -
在儀表板中選取現有資料表。
-
前往權限分頁,然後選取建立資料表政策。
-
在資源型政策編輯器中,新增要附加的政策,然後選取建立政策。
下列 IAM 政策範例允許使用者
John對名為MusicCollection的現有資料表執行 GetItem、PutItem、UpdateItem 與 UpdateTable API 動作。請以資源特定資訊取代
斜體文字。
下列 IAM 政策範例使用 putResourcePolicy 方法,將資源型政策附加到現有資料表。此政策允許使用者在現有資料表上執行 GetItem API 操作。
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.dynamodb.DynamoDbClient; import software.amazon.awssdk.services.dynamodb.model.DynamoDbException; import software.amazon.awssdk.services.dynamodb.model.PutResourcePolicyRequest; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * Get started with the AWS SDK for Java 2.x */ public class PutResourcePolicy { public static void main(String[] args) { final String usage = """ Usage: <tableArn> <allowedAWSPrincipal> Where: tableArn - The Amazon DynamoDB table ARN to attach the policy to. For example, arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection. allowedAWSPrincipal - Allowed AWS principal ARN that the example policy will give access to. For example, arn:aws:iam::123456789012:user/John. """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String tableArn = args[0]; String allowedAWSPrincipal = args[1]; System.out.println("Attaching a resource-based policy to the Amazon DynamoDB table with ARN " + tableArn); Region region = Region.US_WEST_2; DynamoDbClient ddb = DynamoDbClient.builder() .region(region) .build(); String result = putResourcePolicy(ddb, tableArn, allowedAWSPrincipal); System.out.println("Revision ID for the attached policy is " + result); ddb.close(); } public static String putResourcePolicy(DynamoDbClient ddb, String tableArn, String allowedAWSPrincipal) { String policy = generatePolicy(tableArn, allowedAWSPrincipal); PutResourcePolicyRequest request = PutResourcePolicyRequest.builder() .policy(policy) .resourceArn(tableArn) .build(); try { return ddb.putResourcePolicy(request).revisionId(); } catch (DynamoDbException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } private static String generatePolicy(String tableArn, String allowedAWSPrincipal) { return "{\n" + " \"Version\": \"2012-10-17\",\n" + " \"Statement\": [\n" + " {\n" + " \"Effect\": \"Allow\",\n" + " \"Principal\": {\"AWS\":\"" + allowedAWSPrincipal + "\"},\n" + " \"Action\": [\n" + " \"dynamodb:GetItem\"\n" + " ],\n" + " \"Resource\": \"" + tableArn + "\"\n" + " }\n" + " ]\n" + "}"; } }
